It’s been a while since I last reported on the status of my Wireshark wrapper for Ruby. This past Thanksgiving weekend I put a lot of time into it, and I’m pretty pleased with the progress.
I’ve made a few major changes to accommodate my long-term use for this wrapper, which is to index and analyze hundreds of gigabytes of captured network traffic.
I’ve not posted recently on the progress of my Ruby extension to wrap Wireshark’s packet dissectors and expose a complete protocol tree to Ruby.
I’ve finally reached a point where the initial groundwork is in place and I have a workable solution. I had severe performance problems, and ended up implementing a lookaside list to keep a cache of reusable C++ objects to avoid excess memory pressure, and also switched to use the Ruby memory allocator, which will trigger a GC if necessary to satisfy a memory request.
In the previous episode, I was struggling with the Ruby extension build environment on Windows. I finally gave up and created a Visual C++ 2005 project that built the extension, and wrote a post-build step to copy the files into the Ruby install directory. Obviously this is a short-term hack; I’ll need to get something that will build on *NIX, but I don’t want to spend any more time on the fucking build environment right now.
Lately I’ve been playing with wireless network monitoring, using Kismet. Kismet produces dumps of all wireless traffic in libpcap-compatible packet captures, which is the same format used by Wireshark, tcpdump, and any other packet capture tool worth its salt.
The problem is that after a week of capturing, I have several gigabytes of capture files, though most of the captured packets are 802.11 beacons that have no information in them. Wireshark eats shit and dies on a 500MB capture file, so a 2GB one is out of the question.
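One way to make those multi-gigabyte captures tractable is a streaming pre-pass that drops the 802.11 beacon frames before any dissector sees the file. The script below is an added example written for this post; it is not part of the Ruby wrapper or of Kismet. It assumes the capture is a classic libpcap file whose link type is 105 (raw IEEE 802.11) or 127 (radiotap-prefixed 802.11), walks the file one record at a time so the whole capture is never loaded into memory, and identifies beacons purely from the frame-control byte (management type 0, subtype 8). The `sample_capture` method builds a small constructed capture so the script can be exercised without real Kismet output.

```ruby
require "stringio"

# Added example: strip 802.11 beacon frames out of a libpcap capture.
# Not the wrapper's own code; assumes link type 105 or 127 (radiotap).
module BeaconFilter
  GLOBAL_HEADER_LEN = 24
  RECORD_HEADER_LEN = 16
  DLT_IEEE802_11       = 105   # raw 802.11 frames
  DLT_IEEE802_11_RADIO = 127   # radiotap header followed by 802.11 frame

  # Read the 24-byte global header; returns [raw_header, unpack_fmt, link_type].
  # The magic number tells us the writer's byte order for all 32-bit fields.
  def self.read_global_header(io)
    raw = io.read(GLOBAL_HEADER_LEN)
    raise ArgumentError, "short pcap header" unless raw && raw.bytesize == GLOBAL_HEADER_LEN
    fmt = case raw.byteslice(0, 4)
          when "\xd4\xc3\xb2\xa1".b then "V"   # little-endian magic
          when "\xa1\xb2\xc3\xd4".b then "N"   # big-endian magic
          else raise ArgumentError, "not a libpcap file"
          end
    [raw, fmt, raw.byteslice(20, 4).unpack1(fmt)]
  end

  # Yield [record_header, frame] for every complete record after the global
  # header. A truncated trailing record (common in captures cut off mid-write)
  # ends iteration instead of raising.
  def self.each_record(io, fmt)
    while (hdr = io.read(RECORD_HEADER_LEN)) && hdr.bytesize == RECORD_HEADER_LEN
      incl_len = hdr.byteslice(8, 4).unpack1(fmt)   # captured length of this record
      frame = io.read(incl_len)
      break unless frame && frame.bytesize == incl_len
      yield hdr, frame
    end
  end

  # True when the 802.11 frame control byte says management (type 0) / beacon (subtype 8).
  def self.beacon?(frame, link_type)
    dot11 = case link_type
            when DLT_IEEE802_11 then frame
            when DLT_IEEE802_11_RADIO
              return false if frame.bytesize < 4
              rt_len = frame.byteslice(2, 2).unpack1("v")   # radiotap length is always little-endian
              frame.byteslice(rt_len, frame.bytesize - rt_len)
            else
              raise ArgumentError, "unsupported link type #{link_type}"
            end
    return false if dot11.nil? || dot11.bytesize < 2
    fc0 = dot11.getbyte(0)
    ((fc0 & 0x0c) >> 2).zero? && (fc0 >> 4) == 8
  end

  # Copy input to output, omitting beacon records. Returns [kept, dropped].
  def self.strip_beacons(input, output)
    raw, fmt, link_type = read_global_header(input)
    output.write(raw)
    kept = dropped = 0
    each_record(input, fmt) do |hdr, frame|
      if beacon?(frame, link_type)
        dropped += 1
      else
        output.write(hdr)
        output.write(frame)
        kept += 1
      end
    end
    [kept, dropped]
  end

  # Constructed sample capture (not real Kismet output): two beacons, one data
  # frame and one probe request, link type 105, little-endian.
  def self.sample_capture
    hdr = [0xa1b2c3d4, 2, 4, 0, 0, 65_535, DLT_IEEE802_11].pack("VvvVVVV")
    frames = [
      "\x80\x00".b + ("\x00" * 22).b + "BEACON-BODY".b, # management / beacon
      "\x08\x02".b + ("\x00" * 22).b + "DATA".b,        # data frame
      "\x40\x00".b + ("\x00" * 22).b,                   # probe request (mgmt subtype 4)
      "\x80\x00".b + ("\x00" * 22).b,                   # another beacon
    ]
    frames.each_with_index.reduce(hdr) do |buf, (f, i)|
      buf + [1_000_000 + i, 0, f.bytesize, f.bytesize].pack("VVVV") + f
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.size == 2
    File.open(ARGV[0], "rb") do |i|
      File.open(ARGV[1], "wb") do |o|
        kept, dropped = BeaconFilter.strip_beacons(i, o)
        puts "kept #{kept} records, dropped #{dropped} beacons"
      end
    end
  else
    out = StringIO.new("".b)
    kept, dropped = BeaconFilter.strip_beacons(StringIO.new(BeaconFilter.sample_capture), out)
    puts "sample: kept #{kept}, dropped #{dropped} (#{out.string.bytesize} bytes out)"
  end
end
```

Run it as `ruby beacon_filter.rb in.pcap out.pcap`; with no arguments it filters the constructed sample instead. The record headers are copied through untouched, so timestamps and lengths of the surviving frames are exactly as captured, and the output is a valid libpcap file that the dissector wrapper (or Wireshark itself, at a fraction of the original size) can open.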