
Re: decoding libpcap on windows

by VinsWorldcom (Parson)
on Sep 25, 2012 at 12:18 UTC

in reply to decoding libpcap on windows

Without an example of the "format to be inserted into a database for analysis", I don't know what you're trying to output.

The NetPacket::* modules seem old by copyright date. You may want to have a look at the Net::Frame modules. They provide packet encode/decode at various OSI layers and specifically, you'll want to look at Net::Frame::Dump and its sub-modules. The example provided with the distribution ( may be what you're looking for:

    VinsWorldcom@C:\Users\VinsWorldcom\tmp> test.pcap
    o Frame number: 0 (length: 42)
    ETH: dst:ff:ff:ff:ff:ff:ff  src:cc:18:ff:77:88:99  type:0x0806
    ARP: hType:0x0001  pType:0x0800  hSize:0x06  pSize:0x04  opCode:0x0001
    ARP: src:c4:17:fe:12:7d:75  srcIp:
    ARP: dst:00:00:00:00:00:00  dstIp:
    o Frame number: 1 (length: 59)
    ETH: dst:68:69:70:71:77:90  src:cc:18:ff:77:88:99  type:0x0800
    IPv4: version:4  hlen:5  tos:0x00  length:45  id:8608
    IPv4: flags:0x02  offset:0  ttl:128  protocol:0x06  checksum:0x9072
    IPv4: src:  dst:
    TCP: src:54237  dst:1863  seq:0x322c9b85  ack:0x119cfd35
    TCP: off:0x05  x2:0x0  flags:0x18  win:16677  checksum:0xcce5  urp:0x0
    +0 TCP: payload:504d570d0a
    ...

Re^2: decoding libpcap on windows
by jwillis (Initiate) on Sep 25, 2012 at 13:25 UTC
    I am going to look into the Net::Frame::Dump you mentioned.

    What I'd really like to do is run a Wireshark trace on a web server to capture all HTTP traffic using the ring buffer method for, say, 1 gig of data.

    Then I'd like to have that data inserted into a database for inspection and reporting.

    Does that make sense? So, for example, the field Data would have the POST and GET methods plus the data that you see on the wire.

      Definitely look at Net::Frame then. You can pull apart the packets by field so for instance, source and/or destination IP address and layer 4 port. You can also pull out the data - although you may have to unpack() or decode it as it will likely be in hex.

      I found the documentation of Net::Frame and submodules very helpful on this front.

        Did you use the net dump on Windows? I am using ActiveState PPM and I did not see net-frame available for Windows. When I check the support table on the web site it says it's only available on Linux. Are there any tricks I can do to make it work on Windows?
        Does net-frame work on Windows? The table for the PPM says it's not available as a build for Windows. Are you using the module on Windows, and if so, what instructions did you use to do the build?
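The decode-by-field approach VinsWorldcom describes (Net::Frame::Dump to read the capture, Net::Frame::Simple to split a frame into layers, unpack() on the payload) can be put together into one script. The following is an added example, not code from this thread or from the Net::Frame distribution. It assumes the documented Net::Frame::Simple accessors (ref, timestamp, newFromDump) and the src/dst/payload accessors of the IPv4 and TCP layer objects, and it needs DBD::SQLite. The table name http_segments, the function names and the sample Ethernet/IPv4/TCP frame with an HTTP request are all constructed for the example; Net::Frame::Dump::Offline still needs Net::Pcap, as noted later in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread): decode frames with Net::Frame::Simple,
# pull out IPv4/TCP fields plus the HTTP request line, and insert rows into
# SQLite through DBI placeholders. The sample frame near the end is constructed.
use strict;
use warnings;
use DBI;
use Net::Frame::Simple;
use Net::Frame::Dump::Offline;

# Hypothetical schema: one row per TCP segment that carries data.
sub open_db {
    my ($dsn) = @_;   # e.g. 'dbi:SQLite:dbname=capture.db' or ':memory:'
    my $dbh = DBI->connect($dsn, '', '', { RaiseError => 1, AutoCommit => 1 });
    $dbh->do(<<'SQL');
CREATE TABLE IF NOT EXISTS http_segments (
    ts TEXT, src TEXT, dst TEXT, sport INTEGER, dport INTEGER,
    method TEXT, uri TEXT, payload_hex TEXT
)
SQL
    return $dbh;
}

# Turn one decoded frame into a row. Returns undef for anything that is not
# IPv4/TCP with a payload (ARP, pure ACKs, ...) so the caller can skip it.
sub frame_to_row {
    my ($f) = @_;          # a Net::Frame::Simple object
    my $ref = $f->ref;     # layers keyed by name: ETH, IPv4, TCP, ...
    my ($ip, $tcp) = @{$ref}{qw(IPv4 TCP)};
    return unless $ip && $tcp;
    my $data = $tcp->payload;
    return unless defined $data && length $data;
    # Request line of an HTTP message inside this single segment. No stream
    # reassembly is done, so a request split across segments is not matched.
    my ($method, $uri) =
        $data =~ m{^(GET|POST|PUT|HEAD|DELETE|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d\r?\n};
    return {
        ts => $f->timestamp, src => $ip->src, dst => $ip->dst,
        sport => $tcp->src, dport => $tcp->dst,
        method => $method, uri => $uri,
        payload_hex => unpack('H*', $data),   # same hex form that ->print shows
    };
}

sub store_row {
    my ($dbh, $row) = @_;
    # Placeholders: bytes taken from the wire are never interpolated into SQL.
    my $sth = $dbh->prepare_cached(
        'INSERT INTO http_segments VALUES (?,?,?,?,?,?,?,?)');
    $sth->execute(@{$row}{qw(ts src dst sport dport method uri payload_hex)});
}

# Walk a saved capture file (Wireshark ring-buffer files are plain pcap).
sub import_pcap {
    my ($file, $dbh) = @_;
    my $dump = Net::Frame::Dump::Offline->new(file => $file);
    $dump->start;
    my $n = 0;
    while (my $h = $dump->next) {
        my $row = frame_to_row(Net::Frame::Simple->newFromDump($h)) or next;
        store_row($dbh, $row);
        $n++;
    }
    $dump->stop;
    return $n;   # number of rows inserted
}

# --- constructed sample frame, so the script also runs without a pcap file ---
sub ip_checksum {
    my $sum = 0;
    $sum += $_ for unpack('n*', shift);
    $sum = ($sum >> 16) + ($sum & 0xffff) while $sum >> 16;
    return ~$sum & 0xffff;
}
sub sample_frame {
    my $http = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    # TCP checksum is left at 0; Net::Frame does not verify it when decoding.
    my $tcp = pack('n n N N C C n n n', 54237, 80, 0x322c9b85, 0x119cfd35,
                   0x50, 0x18, 16677, 0, 0);
    my $ip  = pack('C C n n n C C n a4 a4', 0x45, 0, 20 + length($tcp) + length($http),
                   8608, 0x4000, 128, 6, 0, pack('C4', 10,0,0,5), pack('C4', 10,0,0,80));
    substr($ip, 10, 2) = pack('n', ip_checksum($ip));
    my $eth = pack('H12 H12 n', '686970717790', 'cc18ff778899', 0x0800);
    return $eth . $ip . $tcp . $http;
}

my $dbh = open_db('dbi:SQLite:dbname=:memory:');
my $f   = Net::Frame::Simple->new(raw => sample_frame(), firstLayer => 'ETH');
store_row($dbh, frame_to_row($f));
import_pcap($ARGV[0], $dbh) if @ARGV;   # optional: perl this.pl test.pcap
print join('|', map { $_ // '' } @$_), "\n"
    for @{ $dbh->selectall_arrayref(
        'SELECT ts,src,dst,sport,dport,method,uri FROM http_segments') };
```

Run it with no arguments to see the constructed frame decoded into one row, or pass a pcap path to import a real capture. Two design points matter for the reporting use case in this thread: the wire bytes go into the database only through bind parameters, and the request-line match is per segment, so anyone reporting on POST bodies that span several segments will need TCP stream reassembly on top of this.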
Re^2: decoding libpcap on windows
by jwillis (Initiate) on Sep 27, 2012 at 10:45 UTC
    OK. I'm still getting used to this board. Do you use the net-frame module on Windows? If so, where did you read the directions to build the module? When I look at the support table at the ActiveState PPM it says Windows is not supported.

      I use Windows pretty much exclusively. I'm on Windows 7 x64 with Strawberry Perl 5.16.1.

      You're describing the very reason I moved away from Active State - the sometimes shoddy support for modules in their PPM process. Active State *may* now have a CPAN client and that's how I recommend installing Net::Frame.

      On Windows, with Strawberry, I just used:

      cpan Net::Frame
      cpan Net::Frame::Dump

      You'll also probably want many supporting modules to get some really good decodes:

      cpan Net::Frame::Simple
      cpan Net::Frame::Layer::ICMPv4
      cpan Net::Frame::Layer::IPv6
      cpan Net::Frame::Layer::ICMPv6
      cpan Net::Frame::Layer::LLC
      cpan Net::Frame::Layer::STP
      cpan Net::Frame::Layer::8021Q

      I don't believe any of these need a C compiler; however, you will need Net::Pcap installed and that does require a C compiler and some bug fixes to get installed on Windows. If you don't already have Net::Pcap installed, have a look at Re: On Yaks and the Shaving Thereof - finding exported symbols of a C library.

Re^2: decoding libpcap on windows
by jwillis (Initiate) on Sep 27, 2012 at 13:34 UTC
    i am going to look into this direction. thank you very much.
