Class: Mu::Xtractr::Packet

Inherits:

Object

• Object
• Mu::Xtractr::Packet

Includes:

Enumerable

Defined in:

lib/mu/xtractr/packet.rb,
lib/mu/xtractr/test/tc_packet.rb

Overview

xtractr.packets(‘blah’).each { |pkt| … }

Defined Under Namespace

Classes: Test

Instance Attribute Summary

• #dir ⇒ Object readonly

  The direction of the packet (if it belongs to a flow).

• #dst ⇒ Object readonly

  The destination host of the packet.

• #id ⇒ Object readonly

  The unique ID of the packet.

• #length ⇒ Object readonly

  The length of the packet (the entire frame).

• #offset ⇒ Object readonly

  The file offset of the packet within the pcap.

• #service ⇒ Object readonly

  The service of the packet.

• #src ⇒ Object readonly

  The source host of the packet.

• #time ⇒ Object readonly

  The relative timestamp of the packet.

• #title ⇒ Object readonly

  The title of the packet.

• #xtractr ⇒ Object readonly

  :nodoc:.

Instance Method Summary

• #[](name) ⇒ Object (also: #field)

  Fetch the values of the specified field for this packet.

• #bytes ⇒ Object

  Fetch the actual packet data from the index.

• #each_field(regex = nil) ⇒ Object (also: #each)

  Iterate over each Field::Value in the packet.

• #flow ⇒ Object

  Returns the flow (if any) that this packet belongs to.

• #initialize(xtractr, json) ⇒ Packet constructor

  :nodoc:.

• #inspect ⇒ Object

  :nodoc:.

• #payload ⇒ Object

  For UDP/TCP (both IPv4 and IPv6) packets, fetch just the layer4 payload.

• #save(filename) ⇒ Object

  Extract just this packet and save it to the specified file as a pcap.

Constructor Details

#initialize(xtractr, json) ⇒ Packet

:nodoc:

# File 'lib/mu/xtractr/packet.rb', line 53

def initialize xtractr, json # :nodoc:
    @xtractr = xtractr
    @id      = json['id']
    @offset  = json['offset']
    @length  = json['length']
    @pcap_id = json['pcap']
    @flow_id = json['flow']
    @time    = json['time']
    @dir     = json['dir']
    @src     = Host.new xtractr, json['src']
    @dst     = Host.new xtractr, json['dst']
    @service = Service.new xtractr, json['service']
    @title   = json['title']
end

Instance Attribute Details

#dir ⇒ Object (readonly)

The direction of the packet (if it belongs to a flow).

# File 'lib/mu/xtractr/packet.rb', line 39

def dir
  @dir
end

#dst ⇒ Object (readonly)

The destination host of the packet.

# File 'lib/mu/xtractr/packet.rb', line 45

def dst
  @dst
end

#id ⇒ Object (readonly)

The unique ID of the packet.

# File 'lib/mu/xtractr/packet.rb', line 27

def id
  @id
end

#length ⇒ Object (readonly)

The length of the packet (the entire frame).

# File 'lib/mu/xtractr/packet.rb', line 33

def length
  @length
end

#offset ⇒ Object (readonly)

The file offset of the packet within the pcap.

# File 'lib/mu/xtractr/packet.rb', line 30

def offset
  @offset
end

#service ⇒ Object (readonly)

The service of the packet.

# File 'lib/mu/xtractr/packet.rb', line 48

def service
  @service
end

#src ⇒ Object (readonly)

The source host of the packet.

# File 'lib/mu/xtractr/packet.rb', line 42

def src
  @src
end

#time ⇒ Object (readonly)

The relative timestamp of the packet.

# File 'lib/mu/xtractr/packet.rb', line 36

def time
  @time
end

#title ⇒ Object (readonly)

The title of the packet.

# File 'lib/mu/xtractr/packet.rb', line 51

def title
  @title
end

#xtractr ⇒ Object (readonly)

:nodoc:

# File 'lib/mu/xtractr/packet.rb', line 24

def xtractr
  @xtractr
end

Instance Method Details

#[](name) ⇒ Object Also known as: field

Fetch the values of the specified field for this packet. Even if there’s only a single value for the field, it’s returned as an array of 1 element

packet.field('ip.ttl').each { |ttl| ... }

# File 'lib/mu/xtractr/packet.rb', line 112

def [] name
    result = xtractr.json "/api/packet/#{id}/field/#{name}"
    return result['rows']
end

#bytes ⇒ Object

Fetch the actual packet data from the index. The return value is a String (that might contain null characters).

xtractr.packets('index.html').first.bytes

# File 'lib/mu/xtractr/packet.rb', line 78

def bytes
    result = xtractr.json "/api/packet/#{id}/bytes"
    result['bytes'].map { |b| b.chr }.join('')
end

#each_field(regex = nil) ⇒ Object Also known as: each

Iterate over each Field::Value in the packet. The various packet fields are only available if the indexing was done with –mode forensics.

packet.each('ip.ttl') { |fv| ... }

# File 'lib/mu/xtractr/packet.rb', line 98

def each_field(regex=nil) # :yields: value
    regex = Regexp.new(regex) if regex.is_a? String
    result = xtractr.json "/api/packet/#{id}/fields"
    rows = result['rows']
    rows = rows.select { |row| row['key'] =~ regex } if regex        
    rows.each do |row|
        value = Field::Value.new(xtractr, row)
        yield value
    end
end

#flow ⇒ Object

Returns the flow (if any) that this packet belongs to.

xtractr.packets('index.html').first.flow

# File 'lib/mu/xtractr/packet.rb', line 70

def flow
    return nil if @flow_id.zero?
    @flow ||= xtractr.flow @flow_id
end

#inspect ⇒ Object

:nodoc:

# File 'lib/mu/xtractr/packet.rb', line 129

def inspect # :nodoc:
    "#<pkt:#{id} #{src.address} > #{dst.address} #{service.name} #{title}"
end

#payload ⇒ Object

For UDP/TCP (both IPv4 and IPv6) packets, fetch just the layer4 payload. Returns an empty string for all other types of packet.

xtractr.packets('http.request.method:GET').each do |pkt|
    puts pkt.payload
end

# File 'lib/mu/xtractr/packet.rb', line 88

def payload
    result = xtractr.json "/api/packet/#{id}/bytes"
    bytes = result['bytes']
    l4size = result['l4size'] || 0
    bytes[-l4size, l4size].map { |b| b.chr }.join('')
end

#save(filename) ⇒ Object

Extract just this packet and save it to the specified file as a pcap. You can also save a collection of packets using Packets#save or a collection of flows using Flows#save.

packet.save("foo.pcap")

# File 'lib/mu/xtractr/packet.rb', line 121

def save filename
    open(filename, "w") do |ios|
        pcap = xtractr.get "api/packet/#{id}/pcap"
        ios.write pcap
    end
    return self
end