This works, assuming you redirect your tcpdump output to a file. Run with your output file as STDIN to this snippet. You could probably use
IO::File here as well:
use strict;
use warnings;

# Pipe our own output through "cat -v" so unprintable bytes show up as ^X / M-x
open(my $dump, '|-', 'cat -v') or die "cannot run cat -v: $!";
select($dump);
$| = 1;

while (<>) {
    if (/^\s/) {
        # Indented lines are the hex dump: drop whitespace, emit one byte per hex pair
        chomp;
        s/\s//g;
        while (length $_) {
            my $hex;
            ($hex, $_) = /^(..)(.*)$/;
            last unless defined $hex;    # odd trailing nybble or non-hex junk
            my $byte = hex($hex);
            print pack("C", $byte);      # "C" is an unsigned byte; "c" wraps values above 127
        }
    } else {
        # Any other line is a packet header line: print a separator
        print "\n", "-" x 74, "\n\n";
    }
}
close($dump);
Here's another, which runs tcpdump directly:
use strict;
use warnings;

my ($pkt, $client, $host) = ('', '', '');
my $lim     = shift || 999999999;        # stop after this many packets
my $tcpd    = "/usr/sbin/tcpdump";
my $tcpargs = "-lnx -s 1024 dst host 68.14.142.134";
$| = 1;

open(my $td, "$tcpd $tcpargs |") or die "cannot run $tcpd: $!";
while (<$td>) {
    if (/^\S/) {
        # Header line: flush the previous packet's printable text first
        last unless $lim--;
        while ($pkt =~ /(.+)/g) {
            print "$client -> $host\t$1\n";
        }
        ($client, $host, $pkt) = ('', '', '');
        # Only keep packets that carry payload: "P 1:12(11)" gives the payload length
        ($client, $host) = /(\d+\.\d+\.\d+\.\d+).+> (\d+\.\d+\.\d+\.\d+)/
            if /P \d+:\d+\((\d+)\)/ && $1 > 0;
        next;                            # the header line holds no hex data
    }
    next unless $client && $host;
    # Hex dump line: turn each pair into a byte, then keep only printable text
    s/^\s+//;
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;
    tr/\x1F-\x7E\r\n//cd;
    $pkt .= $_;
}
close($td);
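As an added example (not code from this thread), here is a version of the same idea that rebuilds each packet's bytes with pack('H*'), copes with both the bare hex lines shown above and the "0x0000:" offset prefix that newer tcpdump versions print, and uses the payload length from the header line (the "(11)" in "P 1:12(11)") to cut out just the application data instead of filtering the whole packet for printable characters. The sample dump embedded in it is constructed, and the function names are my own.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: rebuild packets from "tcpdump -lnx"
# output and print the application payload of each one.
use strict;
use warnings;

# Constructed sample in tcpdump -x style: one IPv4/TCP packet carrying 11 bytes
# of payload, then a bare ACK. Hex lines may carry the "0x0000:" offset prefix
# of newer tcpdump versions or be bare hex as in older ones.
my $sample = <<'END';
12:00:00.000001 IP 10.0.0.5.40000 > 10.0.0.9.80: P 1:12(11) ack 1 win 512
    0x0000:  4500 0033 0001 0000 4006 0000 0a00 0005
    0x0010:  0a00 0009 9c40 0050 0000 0001 0000 0001
    0x0020:  5018 0200 0000 0000 4745 5420 2f20 4854
    0x0030:  5450 0a
12:00:00.000002 IP 10.0.0.9.80 > 10.0.0.5.40000: . ack 12 win 512
    4500 0028 0002 0000 4006 0000 0a00 0009
    0a00 0005 0050 9c40 0000 0001 0000 000c
    5010 0200 0000 0000
END

# Turn one hex-dump line into raw bytes. The optional "0xNNNN:" offset is
# dropped first so it is not mistaken for data; the remaining hex pairs are
# packed in one go.
sub hex_line_to_bytes {
    my ($line) = @_;
    $line =~ s/^\s*0x[0-9a-fA-F]+:\s*//;
    $line =~ s/\s+//g;
    return '' unless $line =~ /^[0-9a-fA-F]*$/ && length($line) % 2 == 0;
    return pack('H*', $line);
}

# Replace everything outside printable ASCII (plus CR, LF and TAB) with '.'.
sub printable {
    my ($bytes) = @_;
    $bytes =~ tr/\x20-\x7e\r\n\t/./c;
    return $bytes;
}

# Parse a whole dump: header lines start in column 0, hex lines are indented.
# Returns a list of { src, dst, plen, bytes } records, one per packet.
sub parse_dump {
    my ($text) = @_;
    my @packets;
    for my $line (split /\n/, $text) {
        if ($line =~ /^\S/) {
            my ($src, $dst) = $line =~ /(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+/;
            # "P 1:12(11)": the number in parentheses is the payload length
            my ($plen) = $line =~ /\d+:\d+\((\d+)\)/;
            push @packets, { src => $src, dst => $dst, plen => $plen || 0, bytes => '' };
        } elsif (@packets) {
            $packets[-1]{bytes} .= hex_line_to_bytes($line);
        }
    }
    return @packets;
}

# The payload is the tail of the packet: its last $plen bytes, provided the
# snapshot length (-s) was large enough to capture all of them.
sub payload_of {
    my ($p) = @_;
    my $n = $p->{plen};
    return '' if $n == 0 || length($p->{bytes}) < $n;
    return substr($p->{bytes}, -$n);
}

# With a file name on the command line read that dump, otherwise use the sample.
my $text = @ARGV ? do { local $/; <> } : $sample;
for my $p (parse_dump($text)) {
    my $data = payload_of($p);
    printf "%s -> %s  %d bytes captured, %d bytes payload\n",
        $p->{src}, $p->{dst}, length($p->{bytes}), length($data);
    print printable($data), "\n" if length $data;
}
```

Run it on real output with something like `tcpdump -lnx -s 1024 'tcp port 80' > dump.txt; perl decode.pl dump.txt`. With -x tcpdump omits the link-layer header, so byte 0 of each packet is the start of the IP header; the length check in payload_of means a packet whose tail was cut off by the snapshot length is reported with 0 payload bytes rather than with garbage.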
Here's one using Net::Pcap and Net::RawIP. I leave the decoding of the packet stream up to you.
use strict;
use warnings;
use Net::Pcap;
use Net::RawIP;    # useful once you start decoding the raw packets

my $errstr;
my $count = 0;

my $dev = Net::Pcap::lookupdev(\$errstr);
die "lookupdev failed: $errstr\n" unless defined $dev;

# snaplen 1024, promiscuous mode on, no read timeout
my $pcap = Net::Pcap::open_live($dev, 1024, 1, 0, \$errstr);
die "open_live($dev) failed: $errstr\n" unless defined $pcap;

# -1 means loop until an error or until Net::Pcap::breakloop is called
Net::Pcap::loop($pcap, -1, \&check_tcp, "abc");
Net::Pcap::close($pcap);

sub check_tcp {
    my ($user, $hdr, $pkt) = @_;
    # Add your error checking here
    print "Saw snap of len $hdr->{len} $hdr->{caplen}\n";
    $count++;
}
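For the decoding part left as an exercise above, here is an added example (mine, not from the thread or the Net::Pcap project) that takes the raw frame a pcap callback receives and pulls the Ethernet, IPv4 and TCP headers apart with unpack, returning the addresses, ports, flags and the exact TCP payload. The frame is constructed inline so the script runs without Net::Pcap or capture privileges; the function names are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not from the thread: decode the raw frame that Net::Pcap hands
# to a callback (Ethernet / IPv4 / TCP) with unpack. Net::Pcap is not needed to
# run this; the frame below is constructed.
use strict;
use warnings;

# Constructed Ethernet frame: IPv4/TCP, 10.0.0.5:40000 -> 10.0.0.9:80,
# PSH+ACK, 11 bytes of payload ("GET / HTTP\n").
my $frame = pack('H*',
    '001122334455' . '66778899aabb' . '0800' .         # Ethernet: dst, src, type
    '4500003300010000400600000a0000050a000009' .       # IPv4 header (20 bytes)
    '9c4000500000000100000001501802000000000000' .     # TCP header (20 bytes)
    '474554202f20485454500a');                         # payload

# Decode one frame. Returns a hash of the interesting fields, or undef when the
# frame is not IPv4/TCP or is too short to hold the headers it claims.
sub decode_tcp_frame {
    my ($raw) = @_;
    return undef if length($raw) < 14;
    my ($dst_mac, $src_mac, $ethertype) = unpack('H12 H12 n', $raw);
    return undef unless $ethertype == 0x0800;                 # IPv4 only

    my $ip = substr($raw, 14);
    return undef if length($ip) < 20;
    # version/IHL, (tos), total length, (id, flags/frag), ttl, proto, (csum), src, dst
    my ($vihl, $tot_len, $ttl, $proto, $src, $dst) = unpack('C x n x4 C C x2 a4 a4', $ip);
    my $ihl = ($vihl & 0x0f) * 4;
    return undef unless ($vihl >> 4) == 4 && $ihl >= 20 && $proto == 6
        && length($ip) >= $ihl + 20;

    my $tcp = substr($ip, $ihl);
    my ($sport, $dport, $seq, $ack, $doff_flags) = unpack('n n N N n', $tcp);
    my $doff  = ($doff_flags >> 12) * 4;
    my $flags = $doff_flags & 0x1ff;
    return undef if $doff < 20 || length($tcp) < $doff;

    # Payload length comes from the IP total length, not from the capture
    # length, so Ethernet padding is never mistaken for data; a short snapshot
    # (caplen < len) simply yields a truncated payload.
    my $plen = $tot_len - $ihl - $doff;
    my $have = length($tcp) - $doff;
    $plen = $have if $plen > $have;
    $plen = 0     if $plen < 0;

    return {
        src_mac => $src_mac, dst_mac => $dst_mac,
        src     => join('.', unpack('C4', $src)),
        dst     => join('.', unpack('C4', $dst)),
        sport   => $sport, dport => $dport, seq => $seq, ack => $ack,
        ttl     => $ttl, flags => $flags,
        payload => substr($tcp, $doff, $plen),
    };
}

# Human-readable TCP flag names, lowest bit first.
sub flag_names {
    my ($flags) = @_;
    my @names = qw(FIN SYN RST PSH ACK URG ECE CWR);
    return join '|', map { $flags & (1 << $_) ? $names[$_] : () } 0 .. $#names;
}

my $d = decode_tcp_frame($frame);
die "not an IPv4/TCP frame\n" unless $d;
printf "%s:%d -> %s:%d  ttl=%d flags=%s seq=%u ack=%u  %d payload bytes\n",
    $d->{src}, $d->{sport}, $d->{dst}, $d->{dport}, $d->{ttl},
    flag_names($d->{flags}), $d->{seq}, $d->{ack}, length $d->{payload};
print $d->{payload};
```

Inside the check_tcp callback above you would call decode_tcp_frame($pkt) and bump $count only when it returns a record. The 14-byte Ethernet offset assumes the capture device is Ethernet (DLT_EN10MB); check Net::Pcap::datalink($pcap) first on other link types, and remember that $hdr->{caplen} can be smaller than $hdr->{len}, which is why every length is checked before unpack is trusted.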