I recommend checking out the Net::Pcap, Net::PcapUtils, and NetPacket CPAN modules. Net::Pcap is a Perl interface straight into libpcap (libpcap is a packet sniffing library on which most UNIX sniffers are based; tcpdump is written using libpcap). Net::PcapUtils is a more Perl-like interface to Net::Pcap that is a bit easier to use than raw Net::Pcap. The NetPacket module provides parsing for a few (but the most common) layer 2, 3, and 4 protocols (ICMP, IP, TCP, UDP, ARP, Ethernet, etc.). With these tools you can put together custom sniffer utilities very quickly.

Here's a simple example of a script that sniffs an ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet's contents:
    #!/usr/bin/perl -w
    use strict;
    use Net::PcapUtils;
    use NetPacket::Ethernet;
    use NetPacket::IP;
    use NetPacket::TCP;
    use Data::HexDump;

    # Packet counter; declared before the capture loop starts so the
    # callback never sees it uninitialized.
    my $i = 0;

    # Callback invoked by Net::PcapUtils::loop for every captured frame.
    sub process_pkt {
        my ($user_data, $hdr, $pkt) = @_;
        my $eth = NetPacket::Ethernet->decode($pkt);
        if ($eth->{type} == 2048) {                 # 0x0800: IPv4
            my $ip = NetPacket::IP->decode($eth->{data});
            if ($ip->{proto} == 6) {                # IP protocol 6: TCP
                my $tcp = NetPacket::TCP->decode($ip->{data});
                print "\n\n$i $ip->{src_ip}($tcp->{src_port}) -> "
                    . "$ip->{dest_ip}($tcp->{dest_port})\n";
                print HexDump $ip->{data};          # IP payload, TCP header included
                $i++;
            }
        }
    }

    # Capture forever, letting libpcap pre-filter on the host of interest.
    Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip host 192.168.1.252');
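An added example (not from the original post) showing the same Ethernet -> IP -> TCP decode chain used for a small defensive check: counting bare SYN segments per source address, which is what a port scan looks like on the wire. It needs only the NetPacket modules (no libpcap) because the frames are constructed inline with pack(); the callback has the Net::PcapUtils::loop signature, so the same sub can be used for live capture. The threshold and addresses are arbitrary assumptions.

```perl
#!/usr/bin/perl -w
use strict;
use NetPacket::Ethernet qw(:types);   # ETH_TYPE_IP
use NetPacket::IP       qw(:protos);  # IP_PROTO_TCP
use NetPacket::TCP      qw(:flags);   # SYN, ACK

my %syn_by_src;   # source IP -> number of SYN-only segments seen

# Decode Ethernet -> IP -> TCP and count bare SYNs per source address.
# Same arguments as a Net::PcapUtils::loop callback, so for live use:
#   Net::PcapUtils::loop(\&process_pkt, FILTER => 'tcp');
sub process_pkt {
    my ($user_data, $hdr, $pkt) = @_;
    my $eth = NetPacket::Ethernet->decode($pkt);
    return unless $eth->{type} == ETH_TYPE_IP;
    my $ip = NetPacket::IP->decode($eth->{data});
    return unless $ip->{proto} == IP_PROTO_TCP;
    my $tcp = NetPacket::TCP->decode($ip->{data});
    # SYN set and ACK clear: the first segment of a connection attempt
    if (($tcp->{flags} & SYN) && !($tcp->{flags} & ACK)) {
        $syn_by_src{ $ip->{src_ip} }++;
    }
}

# Build a minimal Ethernet/IPv4/TCP frame by hand (constructed test input;
# checksums are left zero because NetPacket decodes without verifying them).
sub make_frame {
    my ($src, $dst, $dport, $flags) = @_;
    # TCP: sport, dport, seq, ack, offset(5 words)|flags, window, cksum, urg
    my $tcp = pack('n n N N n n n n', 40000, $dport, 1, 0, (5 << 12) | $flags, 8192, 0, 0);
    # IPv4: ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst
    my $ip  = pack('C C n n n C C n a4 a4', 0x45, 0, 20 + length($tcp), 1, 0, 64,
                   IP_PROTO_TCP, 0, pack('C4', split /\./, $src), pack('C4', split /\./, $dst));
    # Ethernet: dst MAC, src MAC, ethertype (MACs are placeholders)
    return pack('H12 H12 n', '000000000001', '000000000002', ETH_TYPE_IP) . $ip . $tcp;
}

# Constructed sample: one host probing several ports, plus one normal SYN/ACK reply.
my @frames = (
    (map { make_frame('10.0.0.9', '10.0.0.1', $_, SYN) } 22, 25, 80, 443, 8080),
    make_frame('10.0.0.1', '10.0.0.9', 40000, SYN | ACK),
);
process_pkt(undef, undef, $_) for @frames;

my $threshold = 4;   # assumed value; tune for the network being watched
for my $src (sort keys %syn_by_src) {
    printf "%-15s %d SYNs%s\n", $src, $syn_by_src{$src},
        $syn_by_src{$src} >= $threshold ? '  <-- possible port scan' : '';
}
```

On the constructed input only 10.0.0.9 is reported (5 SYNs); the SYN/ACK from 10.0.0.1 is not counted because its ACK bit is set.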