# Excerpt of a live packet sniffer built on Net::Pcap and NetPacket.
# Lines made up only of dots ("..." / ".....") mark code that the listing
# omits; they are kept exactly where the original had them.
# NOTE(review): `use warnings;` is not among the visible pragmas -- confirm
# it is enabled in the omitted lines.
use strict;
use English;
use Net::Pcap;
use NetPacket::Ethernet qw(:types);
...
use Data::HexDump;

# Capture settings. SNAPLEN, PROMISCUOUS_MODE, TIMEOUT, NUMPACKETS and
# NETWORK_INTERFACE are read by the Net::Pcap calls visible below; the other
# entries are not referenced in this excerpt.
my %pcap_parameters = (
    # Only the first SNAPLEN bytes of each frame are captured, so for larger
    # packets $hdr->{caplen} is smaller than $hdr->{len} and the decoders
    # receive a truncated buffer. Every decoder has to bound its reads by
    # the captured length, not by the on-the-wire length.
    SNAPLEN => 124, # Num bytes to capture from packet
    # Passed as the promisc flag to open_live: the interface then also
    # delivers frames that are not addressed to this host.
    PROMISCUOUS_MODE => 1, # Operate in promiscuous mode?
    TIMEOUT => 1000, # Read timeout (ms)
    NUMPACKETS => 500, # Pkts to read (-1 = loop forever)
    #FILTER => 'ip proto \icmp', # Filter string
    # BPF expression: ARP frames plus UDP datagrams sent to port 161 (SNMP).
    # NOTE(review): no Net::Pcap::compile / Net::Pcap::setfilter call is
    # visible in this excerpt -- confirm the omitted code applies FILTER,
    # otherwise every frame on the segment reaches process_pkt.
    # SNMPv1/v2c requests carry the community string in cleartext, so
    # whatever a decoder prints from these packets should be stored and
    # shared as sensitive output.
    FILTER => 'arp or udp dst port 161', # Filter string
    # NOTE(review): the visible Net::Pcap::loop call passes the literal
    # "abc" as user data, not this entry.
    USERDATA => '', # Passed as first arg to callback fn
    SAVEFILE => '', # Default save file
    # Items below are RETURNED values from PCap calls.
    # Do not attempt to change them in the declaration.
    FILTER_HANDLE => 0, # Reference to compiled filter
    # NOTE(review): unlike its neighbours this entry is an input -- it is
    # handed to open_live below. 'intel' is presumably resolved to a real
    # device name in the omitted code; verify.
    NETWORK_INTERFACE => 'intel',# Network interface to open
    NETWORK_ADDR =>0, # Network Address (32 bit number)
    NETWORK_MASK =>0, # Mask (32-bit number)
    mode => '', # Internal variable
);

# Partial list from http://www.iana.org/assignments/ethernet-numbers
# Dispatch table keyed by EtherType. Each entry gives a display name and a
# reference to the decoder sub for that payload; DECODER => 0 presumably
# means "no decoder available" -- confirm against Dispach_Decoder_If_Any.
# Only types listed here can reach a decoder, so this table works as an
# allow-list for the EtherType field read from the wire.
# The remaining entries and the closing ");" are omitted from the listing.
my %Ethernet_Type_Name = (
    (ETH_TYPE_IP) =>{NAME=>'IP', DECODER => \&Decode_IP},
    (ETH_TYPE_ARP) =>{NAME=>'ARP', DECODER => \&Decode_ARP},
    (ETH_TYPE_APPLETALK) =>{NAME=>'APPLETALK', DECODER => 0},
...
# Open the interface for live capture and abort with pcap's error text on
# failure. $pcap_desc and $err are not declared in the visible lines; under
# `use strict` they must be declared in the omitted code.
# Opening a live capture normally needs elevated privileges (root, or
# CAP_NET_RAW on Linux). Everything after this call parses bytes chosen by
# whoever is on the network, so dropping privileges once the handle is open
# limits the impact of a decoder bug.
$pcap_desc = Net::Pcap::open_live($pcap_parameters{NETWORK_INTERFACE},
                                  $pcap_parameters{SNAPLEN},
                                  $pcap_parameters{PROMISCUOUS_MODE},
                                  $pcap_parameters{TIMEOUT}, \$err)
    or die("Net::Pcap::open_live returned error $err\n");
...
# $count is not used in the visible lines; presumably the omitted code
# updates it.
my $count = 0;
# Read up to NUMPACKETS packets and call process_pkt for each one. The
# fourth argument is handed to the callback as its first parameter.
Net::Pcap::loop($pcap_desc, $pcap_parameters{NUMPACKETS}, \&process_pkt, "abc");
...
# process_pkt -- Net::Pcap::loop callback, invoked once per captured packet.
#
#   $user  user data given to Net::Pcap::loop ("abc" in the call above)
#   $hdr   pcap packet header (hash ref); this excerpt reads tv_sec,
#          tv_usec and len
#   $pkt   raw captured bytes, at most SNAPLEN of them
#
# Builds a one-line summary in $buf: a timestamp and the on-the-wire length,
# followed either by the decoder's output or by a generic Ethernet line.
# $pkt is untrusted input taken straight from the network.
sub process_pkt {
    my($user, $hdr, $pkt) = @_;
    .....
    # localtime in list context returns (sec, min, hour, ...); only the
    # first three fields are kept.
    my ($sec,$min,$hour) =localtime($hdr->{tv_sec});
    # On-the-wire length, which can exceed the number of bytes actually
    # present in $pkt (see SNAPLEN). $len is not used in the visible lines.
    my $len= $hdr->{len};
    my $buf;
    #print("RcvPkt Totlen(PacketLen) $hdr->{len}($hdr->{caplen})" .
    # "\t Time.Usec=$hour:$min:$sec.$hdr->{tv_usec}\n");
    # Parse the Ethernet header; the result exposes src_mac, dest_mac and
    # type, which are used below.
    my $eth_obj = NetPacket::Ethernet->decode($pkt);
    #print("$eth_obj->{src_mac}:$eth_obj->{dest_mac} " .
    # "$Ethernet_Type_Name{$eth_obj->{type}} \n");
    # Prefix "HH:MM:SS.mmm[ len] ". tv_usec / 1000 converts microseconds to
    # milliseconds and %03d drops the fractional part.
    $buf = sprintf("%02d:%02d:%02d.%03d[%4d] ", $hour,$min,$sec, $hdr->{tv_usec} / 1000,$hdr->{len});
    # Call the appropriate decoder, depending on pkt type
    # Dispach_Decoder_If_Any and get_TypeName are defined outside this
    # excerpt. Judging by the comment inside the branch, a true return
    # means no decoder handled the frame -- confirm.
    # NOTE(review): $buf may end up holding text derived from packet
    # contents. If it is printed to a terminal or written to a log (not
    # visible here), escape non-printable bytes first so that a crafted
    # packet cannot inject control sequences or forge log lines.
    if (&Dispach_Decoder_If_Any(\%Ethernet_Type_Name, $eth_obj->{type}, $eth_obj,\$buf)){
        # Decoder call failed..
        # Fall back to a generic line: source MAC, destination MAC and the
        # EtherType name looked up in the table.
        $buf .= "Ether " . $eth_obj->{src_mac} . "-> $eth_obj->{dest_mac} " . &get_TypeName(\%Ethernet_Type_Name,$eth_obj->{type}) ;
        ...
# Only one closing brace is visible; the other one (for the if block or for
# the sub) lies in the omitted part of the listing.
}