Net::Pcap garbage Output

by WalkingZero (Sexton)
on May 26, 2008 at 01:53 UTC ( [id://688463]=perlquestion )

WalkingZero has asked for the wisdom of the Perl Monks concerning the following question:

I am having some trouble with Net::Pcap. It is giving me strange output that seems to be encoded in some way that is not explained.

If I use Net::Pcap to capture ARP packets and then pull out the sender hardware address I get results such as 383163666630, 383163666638, 383163666635, or 415348283078. If I try to pull the sender IP addresses I get things such as 38316366, 3029, 6329, or 3829.

The same type of event occurs if I simply try to use Net::Pcap::lookupnet. It tells me that my IP address is 3232236032, when my IP is 192.168.2.3 and it tells me my netmask is 4294967040 when it is 255.255.255.0. Can anyone please explain what's going on, and how to convert this garbage into useful information? Cheers!

Update: As requested I have included some example code:

    #!/usr/bin/perl -w
    use Net::Pcap;

    my $dev="eth1";
    my $address;
    my $netmask;
    my $err;

    if (Net::Pcap::lookupnet($dev, \$address, \$netmask, \$err)) {
        die 'Unable to look up device information for ', $dev, ' - ', $err;
    }
    print "\n The Ip is $address and the mask is $netmask \n";

    #!/usr/bin/perl -w
    use Net::ARP;
    use Net::Pcap;
    use NetPacket::Ethernet;
    use NetPacket::ARP;

    my $dev="eth1";
    my $err;
    my $capobj=Net::Pcap::open_live($dev,1500,0,0,\$err);
    unless (defined $capobj){die 'Unable to create packet capture on device ', $dev, ' - ', $err;}
    my $filter;
    Net::Pcap::compile($capobj, \$filter,'arp',0,'4294967040') && die 'Unable to compile packet capture filter';
    Net::Pcap::setfilter($capobj, $filter) && die "Unable to set capture filter!";
    Net::ARP::send_packet("eth1","192.168.2.3","192.168.2.101","00:18:de:34:8e:7b","ff:ff:ff:ff:ff:ff","request");
    Net::Pcap::loop($capobj, -1 ,\&arp_packets,'') || die "Unable to complete packet capture! \n";
    Net::Pcap::close($capobj);

    sub arp_packets{
        my ($user_data, $header, $packet)= @_;
        my $eth_obj=NetPacket::Ethernet::decode($packet);
        my $arp_obj=NetPacket::ARP::decode($eth_obj{'data'}, $eth_obj);
        print "Caught packet with source of $arp_obj->{'sha'} at ip $arp_obj->{'spa'} \n";
    }

Replies are listed 'Best First'.
Re: Net::Pcap garbage Output
by GrandFather (Saint) on May 26, 2008 at 02:13 UTC

    4294967040 expressed as a hex number is FFFFFF00.

    3232236032 expressed as a hex number is C0A80200 which is 192.168.2.0 expressed in IP format (are you sure that last octet is 3?).

    I suspect your MAC addresses are simply 48 bit binary values, which may cause a little trouble if you are using a 32 bit Perl without native 64 bit integers, but only a little trouble.

    Maybe if you had cared enough about the problem to format your node I'd have been enthusiastic enough about it to help further.


    Perl is environmentally friendly - it saves trees
      Yes I am sure the last octet is a 3 as 192.168.2.0 is not a valid ip address. I explored this possibility, but it doesn't make all the pieces fit however. The IP information is obviously incorrect, and when reading out of the packets the number given is often only 4 digits. I am quite confused. Also, I am curious as to what is wrong with the formatting of my node?

        At the time I replied there was no markup at all so your node was rendered as an unformatted block of text. We strongly recommend that you preview your node and fix anything that doesn't look right before commit.

        We also like significant updates to your node content to be flagged with Updated: markers as appropriate. Changing the node (to which this is a reply) from containing only the first sentence to a node containing five sentences would generally be considered to be a significant update.


        Perl is environmentally friendly - it saves trees
Re: Net::Pcap garbage Output
by almut (Canon) on May 26, 2008 at 02:31 UTC

    You could use the inet_ntoa function from Socket to convert the numbers:

        use Socket;
        my $ip = inet_ntoa(pack "N", 3232236032); # 192.168.2.0
      Alas it does not appear to be that simple. If you convert for example 415348283078 to hex you get 60B4AFD6C6 which is not the MAC address that is genuinely in the sha field of the ARP packet.
        it does not appear to be that simple.

        Right, inet_ntoa does only work with IP addresses / 32-bit numbers...

Re: Net::Pcap garbage Output
by Khen1950fx (Canon) on May 26, 2008 at 21:47 UTC
    I couldn't get Net::Pcap to work for me. Here's a small substitute:

        #!/usr/bin/perl
        use strict;
        use warnings;
        use Linux::net::dev;
        use Net::ARP;
        use Net::Address::Ethernet qw(get_address);
        use Sys::HostIP;

        my $devs = Linux::net::dev::info();
        print "Devices (bytes read):\n";
        foreach (keys %$devs) {
            print " $_ ($devs->{$_}->{rbytes})\n";
        }

        my $dev = "eth0";
        my $mac = Net::ARP::get_mac("eth0");
        print "$mac\n";

        $mac = Net::ARP::arp_lookup($dev, '192.168.1.1');
        print "192.168.1.1 has got mac $mac\n";

        my $sAddress = get_address;
        print "$sAddress\n";

        my $ip_address = Sys::HostIP->ip;
        print $ip_address, "\n";
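
The conversions discussed in the replies, as an added example that is not part of the original thread: it turns the two lookupnet integers into dotted-quad and prefix form, and tests whether each "hardware address" and "IP" value from the question is really hex-encoded text. The helper names are invented here; the inputs are the values quoted in the question plus the sender MAC from its send_packet call.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# A 32-bit integer such as lookupnet() reports -> dotted quad.
# pack 'N' yields the four big-endian bytes that inet_ntoa() expects.
sub int_to_dotted { return inet_ntoa(pack('N', $_[0])) }

# Prefix length of a netmask: the '%32b*' template sums (counts) the set bits.
sub mask_to_prefix { return unpack('%32b*', pack('N', $_[0])) }

# Twelve hex digits (a 6-byte hardware address) -> aa:bb:cc:dd:ee:ff
sub hex_to_mac {
    my ($hex) = @_;
    return unless defined $hex && $hex =~ /\A[0-9a-fA-F]{12}\z/;
    return join ':', map { lc $_ } $hex =~ /(..)/g;
}

# Read a digit string as hex-encoded bytes; return the text only if
# every byte is printable ASCII.
sub hex_as_text {
    my ($hex) = @_;
    return unless length($hex) % 2 == 0 && $hex =~ /\A[0-9a-fA-F]+\z/;
    my $bytes = pack 'H*', $hex;
    return unless $bytes =~ /\A[\x20-\x7e]+\z/;
    return $bytes;
}

# Values reported by Net::Pcap::lookupnet in the question
my ($net, $mask) = (3232236032, 4294967040);
printf "network %s/%d (mask %s)\n",
    int_to_dotted($net), mask_to_prefix($mask), int_to_dotted($mask);

# "sha" and "spa" values quoted in the question
for my $v (qw(383163666630 383163666638 383163666635 415348283078
              38316366 3029 6329 3829)) {
    my $text = hex_as_text($v);
    printf "%-12s -> %s\n", $v,
        defined $text ? qq{ASCII "$text"} : 'not printable ASCII';
}

# For comparison: a real 6-byte address as 12 hex digits
# (the sender MAC from the question's send_packet call)
print hex_to_mac('0018de348e7b'), "\n";
```

Every "hardware address" and "IP" value from the question decodes to printable ASCII such as `81cff0`, `ASH(0x` or `0)`, which looks like pieces of a stringified Perl reference (`HASH(0x...)`) rather than packet bytes. That reading is an inference from the decoded text, not something the thread states.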
