Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options

simple perl sniffer

by marcos (Scribe)
on May 08, 2000 at 15:36 UTC ( #10594=perlquestion: print w/replies, xml ) Need Help??

marcos has asked for the wisdom of the Perl Monks concerning the following question:

I would like to write a simple network sniffer in perl. The script should take the protocol (I would like to have the possibility to choose either udp or tcp) and the port from the command line, and then print out everything that goes through that port. I've seen a perl script that uses 'tcpdump', but I would like to write everything in perl. I wrote some simple script using IO::Socket::INET, but I don't know how to write a scrpt that works like a sniffer.

Replies are listed 'Best First'.
RE: simple perl sniffer
by lhoward (Vicar) on May 08, 2000 at 17:11 UTC
    I recommend checking out Net::Pcap, Net::PcapUtils, and the NetPacket CPAN modules. Net::Pcap is an perl interface straight into libpcap (libpcap is a packet sniffing library on which most UNIX sniffers are based; tcpdump is written using libpcap). Net::PcapUtils is a more perl-like interface to Net::Pcap that is a bit easier to use than raw Net::Pcap. The NetPacket module provide parsing for a few (but the most common) layer 2, 3, and 4 protocols (ICMP, IP, TCP, UDP, ARP, Ethernet, etc...). With these tools you can put together custom sniffer utilities very quickly.

    Here's a simple example of a script that sniffs an ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet's contents:

    #!/usr/bin/perl -w use strict; use Net::PcapUtils; use NetPacket::Ethernet; use NetPacket::IP; use NetPacket::TCP; use Data::HexDump; Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip host') +; my $i=0; sub process_pkt { my ($user_data,$hdr,$pkt)=@_; my $eth=NetPacket::Ethernet->decode($pkt); if($eth->{type} == 2048){ my $ip=NetPacket::IP->decode($eth->{data}); if($ip->{proto} == 6){ my $tcp=NetPacket::TCP->decode($ip->{data}); print "\n\n$i $ip->{src_ip}($tcp->{src_port}) -> $ip->{dest_ip}( +$tcp->{dest_port})\n"; print HexDump $ip->{data}; $i++; } } }
      Thank you for your suggestion. Unfortunately I think I can't use the modules you mentioned under NT: there's no libpcap under NT. Once again I think that I have to install also Linux on my laptop. As soon as I have Linux up and running I will surely try these modules and build my own simple sniffer in perl :)

      thank you
        Just a quick post for prosperity - The Pcap library can be obtained in source and binary forms from and are quite mature in nature.


        I have worked with some Packet Capturing libraries for NT, but none of which have a Perl interface. If you want to write a sniffer like tool for NT I'm afraid you're stuck using C, C++ or something similar.
      Thanks a bunch for the pointers and sample code. I just happened to have the same question (sniffing in perl), and your post has jump started my efforts.
      HaLLO! i test the script it work fine with me .. someone to now how i can .. decode the nex of the pack.

      15 -> 00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF 00000000 82 5D 1A 0B C9 12 24 11 - 46 3E F8 5D 80 10 65 D0 .]....$.F +>.]..e. 00000010 AC 3D 00 00 01 01 08 0A - 00 5E 08 95 DD 5D 9D F5 .=....... +^...]..
      that is one of the pkg. and it is not encripted ... but i dont now how to decode it ...

      Code tags added by GrandFather

        Check out Net::Packet. It has parsers for certain protocols above layer 3. If not, you may have to write your own parser, or figure out a way to pass the captured data off to a program like Etheral that has more advanced parsing capability for the upper levels of the protocol stack.


      Hi I am designing a sniffer in perl will be possible to put an interface in another language?

        Hi I am designing a sniffer in perl will be possible to put an interface in another language?

        Yes, uh-oh hotdog

Re: simple perl sniffer
by Anonymous Monk on Nov 08, 2011 at 15:23 UTC
    can't work on windows output is there

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://10594]
Approved by root
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (5)
As of 2020-12-04 20:05 GMT
Find Nodes?
    Voting Booth?
    How often do you use taint mode?

    Results (62 votes). Check out past polls.