#!/usr/bin/perl -w
#
# Network Traffic Analyzer
# -------------------------
# May 2003, by Netwallah 
#
# This program analyzes network traffic, and reports on packets captured.
# It uses the "pcap" interface (winpcap for Win32 : http://winpcap.polito.it).
# It uses Net::pcap. Win32 version of this is at http://www.bribes.org/perl/wnetpcap.html
# To use this, you may also need to do the following commands:
#   ppm install Data-HexDump
#   ppm install NetPacket
#   ppm install http://www.bribes.org/perl/ppm/Net-Pcap.ppd
#   ppm install http://www.bribes.org/perl/ppm/Net-PcapUtils.ppd
#########################################################################

use strict;
use English;
use Net::Pcap;
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::ARP qw(:opcodes);
use NetPacket::TCP;
use NetPacket::UDP;
use NetPacket::ICMP qw(:types);
use Data::HexDump;

my( $pcap_desc, $err, $result);
my $verbose = 1;

my %pcap_parameters = (
        SNAPLEN => 124,         # Num bytes to capture from packet
	PROMISCUOUS_MODE => 1,  # Operate in promiscuous mode?
        TIMEOUT => 1000,        # Read timeout (ms)
        NUMPACKETS => 500,       # Pkts to read (-1 = loop forever)
        #FILTER => 'ip proto \icmp',           # Filter string
        FILTER => 'arp or udp dst port 161',           # Filter string
	USERDATA => '',         # Passed as first arg to callback fn
	SAVEFILE => '',         # Default save file

        # Items below are RETURNED values from PCap calls.
        # Do not attempt to change them in the declaration.
        FILTER_HANDLE => 0,     # Reference to compiled filter
        NETWORK_INTERFACE => 'intel',# Network interface to open
        NETWORK_ADDR =>0,       # Network Address (32 bit number)
        NETWORK_MASK =>0,       # Mask (32-bit number)
	mode => '',             # Internal variable
        );

# Partial list from http://www.iana.org/assignments/ethernet-numbers
my %Ethernet_Type_Name = (
           (ETH_TYPE_IP)        =>{NAME=>'IP', DECODER => \&Decode_IP},
           (ETH_TYPE_ARP)       =>{NAME=>'ARP', DECODER => \&Decode_ARP},
           (ETH_TYPE_APPLETALK) =>{NAME=>'APPLETALK', DECODER => 0},
            0x8035     =>{NAME=>'RARP', DECODER => \&Decode_ARP}, # (ETH_TYPE_RARP is NOT exported!!!)
           (ETH_TYPE_SNMP)      =>{NAME=>'SNMP', DECODER => 0},
           (ETH_TYPE_IPv6)      =>{NAME=>'IPv6', DECODER => 0},
           (ETH_TYPE_PPP)       =>{NAME=>'PPP' ,DECODER => 0}
           );
# Partial list From http://www.iana.org/assignments/protocol-numbers
my %IP_Type_Name = (
    (IP_PROTO_IP)     =>{NAME=>'IP', DECODER=>0},
    (IP_PROTO_ICMP)   =>{NAME=>'ICMP', DECODER=>\&Decode_IP_ICMP},
..snip..