PerlMonks  

Analyse a tcpdump dump file

by pileofrogs (Priest)
on Feb 17, 2010 at 22:21 UTC [id://823825]

pileofrogs has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, monks of the world

Can anyone recommend a perl module to help me analyze a file created by running tcpdump -w dumpfile? I see several modules in the tcpdump/pcap department, but I don't see any obvious choices that can read the packet dump created by tcpdump -w.

For background, I have an intermittent network problem and I've managed to capture a tcpdump file for part of that time. I want to do things like count the number of TCP, UDP, ICMP etc... packets to see if anything really broad like that changes during the badness. I could run "tcpdump -r dumpfile" and parse the resulting text, but if there is a good module to parse the tcpdump packet file, that would be even better.

Thanks!
--Pileofrogs

Thanks folks! Great answers!

Re: Analyse a tcpdump dump file
by NetWallah (Canon) on Feb 18, 2010 at 04:54 UTC
    tcpdump produces native libpcap format files that are readable by Wireshark.

    (The free) Wireshark has powerful filtering and visualization tools to help analyze the packets.

    If you really want to read these in perl, try the "offline Analysis" sample in the Net::Packet::Dump module.

    You will also likely need the NetPacket:: series of modules for TCP/UDP or IP analysis.

         Theory is when you know something, but it doesn't work.
        Practice is when something works, but you don't know why it works.
        Programmers combine Theory and Practice: Nothing works and they don't know why.         -Anonymous
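As an added illustration of what the modules above do under the hood (this is not code from the thread, nor from Net::Packet or NetPacket): the file written by tcpdump -w is a 24-byte global header followed by one 16-byte record header plus frame bytes per packet, and the per-protocol count the question asks for needs only the Ethertype at frame offset 12 and the IPv4 protocol byte at offset 23. The script below reads such a file in plain Perl with no CPAN dependencies and prints TCP/UDP/ICMP/other counts per minute; when run without a filename it uses a small pcap image it constructs itself. The sample timestamps and addresses are made up, and only Ethernet (linktype 1) captures are handled.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal reader for the libpcap file format that "tcpdump -w" produces.
# Layout: a 24-byte global header, then for each packet a 16-byte record
# header (ts_sec, ts_usec, incl_len, orig_len) followed by incl_len bytes.
# Counts TCP/UDP/ICMP/other per minute of capture time. Plain Perl only.

my $LINKTYPE_ETHERNET = 1;

# Parse a pcap image held in memory and return { minute => { kind => n } }.
sub count_protocols {
    my ($data) = @_;
    die "short global header\n" if length($data) < 24;

    # The magic number reveals the byte order the writer used.
    my $n32;
    if    (unpack('N', $data) == 0xa1b2c3d4) { $n32 = 'N' }
    elsif (unpack('V', $data) == 0xa1b2c3d4) { $n32 = 'V' }
    else  { die sprintf "not a pcap file (magic 0x%08x)\n", unpack('N', $data) }

    my ($snaplen, $linktype) = unpack("x16 $n32 $n32", $data);
    die "only Ethernet captures handled (linktype $linktype)\n"
        if $linktype != $LINKTYPE_ETHERNET;

    my %count;
    my $off = 24;
    while ($off + 16 <= length $data) {
        my ($ts_sec, undef, $incl_len, undef)
            = unpack("$n32 $n32 $n32 $n32", substr($data, $off, 16));
        $off += 16;
        # incl_len comes from the file, so bound it before trusting it.
        die "corrupt record at offset $off (incl_len $incl_len)\n"
            if $incl_len > $snaplen || $off + $incl_len > length $data;
        my $frame = substr($data, $off, $incl_len);
        $off += $incl_len;

        my $kind = 'other';
        # Ethertype (network order) at bytes 12-13; for IPv4 (0x0800) the
        # protocol number is byte 9 of the IP header, i.e. offset 14 + 9 = 23.
        if ($incl_len >= 34 && unpack('n', substr($frame, 12, 2)) == 0x0800) {
            my $proto = unpack('C', substr($frame, 23, 1));
            $kind = $proto == 6 ? 'TCP' : $proto == 17 ? 'UDP' : $proto == 1 ? 'ICMP' : 'other';
        }
        $count{ int($ts_sec / 60) * 60 }{$kind}++;
    }
    return \%count;
}

# --- constructed test data (not a real capture) ---------------------------
sub make_frame {            # Ethernet + bare IPv4 header with the given protocol
    my ($proto) = @_;
    my $eth = pack('H12 H12 n', '00000000aaaa', '00000000bbbb', 0x0800);
    my $ip  = pack('C C n n n C C n N N', 0x45, 0, 20, 0, 0, 64, $proto, 0,
                   0x0a000001, 0x0a000002);              # 10.0.0.1 -> 10.0.0.2
    return $eth . $ip;
}
sub make_pcap {             # big-endian pcap image from [ts_sec, frame] pairs
    my $out = pack('N n n N N N N', 0xa1b2c3d4, 2, 4, 0, 0, 65535, $LINKTYPE_ETHERNET);
    for my $p (@_) {
        my ($ts, $frame) = @$p;
        $out .= pack('N N N N', $ts, 0, length $frame, length $frame) . $frame;
    }
    return $out;
}

my $image;
if (@ARGV) {                                # real file: perl count.pl dumpfile
    open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!\n";
    local $/;
    $image = <$fh>;
} else {                                    # demo: ICMP appears only in the last minute
    $image = make_pcap(
        [1266445200, make_frame(6)],  [1266445201, make_frame(6)],  [1266445202, make_frame(17)],
        [1266445260, make_frame(6)],  [1266445261, make_frame(17)],
        [1266445320, make_frame(1)],  [1266445321, make_frame(1)],  [1266445322, make_frame(6)],
    );
}

my $counts = count_protocols($image);
printf "%-16s %5s %5s %5s %5s\n", 'minute (UTC)', 'TCP', 'UDP', 'ICMP', 'other';
for my $b (sort { $a <=> $b } keys %$counts) {
    my @t = gmtime $b;
    printf "%04d-%02d-%02d %02d:%02d %5d %5d %5d %5d\n",
        $t[5] + 1900, $t[4] + 1, $t[3], $t[2], $t[1],
        map { $counts->{$b}{$_} // 0 } qw(TCP UDP ICMP other);
}
```

The length check on incl_len is the part worth keeping even if you switch to Net::Pcap: record lengths in a capture are untrusted input, and a reader that indexes past the buffer on a truncated or crafted file is a common source of parser crashes. For anything beyond counting, decoding with NetPacket::Ethernet and NetPacket::IP as suggested above is the better path, since it also handles VLAN tags, IP options and IPv6, none of which this script does.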

Re: Analyse a tcpdump dump file
by zentara (Archbishop) on Feb 18, 2010 at 13:50 UTC
    Try Reconstructing a file from a packet dump and here are a few snippets I collected here, written by others, which may prove useful. Untested. :-)

    UPDATE: I just tested them, and these don't work, so I delete them, and replace them with this:

    # suppose you have raw dumps, created with something like:
    tcpdump -i eth0 -w tcpdump.out      # to capture raw
    # then do this:
    tcpdump -r ./tcpdump.out > tcpdump.outr

    the output will then look like:

    ....
    ....
    12:17:28.864666 IP oreilly.com.http > zenlap.zentara.net.22322: . ack 651 win 111 <nop,nop,timestamp 1111732560 25
    12:17:29.062812 IP oreilly.com.http > zenlap.zentara.net.22322: . 1:1441(1440) ack 651 win 111 <nop,nop,timestamp
    .....
    .....
    Is that what you want?

    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku
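As an added example of the text-parsing route the original question mentions (this is not code from the thread): the default one-line form shown above does not name the transport protocol for every packet, but tcpdump's -v output starts each packet with an IP header summary that includes a "proto TCP (6)" style field, and the decoded payload line follows indented, so a counter only needs the unindented lines. The sample lines below are constructed in that -v format with RFC 5737 documentation addresses; they are not the output quoted above. The script reads real output on standard input and falls back to the sample when run interactively.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Per-second protocol counts from the text form of a capture, i.e. from
#   tcpdump -nnv -r tcpdump.out
# With -v, tcpdump prints an IP header summary containing "proto TCP (6)",
# which is far easier to classify than the default one-line form. The
# header line carries the timestamp; the indented line that follows it is
# a continuation and must not be counted as a second packet.

# Constructed sample in that format (RFC 5737 documentation addresses);
# not from the original thread.
my @sample = (
  '12:17:28.864666 IP (tos 0x0, ttl 51, id 1, offset 0, flags [DF], proto TCP (6), length 52)',
  '    203.0.113.5.80 > 192.0.2.10.22322: Flags [.], ack 651, win 111, length 0',
  '12:17:29.062812 IP (tos 0x0, ttl 51, id 2, offset 0, flags [DF], proto TCP (6), length 1492)',
  '    203.0.113.5.80 > 192.0.2.10.22322: Flags [.], seq 1:1441, ack 651, win 111, length 1440',
  '12:17:29.500000 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 72)',
  '    192.0.2.10.4242 > 192.0.2.1.53: 1234+ A? example.com. (44)',
  '12:17:30.000001 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto ICMP (1), length 84)',
  '    192.0.2.10 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64',
  '12:17:30.250000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28',
);

# Returns { 'HH:MM:SS' => { TCP => n, UDP => n, ... } }.
sub count_by_second {
    my %count;
    for my $line (@_) {
        chomp $line;
        next if $line =~ /^\s/;                          # continuation line
        my ($ts) = $line =~ /^(\d\d:\d\d:\d\d)\.\d+\s/ or next;
        my $proto = $line =~ /\bproto (\w+) \(\d+\)/ ? $1
                  : $line =~ /^\S+\s+ARP\b/          ? 'ARP'
                  :                                    'other';
        $count{$ts}{$proto}++;
    }
    return \%count;
}

# Read real output on STDIN, otherwise fall back to the sample:
#   tcpdump -nnv -r tcpdump.out | perl count_text.pl
my @lines = -t STDIN ? @sample : <STDIN>;
my $counts = count_by_second(@lines);

my @kinds = ('TCP', 'UDP', 'ICMP', 'ARP', 'other');
printf "%-8s %s\n", 'second', join ' ', map { sprintf '%5s', $_ } @kinds;
for my $ts (sort keys %$counts) {
    printf "%-8s %s\n", $ts,
        join ' ', map { sprintf '%5d', $counts->{$ts}{$_} // 0 } @kinds;
}
```

Two practical notes: -nn keeps tcpdump from resolving names and ports, so the parser never blocks on DNS and an attacker-controlled capture cannot trigger lookups from your analysis box; and because the text layout changes between tcpdump releases, anything you intend to keep around is better built on the binary file with Net::Pcap and NetPacket, as the earlier reply recommends.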
