PerlMonks  

Re: Filtering packets on Windows

by NetWallah (Canon)
on Oct 10, 2008 at 04:38 UTC


in reply to Filtering packets on Windows

Here is the beginning of some code I wrote 5 years ago. /msg me if you need more.

The header will give you an idea about what you need to install to get started.

    #!/usr/bin/perl -w
    #
    # Network Traffic Analyzer
    # -------------------------
    # May 2003, by Netwallah
    #
    # This program analyzes network traffic, and reports on packets captured.
    # It uses the "pcap" interface (winpcap for Win32 : http://winpcap.polito.it).
    # It uses Net::pcap. Win32 version of this is at http://www.bribes.org/perl/wnetpcap.html
    # To use this, you may also need to do the following commands:
    #   ppm install Data-HexDump
    #   ppm install NetPacket
    #   ppm install http://www.bribes.org/perl/ppm/Net-Pcap.ppd
    #   ppm install http://www.bribes.org/perl/ppm/Net-PcapUtils.ppd
    #########################################################################
    use strict;
    use English;
    use Net::Pcap;
    use NetPacket::Ethernet qw(:types);
    use NetPacket::IP qw(:protos);
    use NetPacket::ARP qw(:opcodes);
    use NetPacket::TCP;
    use NetPacket::UDP;
    use NetPacket::ICMP qw(:types);
    use Data::HexDump;

    my( $pcap_desc, $err, $result);
    my $verbose = 1;
    my %pcap_parameters = (
        SNAPLEN           => 124,       # Num bytes to capture from packet
        PROMISCUOUS_MODE  => 1,         # Operate in promiscuous mode?
        TIMEOUT           => 1000,      # Read timeout (ms)
        NUMPACKETS        => 500,       # Pkts to read (-1 = loop forever)
        #FILTER           => 'ip proto \icmp',          # Filter string
        FILTER            => 'arp or udp dst port 161', # Filter string
        USERDATA          => '',        # Passed as first arg to callback fn
        SAVEFILE          => '',        # Default save file
        # Items below are RETURNED values from PCap calls.
        # Do not attempt to change them in the declaration.
        FILTER_HANDLE     => 0,         # Reference to compiled filter
        NETWORK_INTERFACE => 'intel',   # Network interface to open
        NETWORK_ADDR      => 0,         # Network Address (32 bit number)
        NETWORK_MASK      => 0,         # Mask (32-bit number)
        mode              => '',        # Internal variable
    );

    # Partial list from http://www.iana.org/assignments/ethernet-numbers
    my %Ethernet_Type_Name = (
        (ETH_TYPE_IP)        => {NAME=>'IP',        DECODER => \&Decode_IP},
        (ETH_TYPE_ARP)       => {NAME=>'ARP',       DECODER => \&Decode_ARP},
        (ETH_TYPE_APPLETALK) => {NAME=>'APPLETALK', DECODER => 0},
        0x8035               => {NAME=>'RARP',      DECODER => \&Decode_ARP}, # (ETH_TYPE_RARP is NOT exported!!!)
        (ETH_TYPE_SNMP)      => {NAME=>'SNMP',      DECODER => 0},
        (ETH_TYPE_IPv6)      => {NAME=>'IPv6',      DECODER => 0},
        (ETH_TYPE_PPP)       => {NAME=>'PPP',       DECODER => 0}
    );

    # Partial list From http://www.iana.org/assignments/protocol-numbers
    my %IP_Type_Name = (
        (IP_PROTO_IP)   => {NAME=>'IP',   DECODER=>0},
        (IP_PROTO_ICMP) => {NAME=>'ICMP', DECODER=>\&Decode_IP_ICMP},
        ..snip..

     Have you been high today? I see the nuns are gay! My brother yelled to me...I love you inside Ed - Benny Lava, by Buffalax

Re^2: Filtering packets on Windows
by Anonymous Monk on Oct 17, 2008 at 18:51 UTC
    Sorry for the duplicate post, I wanted to move this to the bottom...

    Hello again,

    Thanks to everyone for all the advice. I GREATLY appreciate it. (REALLY!!)

    OK, so let's start from the top:

    Yeah, sorry, IP packets, not Sugar or Creamer packets - but I heard coffee filters might work for this. BTW: I like my packets shaken and not stirred.

    I know about Net::Pcap, but I read somewhere that you can only view packets and not change them (like an IDS). I'm looking for more of the IPS or firewall approach (yes, pileofrogs, you are correct).

    I know about Squid (and actually prefer it as a proxy server solution). I want the ability to look at a packet, then if it's heading for www.badsite.com, change it to go to www.errorpage.com. I know Squid would work great for this, but I don't want a user to be able to change their proxy settings to bypass it. If I could put Squid inline, I could eliminate this, but then they could just bypass that server physically.

    I have never looked at Squid on Windows (except through Cygwin). If it does run on Windows, I'm curious how they filter packets. I know Checkpoint does it as well. My guess is that they cut into Windows using some variant of C.

    Thank you for the code, NetWallah, it's a good start. I just wish Net::Pcap would let you filter as well as view (on Windows). This would be so much easier if the world were "hooked" on Unix.

    Thanks again to everyone - I hope that answers some questions and gets one step closer.


    -Sean
    AKA: Morpheous1129
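An added example, not NetWallah's code and not from anyone in the thread: a complete Net::Pcap + NetPacket monitor that compiles a BPF filter and walks the same Ethernet/IP/TCP-UDP decode chain as the snippet above, logging new connection attempts toward a watch-listed address. Because pcap is capture-only, it can detect and report traffic bound for a "badsite" but never redirect or drop it, which is the IDS-versus-IPS limitation Sean describes; the watched address 192.0.2.10 (an RFC 5737 documentation address) and the script name are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the original post): passive watch-list monitor on
# Net::Pcap + NetPacket. It can only observe and log, never rewrite or drop.
# Usage: perl watch.pl <interface-name | saved-capture.pcap>
use strict;
use warnings;
use Net::Pcap;
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::TCP;
use NetPacket::UDP;
# Placeholder: an RFC 5737 documentation address standing in for www.badsite.com.
my %watch  = ('192.0.2.10' => 'placeholder for www.badsite.com');
my $source = shift @ARGV or die "usage: $0 <interface|capture.pcap>\n";
my $err;

# Replay a saved capture if given a file, otherwise open the interface live
# (128-byte snaplen covers Ethernet + IP + TCP/UDP headers).
my $pcap = -f $source
    ? Net::Pcap::open_offline($source, \$err)
    : Net::Pcap::open_live($source, 128, 1, 1000, \$err);
die "cannot open $source: $err\n" unless $pcap;

# Let BPF discard everything that is not IP-over-TCP/UDP before Perl sees it.
my $filter;
Net::Pcap::compile($pcap, \$filter, 'ip and (tcp or udp)', 1, 0) == 0
    or die 'bad filter: ' . Net::Pcap::geterr($pcap) . "\n";
Net::Pcap::setfilter($pcap, $filter) == 0
    or die 'setfilter: ' . Net::Pcap::geterr($pcap) . "\n";
sub on_packet {
    my ($user, $hdr, $raw) = @_;
    my $eth = NetPacket::Ethernet->decode($raw);
    return unless $eth->{type} == ETH_TYPE_IP;
    my $ip  = NetPacket::IP->decode($eth->{data});
    my $why = $watch{ $ip->{dest_ip} } or return;   # only traffic toward the list
    my ($proto, $dport);
    if ($ip->{proto} == IP_PROTO_TCP) {
        my $tcp = NetPacket::TCP->decode($ip->{data});
        # SYN without ACK marks a new connection attempt; skip the rest of the flow.
        return unless ($tcp->{flags} & 0x02) && !($tcp->{flags} & 0x10);
        ($proto, $dport) = ('tcp', $tcp->{dest_port});
    } else {
        ($proto, $dport) = ('udp', NetPacket::UDP->decode($ip->{data})->{dest_port});
    }
    printf "%s %s -> %s %s/%d [%s]\n", scalar localtime($hdr->{tv_sec}),
        $ip->{src_ip}, $ip->{dest_ip}, $proto, $dport, $why;
}

Net::Pcap::loop($pcap, -1, \&on_packet, '');   # until EOF (file) or Ctrl-C
Net::Pcap::close($pcap);
```

On Windows this needs WinPcap/Npcap and the Net::Pcap build NetWallah's header points at; pass an interface name for live capture or a saved .pcap file to test it offline.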
