Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Please be gentle, this is the first time I have posted a question.

I have done several searches, but cannot seem to get any of the examples to work...I am OK with extracting the payload from each packet in the pcap...What I am falling short on is the Xor operation. Ideally, I would like to decode each payload and put it back into the packet so that I can open the file back up in wireshark and analyze the decoded packets:

Any help would be greatly appreciated! As a side note, I have considered writing a wireshark protocol dissector, but unfortunately, I cannot compile on this computer, nor can I do it at home and bring the compiled dissector in...

I have a payload which contains the following:
03 76 2c ef a7 ff e5
The second two bytes are used as a key to decode the rest of the payload such that they are Xor'd against the remaining data like the example below:

03 76 2c ef a7 ff e5
              76 2c76 2c
             99 8b 89 c9

I have tried different approaches to this, here is my current code and a big empty where I am stuck:

#!C:/Perl/bin/Perl.exe -w use strict; use warnings; use Carp qw (cluck confess croak); use Net::Pcap; use NetPacket; use NetPacket::Ethernet qw(:strip); use NetPacket::IP; use NetPacket::UDP; use NetPacket::TCP; use List::Util qw( sum ); my $err; my $pcap = Net::Pcap::pcap_open_offline('FILE LOCATION', \$err) or con +fess; Net::Pcap::pcap_loop($pcap,-1,\&process_packet,undef); sub process_packet { my ($user_data, $header, $packet) = @_; my $rec = parse_packet($packet); } sub parse_packet { my $packet = shift; my $ip_obj=NetPacket::IP->decode(eth_strip($packet)); my $udp_obj=NetPacket::UDP->decode($ip_obj->{data}); my $hexString=unpack("H$udp_obj->{len}",$udp_obj->{data}); if(substr($hexString,0,2) eq '03' && $udp_obj->{len} > 3) { # print "UDP OBJ LEN: $udp_obj->{len} : ".substr($hexString,0,$ +udp_obj->{len})."\n"; my $xorKey=substr($hexString,2,4); my $encryptedData=substr($hexString,6,$udp_obj->{len}); my $decryptedData=sum(map(hex,unpack '(a4)*',$encryptedData)) +& map(hex,unpack '(a4)*',$xorKey); print $decryptedData."\n"; # my @inBytes=unpack("(A2)*",$hexString); # my $xorKey="$inBytes[1]$inBytes[2]"; # print $xorKey ^ (sum(map (hex,unpack '(a4)*',substr($hexStrin +g,2,$udp_obj->{len})))); } }

In reply to Xor decode from pcap file by mabossert

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others scrutinizing the Monastery: (5)
    As of 2017-12-17 20:54 GMT
    Find Nodes?
      Voting Booth?
      What programming language do you hate the most?

      Results (466 votes). Check out past polls.