I recommend checking out the Net::Pcap, Net::PcapUtils, and NetPacket CPAN modules. Net::Pcap is a Perl interface straight into libpcap (libpcap is the packet-sniffing library on which most UNIX sniffers are based; tcpdump is written using libpcap). Net::PcapUtils is a more Perl-like interface to Net::Pcap that is a bit easier to use than raw Net::Pcap. The NetPacket modules provide parsing for a few (but the most common) layer 2, 3, and 4 protocols (ICMP, IP, TCP, UDP, ARP, Ethernet, etc.). With these tools you can put together custom sniffer utilities very quickly.
Here's a simple example of a script that sniffs an Ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet's contents:
#!/usr/bin/perl -w
use strict;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Data::HexDump;

# Packet counter. Declared before loop() is called so the callback
# sees it initialised (loop() normally never returns).
my $i = 0;

# Capture on the default interface; the BPF filter keeps only IP
# traffic to or from the given host.
Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip host 192.168.1.252');

sub process_pkt {
    my ($user_data, $hdr, $pkt) = @_;
    my $eth = NetPacket::Ethernet->decode($pkt);
    if ($eth->{type} == 0x0800) {                 # EtherType 0x0800 (2048): IPv4
        my $ip = NetPacket::IP->decode($eth->{data});
        if ($ip->{proto} == 6) {                  # IP protocol 6: TCP
            my $tcp = NetPacket::TCP->decode($ip->{data});
            print "\n\n$i $ip->{src_ip}($tcp->{src_port}) -> $ip->{dest_ip}($tcp->{dest_port})\n";
            # $ip->{data} is the whole TCP segment (header plus payload);
            # $tcp->{data} would be the payload alone.
            print HexDump $ip->{data};
            $i++;
        }
    }
}
Thank you for your suggestion. Unfortunately I think I can't use the modules you mentioned under NT: there's no libpcap under NT. Once again I think that I have to install Linux on my laptop as well. As soon as I have Linux up and running I will surely try these modules and build my own simple sniffer in Perl :)
thank you
marcos
Just a quick post for posterity: the Pcap library can be obtained in source and binary forms from http://winpcap.polito.it/ and is quite mature in nature.
I have worked with some packet-capturing libraries for NT, but none of them has a Perl interface. If you want to write a sniffer-like tool for NT, I'm afraid you're stuck using C, C++ or something similar.
Thanks a bunch for the pointers and sample code. I just happened to have the same question (sniffing in perl), and your post has jump started my efforts.
Hello! I tested the script and it works fine for me.
Does someone know how I can decode the next part of the packet?
15 10.8.4.19(33373) -> 10.10.0.28(6667)
00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF
00000000 82 5D 1A 0B C9 12 24 11 - 46 3E F8 5D 80 10 65 D0 .]....$.F>.]..e.
00000010 AC 3D 00 00 01 01 08 0A - 00 5E 08 95 DD 5D 9D F5 .=.......^...]..
That is one of the packets, and it is not encrypted, but I don't know how to decode it.
Thanks
Check out Net::Packet. It has parsers for certain protocols above layer 3. If not, you may have to write your own parser, or figure out a way to pass the captured data off to a program like Ethereal that has more advanced parsing capability for the upper levels of the protocol stack.
L
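An added example (not code from any of the posts above) that does the "write your own parser" step for the bytes in the hex dump posted earlier. The sniffer script dumps $ip->{data}, which is the whole TCP segment, so the 32 bytes shown start with the TCP header itself: the first two fields are the ports 0x825D (33373) and 0x1A0B (6667) that the script printed. The decoder below uses only core Perl (unpack), needs no libpcap, and reports the header fields, the options and the payload length. The 32 bytes are copied from the post; nothing else is captured or assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 32 bytes from the hex dump posted above (copied from the post).
my $segment = pack('H*',
      '825D1A0BC9122411463EF85D801065D0'
    . 'AC3D00000101080A005E0895DD5D9DF5');

my %flag_bits = (FIN => 0x001, SYN => 0x002, RST => 0x004, PSH => 0x008,
                 ACK => 0x010, URG => 0x020, ECE => 0x040, CWR => 0x080,
                 NS  => 0x100);

# Decode one TCP segment (header + payload) into a hashref.
sub decode_tcp {
    my ($seg) = @_;
    die "segment shorter than the 20-byte minimum TCP header\n" if length($seg) < 20;

    # Fixed 20-byte header; every field is big-endian (network order).
    my ($src, $dst, $seq, $ack, $off_flags, $win, $csum, $urg)
        = unpack('n n N N n n n n', $seg);

    my $hlen = ($off_flags >> 12) * 4;            # data offset is in 32-bit words
    die "bogus data offset $hlen\n" if $hlen < 20 || $hlen > length($seg);

    my $flags = $off_flags & 0x1FF;               # 9 flag bits, including NS
    my @set = grep { $flags & $flag_bits{$_} } sort keys %flag_bits;

    return {
        src_port => $src, dst_port => $dst, seq => $seq, ack => $ack,
        hlen => $hlen, flags => $flags, flag_names => \@set,
        window => $win, checksum => $csum, urgent => $urg,
        options => [ parse_options(substr($seg, 20, $hlen - 20)) ],
        payload => substr($seg, $hlen),           # application data, if any
    };
}

# TCP options: kind 0 ends the list, kind 1 (NOP) has no length byte,
# every other option is kind, length, value. Malformed lengths stop the walk.
sub parse_options {
    my ($opt) = @_;
    my @out;
    my $i = 0;
    while ($i < length $opt) {
        my $kind = ord substr($opt, $i, 1);
        if ($kind == 0) { push @out, 'EOL'; last }
        if ($kind == 1) { push @out, 'NOP'; $i++; next }
        last if $i + 1 >= length $opt;
        my $len = ord substr($opt, $i + 1, 1);
        last if $len < 2 || $i + $len > length $opt;
        my $val = substr($opt, $i + 2, $len - 2);
        if    ($kind == 2) { push @out, sprintf 'MSS=%d', unpack('n', $val) }
        elsif ($kind == 3) { push @out, sprintf 'WScale=%d', unpack('C', $val) }
        elsif ($kind == 4) { push @out, 'SACKperm' }
        elsif ($kind == 8) { push @out, sprintf 'TS val=%u ecr=%u', unpack('N N', $val) }
        else               { push @out, sprintf 'kind%d(%s)', $kind, unpack('H*', $val) }
        $i += $len;
    }
    return @out;
}

my $t = decode_tcp($segment);
printf "%d -> %d seq=%u ack=%u flags=%s win=%d hlen=%d\n",
    @$t{qw(src_port dst_port seq ack)},
    join('|', @{ $t->{flag_names} }) || 'none',
    @$t{qw(window hlen)};
print  "options: @{ $t->{options} }\n";
printf "payload: %d bytes\n", length $t->{payload};
print  "no application data in this segment (pure ACK)\n" unless length $t->{payload};
```

Run against the posted bytes this prints 33373 -> 6667, flags ACK, a 32-byte header carrying NOP, NOP and a timestamp option, and a payload of 0 bytes: the data offset (8 words) covers all 32 bytes, so there is nothing above layer 4 to decode in that particular segment. The application data (port 6667 is the conventional IRC port) will be in segments whose payload is non-empty, which in the sniffer script is $tcp->{data} rather than $ip->{data}; NetPacket::TCP->decode exposes the same fields as src_port, dest_port, seqnum, acknum, hlen, flags, winsize, cksum, urg, options and data.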
Hi, I am designing a sniffer in Perl. Will it be possible to put an interface in another language?
Can't work on Windows... no output is there.