Thanks for the tip. I've been wanting to implement a proper timeout.
The current one is packet dependent. It works, but it's not nice.
I tried telnet and netcat to portknock but if there's no port open,
nothing comes up in the dump. I don't know why that is but I'm guessing
that libpcap only shows the packets if the TCP session is established.
Maybe there is an option to change that behaviour but I couldn't find
it. You can try it just with tcpdump -n. When you try to connect to
the local IP address using port 7000, it doesn't show up in the dump.
Same deal with ruby-libpcap (same library).

    require 'pcap'

    # Pick the default capture device and open it for live capture
    dev = Pcap.lookupdev
    cap = Pcap::Capture.open_live(dev)

    # Print every packet libpcap hands back
    cap.loop do |pkt|
      puts pkt
    end

I am using MacOS 10.4 so it may be some Mac weirdness at the kernel
level or how libpcap talks to the kernel but I've had no success so
far. That's why I was interested to see if anyone else had done it.
Sven
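
Added example, not part of Sven's message or his code: one way to make a knock-sequence timeout depend on wall-clock time rather than on packet count, fed with constructed (source IP, destination port, timestamp) tuples instead of a live capture. KnockTracker, the 7000/8000/9000 sequence and the 5-second timeout are assumptions made for illustration.

```ruby
# Time-based knock-sequence tracker (illustrative; names and values are assumed).
class KnockTracker
  def initialize(sequence, timeout)
    @sequence = sequence   # ports that must be hit, in order
    @timeout  = timeout    # seconds allowed since the previous knock
    @state    = {}         # src_ip => [next_index, time_of_last_knock]
  end

  # Feed one observed SYN. Returns true when it completes the sequence.
  def observe(src_ip, dport, now)
    idx, last = @state.fetch(src_ip, [0, now])
    # Wall-clock expiry: stale progress is dropped no matter how many
    # packets did or did not arrive in between.
    idx = 0 if idx > 0 && now - last > @timeout
    if dport == @sequence[idx]
      idx += 1
    else
      # A wrong port resets progress; it may itself be a first knock.
      idx = dport == @sequence[0] ? 1 : 0
    end
    if idx == @sequence.length
      @state.delete(src_ip)
      return true
    end
    idx.zero? ? @state.delete(src_ip) : @state[src_ip] = [idx, now]
    false
  end

  # Purge sources whose last knock is older than the timeout, so half-finished
  # sequences do not accumulate. Returns the number of sources still tracked.
  def expire(now)
    @state.delete_if { |_ip, (_idx, last)| now - last > @timeout }
    @state.size
  end
end

# Constructed sample events: 10.0.0.1 knocks in time, 10.0.0.2 is too slow.
def demo
  tracker = KnockTracker.new([7000, 8000, 9000], 5)
  events = [
    ["10.0.0.1", 7000, 0.0], ["10.0.0.2", 7000, 0.5],
    ["10.0.0.1", 8000, 1.0], ["10.0.0.1", 9000, 2.0],
    ["10.0.0.2", 8000, 9.0], ["10.0.0.2", 9000, 9.5]
  ]
  events.map { |ip, port, ts| tracker.observe(ip, port, ts) }
end
```

In a live setup, observe would be called from the capture loop with each packet's source address, destination port and capture time, and expire from a periodic timer.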