Pcap-Local & xtractr


Akira

May 13, 2011, 6:20:16 AM5/13/11
to pcapr-forum
Hi guys,
I'm trying to figure out if it's possible to make the xtractr Ruby API
interact with pcapr-local.
When I create a new instance with the pcapr local server, the ruby
console returns the tailored code.

thanks in advance.


irb(main):005:0> xtractr = Mu::Xtractr.new
JSON::ParserError: 737: unexpected token at '<!DOCTYPE html>
<html>
<head>
<style type="text/css">
body { text-align:center;font-family:helvetica,arial;font-size:22px;
color:#888;margin:20px}
#c {margin:0 auto;width:500px;text-align:left}
</style>
</head>
<body>
<h2>Sinatra doesn't know this ditty.</h2>
<img src='/__sinatra__/404.png'>
<div id="c">
Try this:
<pre>get '/api/about' do
"Hello World"
end</pre>
</div>
</body>
</html>
'
from /usr/lib/ruby/gems/1.8/gems/json-1.5.1/lib/json/common.rb:148:in `parse'
from /usr/lib/ruby/gems/1.8/gems/json-1.5.1/lib/json/common.rb:148:in `parse'
from /usr/lib/ruby/gems/1.8/gems/xtractr-4.5.35634/./mu/xtractr.rb:239:in `json'
from /usr/lib/ruby/gems/1.8/gems/xtractr-4.5.35634/./mu/xtractr.rb:120:in `about'
from /usr/lib/ruby/gems/1.8/gems/xtractr-4.5.35634/./mu/xtractr.rb:108:in `initialize'
from (irb):5:in `new'
from (irb):5

kowsik

May 13, 2011, 11:24:28 AM5/13/11
to pcapr...@googlegroups.com
Akira,
We haven't quite documented the pcapr.Local API yet (work in
progress), but if you look in lib/pcapr_local/server.rb, you'll see
the various mount points for the RESTful calls. For example:

curl 'http://server/pcaps/1/list?by=date&limit=20'

will return the meta data for up to 20 pcaps.

Assuming you have a pcap with an id of 'cafebabe', you can pass in
this URL as the starting point for xtractr browsing, like so:

x = Mu::Xtractr.create 'http://localhost:9292/pcaps/1/pcap/cafebabe'

This will cause pcapr.Local to load the appropriate pcap into xtractr
and all xtractr queries will now get routed through properly. This is
also how you can run various xtractr queries across your entire
collection of pcaps, if you want to do some intra-pcap data mining.

Thanks,
The Pcapr Team
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com


Akira

May 24, 2011, 1:21:11 PM5/24/11
to pcapr-forum
Hey kowsik,
Thanks for the *really* fast answer (damn, I've just discovered your
reply... I was waiting for an email notification that never arrived).

Anyway, I've tried what you suggested and it works perfectly!
During recent days I've been trying to figure out how to do it by
reading the source code of the xtractr/pcapr gems, but you gave me the
right way in just a few lines, great.

However, I'm a little confused about the difference (if there is one)
between xtractr and pcapr-local.
I mean, does the gem pcapr-local include a new version of xtractr, or are
they two different things?
And the last question is: by scripting with these gems, everything
is accomplished in my local network right? Considering the
confidential nature of the pcaps that I daily analyze, I can't share
*any* kind of data about those - that's why I was so happy to read
about pcapr-local.

Really thanks again,

akira


On May 13, 5:24 pm, kowsik <kow...@gmail.com> wrote:
> Akira,
> We haven't quite documented the pcapr.Local API yet (work in
> progress), but if you look in lib/pcapr_local/server.rb, you'll see
> the various mount points for the RESTful calls. For example:
>
> curl 'http://server/pcaps/1/list?by=date&limit=20'
>
> will return the meta data for up to 20 pcaps.
>
> Assuming you have a pcap with an id of 'cafebabe', you can pass in
> this URL as the starting point for xtractr browsing, like so:
>
> x = Mu::Xtractr.create 'http://localhost:9292/pcaps/1/pcap/cafebabe'
>
> This will cause pcapr.Local to load the appropriate pcap into xtractr
> and all xtractr queries will now get routed through properly. This is
> also how you can run various xtractr queries across your entire
> collection of pcaps, if you want to do some intra-pcap data mining.
>
> Thanks,
> The Pcapr Team
> ---
> http://www.pcapr.net
> http://twitter.com/pcapr
> http://labs.mudynamics.com

kowsik

May 24, 2011, 1:45:59 PM5/24/11
to pcapr...@googlegroups.com
On Tue, May 24, 2011 at 10:21 AM, Akira <marc...@gmail.com> wrote:
> Hey kowsik,
> Thanks for the *really* fast answer (damn, I've just discovered your
> reply... I was waiting for an email notification that never arrived).

:)

> Anyway, I've tried what you suggested and it works perfectly!
> During recent days I've been trying to figure out how to do it by
> reading the source code of the xtractr/pcapr gems, but you gave me the
> right way in just a few lines, great.
>
> However, I'm a little confused about the difference (if there is one)
> between xtractr and pcapr-local.
> I mean, does the gem pcapr-local include a new version of xtractr, or are
> they two different things?

We originally wrote the xtractr Ruby gem to go against a single
instance of xtractr (against a single pcap). pcapr.Local, while it still
uses xtractr under the hood, is for managing large collections of
pcaps and adds the automatic indexing and three-way reconciliation.
What's missing in the xtractr gem is the pcapr.Local RESTful calls and
the newly introduced objects, which we haven't added yet.

Ideally the API would look like this:

pcapr = Pcapr::Local.new 'http://localhost:9292'
pcapr.each_pcap(:by => :date, :limit => 20, :descending => true) do |pcap|
  xtractr = pcap.xtractr # this will return an instance of Mu::Xtractr
  ...
end

This also means you can do inter-pcap analysis very easily, like this
example, where you can pull out all the PNG images from all pcaps that
contain HTTP flows.

pcapr = Pcapr::Local.new 'http://localhost:9292'
pcapr.each_pcap(:by => :service, :key => 'http', :limit => 20) do |pcap|
  xtractr = pcap.xtractr # one Mu::Xtractr instance per pcap
  xtractr.flows('flow.service:http favicon.ico').each do |flow|
    flow.contents.first.save(...)
  end
end

> And the last question is: by scripting with these gems, everything
> is accomplished in my local network right? Considering the
> confidential nature of the pcaps that I daily analyze, I can't share
> *any* kind of data about those - that's why I was so happy to read
> about pcapr-local.

Absolutely! Nothing ever leaks out.

K.
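The two replies above together describe the pieces that exist today (the pcapr.Local list call and the per-pcap URL that Mu::Xtractr.create accepts) and the Pcapr::Local wrapper that kowsik sketches as a future API. The following is an added example, not code from the pcapr-local or xtractr gems, that builds that sketched shape on top of the documented REST calls. Everything beyond the two URL patterns from the thread is an assumption: the JSON layout of the list response (a "rows" array of objects with an "id"), the mapping of :key and :descending onto query parameters of the same name, and the loopback-only check, which is there because the last question in the thread is whether the pcaps ever leave the local network. The HTTP fetcher is injected so the block runs offline against a constructed response.

```ruby
require 'json'
require 'uri'

# Added example, not code from the pcapr-local or xtractr gems. It shapes the
# hypothetical Pcapr::Local API sketched in the thread on top of the two REST
# calls the thread documents:
#   GET <base>/pcaps/1/list?by=date&limit=20   -> metadata for up to 20 pcaps
#   <base>/pcaps/1/pcap/<id>                   -> the URL handed to Mu::Xtractr.create
# Assumptions (not on the page): the list response is JSON with a "rows"
# array of objects carrying an "id", and :key / :descending map to query
# parameters of the same name.
module PcaprExample
  # Hosts the client will talk to without an explicit opt-in; the thread's
  # point is that the pcaps never leave the local machine.
  LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1].freeze

  class Pcap
    attr_reader :id, :meta

    def initialize(base, meta)
      @base = base
      @meta = meta
      @id = meta.fetch('id')
    end

    # The per-pcap starting URL from the thread, with the id URL-encoded.
    def xtractr_url
      "#{@base}/pcaps/1/pcap/#{URI.encode_www_form_component(@id)}"
    end

    # Only usable with the real xtractr gem loaded; Mu::Xtractr.create is the
    # call shown in the thread.
    def xtractr
      raise 'xtractr gem not loaded' unless defined?(Mu::Xtractr)
      Mu::Xtractr.create(xtractr_url)
    end
  end

  class Local
    # fetcher: any callable that takes a URL string and returns the response
    # body. It is injected so the example runs offline against constructed data.
    def initialize(base, fetcher:, allow_remote: false)
      host = URI.parse(base).host
      unless allow_remote || LOOPBACK_HOSTS.include?(host)
        raise ArgumentError, "refusing non-loopback pcapr.Local host #{host.inspect}"
      end
      @base = base.chomp('/')
      @fetcher = fetcher
    end

    # Builds the list URL; only by= and limit= are documented in the thread.
    def list_url(by: :date, limit: 20, key: nil, descending: false)
      params = { 'by' => by.to_s, 'limit' => Integer(limit) }
      params['key'] = key.to_s if key
      params['descending'] = 'true' if descending
      "#{@base}/pcaps/1/list?#{URI.encode_www_form(params)}"
    end

    # Yields one Pcap per row of the list response.
    def each_pcap(**opts)
      return enum_for(:each_pcap, **opts) unless block_given?
      rows = JSON.parse(@fetcher.call(list_url(**opts))).fetch('rows')
      rows.each { |row| yield Pcap.new(@base, row) }
    end
  end
end

# Constructed sample list response (assumed shape, not real pcapr.Local output).
SAMPLE_LIST = JSON.generate(
  'rows' => [
    { 'id' => 'cafebabe', 'filename' => 'web.pcap', 'services' => ['http'] },
    { 'id' => 'deadbeef', 'filename' => 'dns.pcap', 'services' => ['dns'] }
  ]
)

# Walk the collection newest-first and collect the URL each pcap would be
# opened with; with the gem loaded you would call pcap.xtractr instead.
def xtractr_urls_for_sample
  client = PcaprExample::Local.new('http://localhost:9292', fetcher: ->(_url) { SAMPLE_LIST })
  client.each_pcap(by: :date, limit: 20, descending: true).map(&:xtractr_url)
end

puts xtractr_urls_for_sample if $PROGRAM_NAME == __FILE__
```

To run it against a live pcapr.Local instance, pass a fetcher that performs the GET (for example with Net::HTTP) and keep the default loopback restriction; set allow_remote: true only when you have deliberately decided a remote server may receive the list request.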

Akira

May 25, 2011, 4:05:22 AM5/25/11
to pcapr-forum
Great kowsik,
Your examples have perfectly figured out what I was looking for.

I'm looking forward to writing here again,
this is an excellent forum,

thank you again mate.



On May 24, 7:45 pm, kowsik <kow...@gmail.com> wrote:
> On Tue, May 24, 2011 at 10:21 AM, Akira <marcox...@gmail.com> wrote:
> > Hey kowsik,
> > Thanks for the *really* fast answer (damn, I've just discovered your
> > reply... I was waiting for an email notification that never arrived).
>
> :)
>
> > Anyway, I've tried what you suggested and it works perfectly!
> > During recent days I've been trying to figure out how to do it by
> > reading the source code of the xtractr/pcapr gems, but you gave me the
> > right way in just a few lines, great.
>
> > However, I'm a little confused about the difference (if there is one)
> > between xtractr and pcapr-local.
> > I mean, does the gem pcapr-local include a new version of xtractr, or are
> > they two different things?
>
> We originally wrote the xtractr Ruby gem to go against a single
> instance of xtractr (against a single pcap). pcapr.Local, while it still
> uses xtractr under the hood, is for managing large collections of
> pcaps and adds the automatic indexing and three-way reconciliation.
> What's missing in the xtractr gem is the pcapr.Local RESTful calls and
> the newly introduced objects, which we haven't added yet.
>
> Ideally the API would look like this:
>
> pcapr = Pcapr::Local.new 'http://localhost:9292'
> pcapr.each_pcap(:by => :date, :limit => 20, :descending => true) do |pcap|
>     xtractr = pcap.xtractr # this will return an instance of Mu::Xtractr
>     ...
> end
>
> This also means you can do inter-pcap analysis very easily, like this
> example, where you can pull out all the PNG images from all pcaps that
> contain HTTP flows.
>
> pcapr = Pcapr::Local.new 'http://localhost:9292'

Akira

May 26, 2011, 11:14:59 AM5/26/11
to pcapr-forum
Hi kowsik,
here I am again.

I was trying your code, but I wasn't able to find a way to execute
it.
There is no module "Pcapr" inside the pcapr_local library, nor
any class "Local".
In addition, looking inside pcapr_local.rb there is no way to create
an instance like you are trying to do.

Am I missing something?

thank you

akira

On May 24, 7:45 pm, kowsik <kow...@gmail.com> wrote:

> Ideally the API would look like this:
>
> pcapr = Pcapr::Local.new 'http://localhost:9292'

kowsik

May 26, 2011, 12:13:06 PM5/26/11
to pcapr...@googlegroups.com
On Thu, May 26, 2011 at 8:14 AM, Akira <marc...@gmail.com> wrote:
> Hi kowsik,
> here I am again.
>
> I was trying your code, but I wasn't able to find a way to execute
> it.
> There is no module "Pcapr" inside the pcapr_local library, nor
> any class "Local".
> In addition, looking inside pcapr_local.rb there is no way to create
> an instance like you are trying to do.
>
> Am I missing something?

I guess I wasn't being clear in the last email. We haven't yet
implemented the Pcapr object. The idea behind having pcapr.Local be
RESTful is so that such a thing would be possible. That said, we are
looking into it and will post a note when it's ready.

Thanks,
The Pcapr Team

Akira

May 27, 2011, 4:21:30 AM5/27/11
to pcapr-forum
Ah ok, I misunderstood.
I'm looking forward to seeing that post, then.

Cheers!


On May 26, 6:13 pm, kowsik <kow...@gmail.com> wrote: