Libpcap - Aesa's Notes

### What is is? `libpcap` is a packet capture library used for network traffic monitoring and analysis. It provides a platform-independent interface for capturing network packets and allows users to filter and process the captured packets in real-time or offline. Originally developed for Unix-like operating systems, `libpcap` has since been ported to various platforms including Windows and macOS. It is widely used in network analysis tools such as Wireshark, tcpdump, and Snort, as well as in security applications for intrusion detection and network forensics. `libpcap` provides a high-level API for packet capture, with functions to open a network interface, set capture filters, start and stop packet capture, and process captured packets. It also includes a low-level interface for more advanced usage, allowing direct access to the raw packet data. ### How might I use this in Scala ```scala import java.util.{Date, Locale} import org.jnetpcap.Pcap import org.jnetpcap.packet.PcapPacket import scala.collection.mutable.Map import cats.effect._ import cats.effect.std.Queue import cats.effect.syntax.all._ import cats.syntax.all._ object PcapStats { def main(args: Array[String]): IO[Unit] = { val device = args(0) val snaplen = 64 * 1024 // capture all packets val promisc = Pcap.MODE_PROMISCUOUS // capture all packets val timeout = 10 * 1000 // 10 seconds IO { val errbuf = new StringBuilder() val pcap = Pcap.openLive(device, snaplen, promisc, timeout, errbuf) if (pcap == null) { println("Error opening device: " + errbuf.toString) sys.exit(1) } pcap }.bracket { pcap => for { // Queue to store packets asynchronously packetQueue <- Queue.bounded[IO, PcapPacket](1024) // Map to store statistics for each source IP address stats <- Ref.of[IO, Map[String, Long]](Map.empty) // Fiber to handle packet processing _ <- packetProcessor(packetQueue, stats).start // Fiber to handle statistics printing _ <- printStats(stats).start // Start capturing packets _ <- capturePackets(pcap, packetQueue).start } yield () } { pcap => IO(pcap.close()) } } def capturePackets(pcap: Pcap, packetQueue: Queue[IO, PcapPacket]): IO[Unit] = { for { _ <- IO(pcap.loop(-1, (packet: PcapPacket, _: String) => packetQueue.offer(packet).unsafeRunAndForget, "")) _ <- IO(println("Capture finished")) } yield () } def packetProcessor(packetQueue: Queue[IO, PcapPacket], stats: Ref[IO, Map[String, Long]]): IO[Unit] = { def processPacket(packet: PcapPacket): IO[Unit] = { // Get source IP address and packet length val srcIp = packet.getUByte(26) + "." + packet.getUByte(27) + "." + packet.getUByte(28) + "." + packet.getUByte(29) val len = packet.size() // Update statistics stats.update(_.updated(srcIp, stats.get.getOrElse(srcIp, 0L) + len)) } packetQueue.take.bracket { packet => processPacket(packet) } { _ => packetProcessor(packetQueue, stats) } } def printStats(stats: Ref[IO, Map[String, Long]]): IO[Unit] = { def printLoop: IO[Unit] = { for { _ <- IO.sleep(5.seconds) s <- stats.get _ <- s.toList.traverse { case (ip, bytes) => IO(println(s"$ip: $bytes")) } } yield () } printLoop.foreverM[Unit] } } ```