Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister

perl IP packet sniffer

by gri6507 (Deacon)
on Apr 07, 2006 at 15:54 UTC ( #541890=perlquestion: print w/replies, xml ) Need Help??
gri6507 has asked for the wisdom of the Perl Monks concerning the following question:

Fellow monks,

I am currently in a secure and dependable communications class. As part of the class project, I need to create an IP packet capture tool (effectively a network sniffer). Looking through CPAN, I saw two modules that seemed to be possibly related: Net::Pcap and Net::Traces::TSH. Does anyone have any experience with these modules? Any recommendations?

Thanks in advance.

Replies are listed 'Best First'.
Re: perl IP packet sniffer
by Corion (Pope) on Apr 07, 2006 at 16:46 UTC

    I've had great success using Net::Pcap, on both, Windows (myself) and Linux (reported by others). It has the great advantage of being able to use/read ethereal capture files, so you are not restricted to live captures only and don't need to cook up your own capture format. You can capture conveniently with ethereal and then analyze with Perl. I wrote Sniffer::HTTP using Net::Pcap.

Re: perl IP packet sniffer
by brian_d_foy (Abbot) on Apr 07, 2006 at 17:28 UTC
      Wow. That's exactly what I was looking to do :-) Thanks a CPAN bundle!
Re: perl IP packet sniffer
by eXile (Priest) on Apr 08, 2006 at 00:14 UTC
Re: perl IP packet sniffer
by diotalevi (Canon) on Apr 07, 2006 at 16:07 UTC

    See HTTP::Sniffer and what it uses.

    ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊

Re: perl IP packet sniffer
by sipphreak (Initiate) on Apr 08, 2006 at 13:36 UTC
    I'm just getting back in to perl and wrote a little script with Net::RawIP. I have not compared RawIP to the other modules mentioned, but after I got through what for me was some confusing documentaion and undocumented examples, I was fine and it worked well. I needed the ability to both send and receive IP packets, thus Net::Pcap was not an option.

    If your class is about security of communications then I'd strongly suggest that you use RawIP. Much more can be done to manipulate communications and break security if one can introduce as well as observe traffic in Man-in-the-Middle scenarios. Even if that is not what your current assignment would require, you'd already have the experience working with RawIP for when you do need to inject or intercept and rewrite packets. It is probably obvious from my nym that I am working on doing that for SIP and the VoIP systems dependent on it.

    If one is trying to use Net::RawIP, the example that is best to follow is the traceroute. I'm not even sure some of the others will work with recent versions of perl. I have a version of traceroute where I made detailed comments on what was supposed to be happening for my own understanding, please ask if you'd like a copy before I get it cleaned up enough to submit to the RawIP author.

    Net::RawIP is not supported by Activestate on Windows and will require a C compiler to build. If anyone has built it and can share the binaries, please let me know. I will get to it someday, but if someone can beat me to it, it's one less thing to do.

    HTH, Sip Phreak

Re: perl IP packet sniffer
by marto (Bishop) on Apr 07, 2006 at 15:59 UTC

    I would recommend using the Super Search tool and searching for the two modules you are looking at.

    Hope this helps.


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://541890]
Approved by marto
Front-paged by Anneq
Discipulus IE just maps to id est in my mind .. ;=)
[Corion]: marto: I believe nowadays, at least window.opener should not be set anymore (except maybe within the same domain)
[Corion]: But I wouldn't really know as I don't use iexplore much (except at $work) and mostly surf with JS disabled (except at $work :) )
[marto]: yeah, this is at work, where some intranet app launches links via When users close the intranet page so that only the new JS opened windows exist, clicking URLs in an email (or whatever) don't open
[Corion]: marto: It somewhat makes sense that the reduced popup window doesn't get new URLs, but it makes less sense that no new browser window opens :)

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (7)
As of 2018-03-21 11:47 GMT
Find Nodes?
    Voting Booth?
    When I think of a mole I think of:

    Results (267 votes). Check out past polls.