Class: FlowTag::PcapParser

Inherits:

Object

• Object
• FlowTag::PcapParser

Defined in:

lib/flowtag/pcapparser.rb

Constant Summary

LINKTYPE_ETH =

0x0001

LINKTYPE_SLL =

0x0071

Instance Method Summary

• #close ⇒ Object
• #each ⇒ Object
• #initialize(pcapfh) ⇒ PcapParser constructor

  A new instance of PcapParser.

• #nextpkt ⇒ Object

Constructor Details

#initialize(pcapfh) ⇒ PcapParser

Returns a new instance of PcapParser.

# File 'lib/flowtag/pcapparser.rb', line 21

def initialize(pcapfh)
	@offset = 0
	@bigendian = nil
	@fh = pcapfh
	@fh.seek 0
	magic = @fh.read(4).unpack("N")[0]
	@bigendian = (magic == 0xa1b2c3d4) ? true : false
	endian = (@bigendian) ? "nnNNNN" : "vvVVVV"
	@version_major, @version_minor, @zone, @significant_figures, @snaplength, @linktype = @fh.read(20).unpack(endian)
	@offset += 24
	if @linktype != LINKTYPE_ETH
		puts "Only ethernet is supported, sorry."
		exit
	end
end

Instance Method Details

#close ⇒ Object

# File 'lib/flowtag/pcapparser.rb', line 53

def close
	@fh.close unless @fh.tty?
end

#each ⇒ Object

# File 'lib/flowtag/pcapparser.rb', line 47

def each
	while ! @fh.eof?
		yield nextpkt
	end
end

#nextpkt ⇒ Object

# File 'lib/flowtag/pcapparser.rb', line 37

def nextpkt
	endian = (@bigendian) ? "NNNN" : "VVVV"
	pkt = {}
	tv_sec, tv_usec, caplen, origlen = @fh.read(16).unpack(endian)
	time = tv_sec + (tv_usec / 1E6)
	data = @fh.read(caplen)
	@offset += 16+caplen
	return Packet.new(time, data)
end