More Fun With Pcap
I'm currently expanding the functionality of my AOL Instant Messenger interceptor for a project I'm working on with a researcher from IBM. For this particular project, the script will need to be able to intercept timestamps and screen names in addition to the data the program is already equipped to capture. Timestamps are easy, because they are handled entirely by the client application and aren't really part of the protocol. It's really as easy as adding a #{Time.now} to the relevant output string.
Screen names are a lot more challenging. The OSCAR protocol only embeds the destination screen name in outgoing messages and the sender screen name in incoming messages. As a result, it is very difficult to identify the screen name of the other party associated with each message. The packet sniffer will have to intercept the screen names during the sign-on process and associate those screen names with a local network IP address. I'm not sure yet, but the fact that the OSCAR protocol uses encryption for login strings might make this a lot more interesting.
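One way to build the sign-on association described above, as an added example that is not code from the original post: a FLAP frame is a 0x2A marker, a one-byte channel, a two-byte sequence number and a two-byte length, and the legacy channel-1 login carries the screen name in TLV type 0x0001 after a four-byte FLAP version. The example assumes that legacy login form (the MD5 challenge login sends the screen name in a SNAC instead) and uses a constructed sample frame; the IP-to-name table is the sniffer's own state, not part of the protocol.

```ruby
# Parse one FLAP frame from a byte string. Returns a hash, or nil if malformed.
def parse_flap(bytes)
  return nil if bytes.bytesize < 6 || bytes.getbyte(0) != 0x2A
  channel, seq, len = bytes.byteslice(1, 5).unpack("Cnn")
  return nil if bytes.bytesize < 6 + len            # truncated capture
  { channel: channel, seq: seq, data: bytes.byteslice(6, len) }
end

# Parse a run of TLVs (type:2, length:2, value) into a type => value hash.
def parse_tlvs(data)
  tlvs = {}
  pos = 0
  while pos + 4 <= data.bytesize
    type, len = data.byteslice(pos, 4).unpack("nn")
    break if pos + 4 + len > data.bytesize          # stop on a short TLV
    tlvs[type] = data.byteslice(pos + 4, len)
    pos += 4 + len
  end
  tlvs
end

# If the frame is a channel-1 sign-on carrying TLV 0x0001, remember the
# screen name under the client's IP and return it; otherwise return nil.
def record_signon(table, src_ip, frame)
  return nil unless frame && frame[:channel] == 1 && frame[:data].bytesize > 4
  tlvs = parse_tlvs(frame[:data].byteslice(4..-1)) # skip 4-byte FLAP version
  name = tlvs[0x0001]
  table[src_ip] = name if name
  name
end

# Constructed sample: FLAP channel 1, seq 1, version 1, TLV 0x0001 = "alice"
payload = [1].pack("N") + [0x0001, 5].pack("nn") + "alice"
SIGNON = [0x2A, 1, 1, payload.bytesize].pack("CCnn") + payload

if __FILE__ == $0
  names = {}
  record_signon(names, "192.168.1.10", parse_flap(SIGNON))
  puts names.inspect
end
```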
The script has to be able to intercept data from two separate network interfaces simultaneously. In other programming languages this might be a problem, but thanks to Ruby's excellent support for simple threading, I can do it with relative ease. The following is a trivial example that demonstrates how to monitor packets from multiple interfaces at the same time using Ruby:
require 'pcaplet'

# One capture handle per interface, 1500-byte snaplen
pc1 = Pcaplet.new("-s 1500 -i eth1")
pc2 = Pcaplet.new("-s 1500 -i eth3")

# Build a TCP-only filter for each handle and attach it, so that
# every packet handed to the block is a TCP packet
f1 = Pcap::Filter.new("tcp", pc1.capture)
f2 = Pcap::Filter.new("tcp", pc2.capture)
pc1.add_filter(f1)
pc2.add_filter(f2)

def display dev, pck
  puts "#{dev}: #{pck.tcp_data}"
end

# The child process reads eth1 while the parent reads eth3
fork { pc1.each_packet {|pk| display "eth1", pk} }
pc2.each_packet {|pk| display "eth3", pk}
The power and elegance of Ruby never cease to impress me.
Tags: ruby, programming, pcap, oscar
Posted on 2006-06-14
0 comments
