Sniffing HTTP traffic using the packetfu gem

Installation

Type apt-get install libpcap-dev and then gem install packetfu.

Usage

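require 'packetfu'

include PacketFu
iface = "eth0"
a = []  # TCP packets sent from port 80 (HTTP responses)

# Look up our own address once rather than for every packet
my_ip = Utils.ifconfig(iface)[:ip_saddr]

# Opening the interface for capture normally requires root privileges
cap = Capture.new(:iface => iface, :start => true)

begin
  cap.stream.each do |p|

    pkt = Packet.parse p
    a << pkt if pkt.respond_to?(:tcp_src) && pkt.tcp_src == 80

    if pkt.is_ip?
      # Do not print packets sent by this host
      next if pkt.ip_saddr == my_ip
      packet_info = [pkt.ip_saddr, pkt.ip_daddr, pkt.size, pkt.proto.last]
      puts "%-15s -> %-15s %-4d %s" % packet_info
    end

  end
rescue Interrupt
  # The capture loop never ends by itself; Ctrl-C stops it so the filter below runs
end

# Keep only the packets whose payload mentions the keyword (case-insensitive)
a2 = a.select {|x| x.payload =~ /Edinburgh/i}
puts "#{a2.size} matching packets"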

The above example collects TCP packets sent from port 80 (HTTP responses) and then selects those whose payload contains the keyword 'Edinburgh', matched case-insensitively.
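An added example, not part of the original page: matching each packet's payload on its own misses a keyword that is split across two TCP segments, so this sketch reassembles each flow by sequence number before searching. The Segment struct and the sample data are constructed stand-ins for the PacketFu fields ip_saddr, tcp_src, ip_daddr, tcp_dst, tcp_seq and payload; sequence-number wraparound is ignored.

```ruby
# Added example with constructed data; no live capture is needed.
# Segment mirrors the PacketFu fields ip_saddr, tcp_src, ip_daddr, tcp_dst,
# tcp_seq and payload (assumed mapping).
Segment = Struct.new(:src, :sport, :dst, :dport, :seq, :payload)

# Rebuild each flow's byte stream: order by sequence number, skip
# retransmitted bytes, stop at the first gap. Ignores 32-bit seq wraparound.
def reassemble(segments)
  flows = segments.group_by { |s| [s.src, s.sport, s.dst, s.dport] }
  flows.transform_values do |segs|
    stream = "".b
    next_seq = nil
    segs.reject { |s| s.payload.empty? }.sort_by(&:seq).each do |s|
      data = s.payload.b
      next_seq ||= s.seq
      skip = next_seq - s.seq          # bytes of this segment already seen
      break if skip < 0                # gap: a segment is missing
      next if skip >= data.bytesize    # pure retransmission
      stream << data.byteslice(skip..-1)
      next_seq = s.seq + data.bytesize
    end
    stream
  end
end

# What the per-packet filter on the page does.
def per_packet_hits(segments, pattern)
  segments.select { |s| s.payload =~ pattern }
end

# Flows whose reassembled stream matches the pattern.
def stream_hits(segments, pattern)
  reassemble(segments).select { |_flow, data| data =~ pattern }.keys
end

# Constructed sample: the keyword straddles two segments of the first flow.
part1 = "HTTP/1.1 200 OK\r\n\r\nWelcome to Edin"
part2 = "burgh Castle"
SAMPLE = [
  Segment.new("192.0.2.10", 80, "198.51.100.7", 51000, 1000 + part1.bytesize, part2), # out of order
  Segment.new("192.0.2.10", 80, "198.51.100.7", 51000, 1000, part1),
  Segment.new("192.0.2.10", 80, "198.51.100.7", 51000, 1000, part1),                  # retransmission
  Segment.new("203.0.113.5", 80, "198.51.100.7", 51001, 5000, "HTTP/1.1 200 OK\r\n\r\nGlasgow")
]

puts "per-packet hits:  #{per_packet_hits(SAMPLE, /Edinburgh/i).size}"
puts "reassembled hits: #{stream_hits(SAMPLE, /Edinburgh/i).inspect}"
```

Compressed responses (Content-Encoding: gzip) would still need decoding before a keyword match can succeed.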
