http://www.perlmonks.org?node_id=716317

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello Gents,

I'm sorry if this is the wrong place to ask this question, but is there a good way to filter packets on a Windows machine using Perl? I want to choose whether packets should be filtered based on information from the header. Everywhere I've looked leads me to C or C++, etc, but I don't know C as much as I know Perl.

Thanks a million.
-Sean

Re: Filtering packets on Windows
by Illuminatus (Curate) on Oct 09, 2008 at 21:57 UTC
Re: Filtering packets on Windows
by NetWallah (Canon) on Oct 10, 2008 at 04:38 UTC
    Here is the beginning of some code I wrote 5 years ago. /msg me if you need more.

    The header will give you an idea about what you need to install, to get started.

    #!/usr/bin/perl -w
    #
    # Network Traffic Analyzer
    # -------------------------
    # May 2003, by Netwallah
    #
    # This program analyzes network traffic, and reports on packets captured.
    # It uses the "pcap" interface (winpcap for Win32 : http://winpcap.polito.it).
    # It uses Net::pcap. Win32 version of this is at http://www.bribes.org/perl/wnetpcap.html
    # To use this, you may also need to do the following commands:
    # ppm install Data-HexDump
    # ppm install NetPacket
    # ppm install http://www.bribes.org/perl/ppm/Net-Pcap.ppd
    # ppm install http://www.bribes.org/perl/ppm/Net-PcapUtils.ppd
    #########################################################################
    use strict;
    use English;
    use Net::Pcap;
    use NetPacket::Ethernet qw(:types);
    use NetPacket::IP       qw(:protos);
    use NetPacket::ARP      qw(:opcodes);
    use NetPacket::TCP;
    use NetPacket::UDP;
    use NetPacket::ICMP     qw(:types);
    use Data::HexDump;

    my( $pcap_desc, $err, $result);
    my $verbose = 1;
    my %pcap_parameters = (
        SNAPLEN          => 124,     # Num bytes to capture from packet
        PROMISCUOUS_MODE => 1,       # Operate in promiscuous mode?
        TIMEOUT          => 1000,    # Read timeout (ms)
        NUMPACKETS       => 500,     # Pkts to read (-1 = loop forever)
        #FILTER          => 'ip proto \icmp',          # Filter string
        FILTER           => 'arp or udp dst port 161', # Filter string
        USERDATA         => '',      # Passed as first arg to callback fn
        SAVEFILE         => '',      # Default save file
        # Items below are RETURNED values from PCap calls.
        # Do not attempt to change them in the declaration.
        FILTER_HANDLE     => 0,       # Reference to compiled filter
        NETWORK_INTERFACE => 'intel', # Network interface to open
        NETWORK_ADDR      => 0,       # Network Address (32 bit number)
        NETWORK_MASK      => 0,       # Mask (32-bit number)
        mode              => '',      # Internal variable
    );

    # Partial list from http://www.iana.org/assignments/ethernet-numbers
    my %Ethernet_Type_Name = (
        (ETH_TYPE_IP)        => {NAME=>'IP',        DECODER => \&Decode_IP},
        (ETH_TYPE_ARP)       => {NAME=>'ARP',       DECODER => \&Decode_ARP},
        (ETH_TYPE_APPLETALK) => {NAME=>'APPLETALK', DECODER => 0},
        0x8035               => {NAME=>'RARP',      DECODER => \&Decode_ARP}, # (ETH_TYPE_RARP is NOT exported!!!)
        (ETH_TYPE_SNMP)      => {NAME=>'SNMP',      DECODER => 0},
        (ETH_TYPE_IPv6)      => {NAME=>'IPv6',      DECODER => 0},
        (ETH_TYPE_PPP)       => {NAME=>'PPP',       DECODER => 0},
    );

    # Partial list From http://www.iana.org/assignments/protocol-numbers
    my %IP_Type_Name = (
        (IP_PROTO_IP)   => {NAME=>'IP',   DECODER=>0},
        (IP_PROTO_ICMP) => {NAME=>'ICMP', DECODER=>\&Decode_IP_ICMP},
    ..snip..

         Have you been high today? I see the nuns are gay! My brother yelled to me...I love you inside Ed - Benny Lava, by Buffalax

      Sorry for the duplicate post, I wanted to move this to the bottom...



      Hello again,

      Thanks to everyone for all the advice. I GREATLY appreciate it. (REALLY!!)

      Ok, so let's start from the top:

      Yeah, sorry, IP packets, not Sugar or Creamer packets - but I heard coffee filters might work for this. BTW: I like my packets shaken and not stirred.

      I know about Net::Pcap, but I read somewhere that you can only view packets and not change them (like an IDS). I'm looking for more of the IPS or firewall approach (yes, pileofrogs, you are correct).

      I know about Squid (and actually prefer it as a proxy server solution). I want the ability to look at a packet, then if it's heading for www.badsite.com, change it to go to www.errorpage.com. I know Squid would work great for this, but I don't want a user to be able to change their proxy settings to bypass it. If I could put Squid inline, I could eliminate this, but then they could just bypass that server physically.

      I have never looked at Squid on Windows (except through Cygwin). If it does run on Windows, I'm curious how they filter packets. I know Checkpoint does it as well. My guess is that they cut into Windows using some variant of C.

      Thank you for the code, NetWallah, it's a good start. I just wish Net::Pcap would let you filter as well as view (on Windows). This would be so much easier if the world were "hooked" on Unix.

      Thanks again to everyone - I hope that answers some questions and gets one step closer.


      -Sean
      AKA: Morpheous1129
Re: Filtering packets on Windows
by pileofrogs (Priest) on Oct 09, 2008 at 22:30 UTC

    When you say "filter" do you mean you want to stop them getting to applications, like a firewall, or do you mean you want to take a bunch of packets and identify certain ones?

    If it's the first case, I have no idea how it works on Windows. If it's the 2nd case, Net::Pcap and NetPacket::??? are things I've used before. Make sure you know how your packets are supposed to look though, i.e., read some RFCs.
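    To make NetWallah's Net::Pcap sketch above and pileofrogs's "identify certain ones" case concrete, here is an added example (my own code, not NetWallah's or the NetPacket project's). It takes the raw Ethernet frame that a Net::Pcap callback receives, decodes the Ethernet, IP and TCP/UDP headers with NetPacket, and returns an ACCEPT/DROP verdict from header fields alone. The policy table, the `classify`/`mk_frame`/`in_net` names and the RFC 5737 documentation addresses are all assumptions constructed for the example; the frames are built inline so it runs with no capture device. Passing an interface name as the first argument feeds the same function from a live capture, which (as Sean notes) can only observe on Windows, not block.

```perl
#!/usr/bin/perl
# Added example: header-based accept/drop decisions over raw Ethernet frames.
# Test frames are constructed inline; live mode is optional (see bottom).
use strict;
use warnings;
use NetPacket::Ethernet qw(:types);
use NetPacket::IP       qw(:protos);
use NetPacket::TCP;
use NetPacket::UDP;

# Hypothetical policy: block two destination ports and one destination
# network. Addresses come from the RFC 5737 documentation ranges.
my %policy = (
    blocked_dst_port => { 23 => 'telnet', 135 => 'msrpc' },
    blocked_dst_net  => [ [ '192.0.2.0', 24 ] ],
);

sub ip2n { unpack( 'N', pack( 'C4', split /\./, $_[0] ) ) }

# True when dotted-quad $ip lies inside $net/$bits.
sub in_net {
    my ( $ip, $net, $bits ) = @_;
    my $mask = $bits ? ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF : 0;
    return ( ip2n($ip) & $mask ) == ( ip2n($net) & $mask );
}

# Returns ( 'ACCEPT' | 'DROP', reason ), looking only at header fields.
sub classify {
    my ($frame) = @_;
    my $eth = NetPacket::Ethernet->decode($frame);
    return ( 'ACCEPT', 'non-IP ethertype' ) if $eth->{type} != ETH_TYPE_IP;

    my $ip = NetPacket::IP->decode( $eth->{data} );
    for my $net ( @{ $policy{blocked_dst_net} } ) {
        return ( 'DROP', "dst $ip->{dest_ip} in $net->[0]/$net->[1]" )
            if in_net( $ip->{dest_ip}, @$net );
    }

    my $dport;
    if ( $ip->{proto} == IP_PROTO_TCP ) {
        $dport = NetPacket::TCP->decode( $ip->{data} )->{dest_port};
    } elsif ( $ip->{proto} == IP_PROTO_UDP ) {
        $dport = NetPacket::UDP->decode( $ip->{data} )->{dest_port};
    } else {
        return ( 'ACCEPT', "ip proto $ip->{proto} not inspected" );
    }
    return ( 'DROP', "dst port $dport ($policy{blocked_dst_port}{$dport})" )
        if exists $policy{blocked_dst_port}{$dport};
    return ( 'ACCEPT', "$ip->{src_ip} -> $ip->{dest_ip}:$dport" );
}

# --- constructed test frames: Ethernet + IPv4 + minimal TCP SYN or UDP ----
sub mk_frame {
    my ( $proto, $src, $dst, $sport, $dport ) = @_;
    my $l4 = $proto == IP_PROTO_TCP
        ? pack( 'n n N N n n n n', $sport, $dport, 1, 0, 0x5002, 8192, 0, 0 ) # hlen 5, SYN
        : pack( 'n n n n', $sport, $dport, 8, 0 );                            # UDP, empty
    my $iph = pack( 'C C n n n C C n a4 a4',
        0x45, 0, 20 + length $l4, 1, 0x4000, 64, $proto, 0,
        pack( 'C4', split /\./, $src ), pack( 'C4', split /\./, $dst ) );
    return pack( 'H12 H12 n', '001122334455', '66778899aabb', ETH_TYPE_IP ) . $iph . $l4;
}

my @frames = (
    [ 'telnet to host', mk_frame( IP_PROTO_TCP, '198.51.100.7', '203.0.113.9', 40000, 23 ) ],
    [ 'dns to bad net', mk_frame( IP_PROTO_UDP, '198.51.100.7', '192.0.2.53',  40001, 53 ) ],
    [ 'https to host',  mk_frame( IP_PROTO_TCP, '198.51.100.7', '203.0.113.9', 40002, 443 ) ],
    [ 'arp frame',      pack( 'H12 H12 n', 'ffffffffffff', '66778899aabb', ETH_TYPE_ARP ) . "\0" x 28 ],
);

if ( my $dev = shift @ARGV ) {
    # Live mode: the BPF string pre-filters inside the capture driver
    # (WinPcap on Windows); Perl only sees what passes it. Observe only.
    require Net::Pcap;
    my $err;
    my $pcap = Net::Pcap::open_live( $dev, 128, 1, 1000, \$err )
        or die "open_live($dev): $err";
    my $bpf;
    Net::Pcap::compile( $pcap, \$bpf, 'ip', 1, 0 ) == 0 or die "bad filter";
    Net::Pcap::setfilter( $pcap, $bpf );
    Net::Pcap::loop( $pcap, 20, sub {
        my ( $user, $hdr, $pkt ) = @_;
        my ( $verdict, $why ) = classify($pkt);
        printf "%-6s %s\n", $verdict, $why;
    }, '' );
    Net::Pcap::close($pcap);
} else {
    for my $f (@frames) {
        my ( $verdict, $why ) = classify( $f->[1] );
        printf "%-16s %-6s %s\n", $f->[0], $verdict, $why;
    }
}
```

    Run without arguments and the four constructed frames yield DROP for the telnet SYN and the UDP packet into 192.0.2.0/24, and ACCEPT for the HTTPS SYN and the ARP frame. The BPF string does the cheap first cut in the driver, so the Perl decision function only pays for packets that already match; widen the `'ip'` filter to the same kind of expression NetWallah uses (`'arp or udp dst port 161'`) to narrow it further.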

Re: Filtering packets on Windows
by aquarium (Curate) on Oct 10, 2008 at 00:12 UTC
    If you just want to filter web traffic or other traffic that is proxyable, and putting a proxy inline is not too much hassle, install/setup Squid, which can easily plug in Perl to inspect/modify headers etc.
    the hardest line to type correctly is: stty erase ^H
Re: Filtering packets on Windows
by Anonymous Monk on Oct 09, 2008 at 21:43 UTC
    Packets? Sugar or creamer?