http://www.perlmonks.org?node_id=995527

jwillis has asked for the wisdom of the Perl Monks concerning the following question:

Hi everyone, I am trying to decode Wireshark data into a format to be inserted into a database for analysis. I don't know how to make the garbage in a file mean something useful. I am using a Wireshark sample file to try and get the output to be something meaningful. Can someone point me in the right direction?

#!perl
use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::TCP;

my $log = Net::TcpDumpLog->new();
$log->read("test.pcap");

foreach my $index ($log->indexes) {
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);

    # $data is the raw Ethernet frame, so peel one layer off at a time:
    # Ethernet -> IP -> TCP.  Handing the whole frame to NetPacket::TCP::strip
    # treats the Ethernet header as a TCP header and prints garbage.
    my $eth = NetPacket::Ethernet->decode($data);
    next unless $eth->{type} == ETH_TYPE_IP;        # skip ARP and the like
    my $ip = NetPacket::IP->decode($eth->{data});
    next unless $ip->{proto} == IP_PROTO_TCP;       # skip UDP, ICMP, ...
    my $tcp_payload = NetPacket::TCP::strip($ip->{data});
    print "$ip->{src_ip} -> $ip->{dest_ip}: ", length($tcp_payload), " payload bytes\n";
    print "$tcp_payload\n";
}

Re: decoding libpcap on windows
by VinsWorldcom (Prior) on Sep 25, 2012 at 12:18 UTC

    Without an example of the "format to be inserted into a database for analysis", I don't know what you're trying to output.

    The NetPacket::* modules seem old by copyright date. You may want to have a look at the Net::Frame modules. They provide packet encode/decode at various OSI layers and specifically, you'll want to look at Net::Frame::Dump and its sub-modules. The example provided with the distribution (dump-offline.pl) may be what you're looking for:

    VinsWorldcom@C:\Users\VinsWorldcom\tmp> dump-offline.pl test.pcap
    o Frame number: 0 (length: 42)
    ETH: dst:ff:ff:ff:ff:ff:ff src:cc:18:ff:77:88:99 type:0x0806
    ARP: hType:0x0001 pType:0x0800 hSize:0x06 pSize:0x04 opCode:0x0001
    ARP: src:c4:17:fe:12:7d:75 srcIp:192.168.10.100
    ARP: dst:00:00:00:00:00:00 dstIp:192.168.10.20
    o Frame number: 1 (length: 59)
    ETH: dst:68:69:70:71:77:90 src:cc:18:ff:77:88:99 type:0x0800
    IPv4: version:4 hlen:5 tos:0x00 length:45 id:8608
    IPv4: flags:0x02 offset:0 ttl:128 protocol:0x06 checksum:0x9072
    IPv4: src:192.168.10.100 dst:64.5.62.248
    TCP: src:54237 dst:1863 seq:0x322c9b85 ack:0x119cfd35
    TCP: off:0x05 x2:0x0 flags:0x18 win:16677 checksum:0xcce5 urp:0x00
    TCP: payload:504d570d0a
    ...
      I am going to look into the Net::Frame::Dump you mentioned.

      What I'd really like to do is run a Wireshark trace on a web server to capture all HTTP traffic using the ring buffer method for, say, 1 GB of data.

      Then I'd like to have that data inserted into a database for inspection and reporting.

      Does that make sense? So, for example, the field Data would have the POST and GET methods plus the data that you see on the wire.

        Definitely look at Net::Frame then. You can pull apart the packets by field, so, for instance, source and/or destination IP address and layer 4 port. You can also pull out the data - although you may have to unpack() or decode it as it will likely be in hex.

        I found the documentation of Net::Frame and submodules very helpful on this front.
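As an added example (not code from the thread or from the NetPacket or Net::Frame distributions), the following does the decode the original question asks about, and the HTTP-into-database step discussed above, in core Perl with unpack() only, so it runs on Windows without a C compiler or CPAN modules. It parses the classic libpcap file format (not pcapng, which Wireshark can also write), peels off Ethernet, IPv4 and TCP, picks out the request line and Host header of segments that begin an HTTP request (the GET/POST data), and turns each into a parameterised INSERT. The sample capture is constructed inline; the table name http_requests and its columns are assumptions. Because the payload is attacker-controlled, the values are bound with placeholders rather than interpolated into the SQL text.

```perl
use strict;
use warnings;

# Parse the classic libpcap file format (not pcapng).  Returns one hash per
# record: { ts => epoch seconds, data => raw Ethernet frame }.
sub parse_pcap {
    my ($bytes) = @_;
    die "short pcap header\n" if length($bytes) < 24;
    # The magic number fixes the byte order and the timestamp resolution.
    my %by_magic = (0xa1b2c3d4 => ['N', 1e6], 0xd4c3b2a1 => ['V', 1e6],    # microseconds
                    0xa1b23c4d => ['N', 1e9], 0x4d3cb2a1 => ['V', 1e9]);   # nanoseconds
    my $magic = unpack('N', $bytes);
    my $fmt = $by_magic{$magic} or die sprintf("not a pcap file (magic 0x%08x)\n", $magic);
    my ($u32, $ts_div) = @$fmt;
    my $linktype = unpack($u32, substr($bytes, 20, 4));
    die "only Ethernet (linktype 1) is handled, got $linktype\n" unless $linktype == 1;
    my @packets;
    my $off = 24;
    while ($off + 16 <= length($bytes)) {
        my ($ts_sec, $ts_frac, $incl_len) = unpack($u32 x 3, substr($bytes, $off, 12));
        $off += 16;                                          # 16-byte record header (orig_len ignored)
        last if $off + $incl_len > length($bytes);           # truncated capture: stop cleanly
        push @packets, { ts => $ts_sec + $ts_frac / $ts_div, data => substr($bytes, $off, $incl_len) };
        $off += $incl_len;
    }
    return @packets;
}

# Ethernet -> IPv4 -> TCP.  Returns addressing fields plus the TCP payload, or
# nothing if the frame is anything else (ARP, IPv6, UDP, ...).
sub decode_tcp {
    my ($frame) = @_;
    return if length($frame) < 34;                                     # 14 Ethernet + 20 IPv4
    return unless unpack('n', substr($frame, 12, 2)) == 0x0800;        # IPv4 only
    my $ip = substr($frame, 14);
    my ($vihl, undef, $total_len, undef, undef, undef, $proto) = unpack('C C n n n C C', $ip);
    my $ihl = ($vihl & 0x0f) * 4;
    return unless ($vihl >> 4) == 4 && $ihl >= 20 && $proto == 6;     # TCP only
    return if $total_len < $ihl + 20 || $total_len > length($ip);      # bogus or truncated length
    my $tcp = substr($ip, $ihl, $total_len - $ihl);                    # IP length, not frame padding
    my ($sport, $dport, undef, undef, $doff_res, $flags) = unpack('n n N N C C', $tcp);
    my $doff = ($doff_res >> 4) * 4;
    return if $doff < 20 || $doff > length($tcp);
    return { src_ip => join('.', unpack('C4', substr($ip, 12, 4))), src_port => $sport,
             dst_ip => join('.', unpack('C4', substr($ip, 16, 4))), dst_port => $dport,
             flags  => $flags, payload => substr($tcp, $doff) };
}

# Request line and Host header of a segment that starts an HTTP request, or nothing.
sub parse_http_request {
    my ($payload) = @_;
    return unless $payload =~ m{\A(GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/(1\.[01])\r?\n};
    my ($method, $uri, $ver) = ($1, $2, $3);
    my ($head, $body) = split /\r?\n\r?\n/, $payload, 2;
    my ($host) = $head =~ /^Host:[ \t]*([^\r\n]+)/mi;
    return { method => $method, uri => $uri, version => $ver, host => $host // '', body => $body // '' };
}

# One database row per TCP segment that begins an HTTP request.
sub http_rows {
    my ($pcap_bytes) = @_;
    my @rows;
    for my $pkt (parse_pcap($pcap_bytes)) {
        my $tcp = decode_tcp($pkt->{data})            or next;
        my $req = parse_http_request($tcp->{payload}) or next;
        push @rows, { ts => $pkt->{ts}, (map { $_ => $tcp->{$_} } qw(src_ip src_port dst_ip dst_port)), %$req };
    }
    return @rows;
}

# Parameterised INSERT for one row (table and columns are assumed names).  The values
# come off the wire, so they are bound, never interpolated: $dbh->prepare($sql)->execute(@binds).
sub insert_sql {
    my ($row) = @_;
    my @cols = qw(ts src_ip src_port dst_ip dst_port method uri version host body);
    my $sql = sprintf('INSERT INTO http_requests (%s) VALUES (%s)',
                      join(', ', @cols), join(', ', ('?') x @cols));
    return ($sql, map { $row->{$_} } @cols);
}

# Constructed sample capture (not a real trace): an ARP frame, then an IPv4/TCP frame
# carrying an HTTP GET, as a little-endian pcap.  Checksums are left zero; not verified.
sub sample_pcap {
    my $req = "GET /login?user=bob HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n";
    my $tcp = pack('n n N N C C n n n', 54237, 80, 0x322c9b85, 0x119cfd35, 5 << 4, 0x18, 16677, 0, 0) . $req;
    my $ip  = pack('C C n n n C C n C4 C4', 0x45, 0, 20 + length($tcp), 8608, 0x4000, 128, 6, 0,
                   192, 168, 10, 100, 64, 5, 62, 248) . $tcp;
    my $http_frame = pack('H12 H12 n', '686970717790', 'cc18ff778899', 0x0800) . $ip;
    my $arp_frame  = pack('H12 H12 n', 'ffffffffffff', 'cc18ff778899', 0x0806) . ("\0" x 28);
    my $file = pack('V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1);    # global header
    for my $frame ($arp_frame, $http_frame) {
        $file .= pack('V V V V', 1348574400, 123456, length($frame), length($frame)) . $frame;
    }
    return $file;
}

unless (caller) {    # run as a script; skipped when the file is require'd
    for my $row (http_rows(sample_pcap())) {
        my ($sql, @binds) = insert_sql($row);
        print "$sql\n  binds: ", join(' | ', @binds), "\n";
    }
}
```

Run it as-is to see the one row the constructed capture yields (the ARP frame is skipped); swap sample_pcap() for the contents of a real ring-buffer file to process a trace. Two caveats for real captures: a POST body larger than one segment is split across packets, so for complete bodies you need TCP stream reassembly rather than this per-segment view, and checksums are not checked, so corrupted frames still produce rows.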

      OK. I'm still getting used to this board. Do you use the Net::Frame module on Windows? If so, where did you read the directions to build the module? When I look at the support table at the ActiveState PPM, it says Windows is not supported.

        I use Windows pretty much exclusively. I'm on Windows 7 x64 with Strawberry Perl 5.16.1.

        You're describing the very reason I moved away from ActiveState - the sometimes shoddy support for modules in their PPM process. ActiveState *may* now have a CPAN client, and that's how I recommend installing Net::Frame.

        On Windows, with Strawberry, I just used:

        cpan Net::Frame
        cpan Net::Frame::Dump

        You'll also probably want many supporting modules to get some really good decodes:

        cpan Net::Frame::Simple
        cpan Net::Frame::Layer::ICMPv4
        cpan Net::Frame::Layer::IPv6
        cpan Net::Frame::Layer::ICMPv6
        cpan Net::Frame::Layer::LLC
        cpan Net::Frame::Layer::STP
        cpan Net::Frame::Layer::8021Q

        I don't believe any of these need a C compiler; however, you will need Net::Pcap installed and that does require a C compiler and some bug fixes to get installed on Windows. If you don't already have Net::Pcap installed, have a look at Re: On Yaks and the Shaving Thereof - finding exported symbols of a C library.

      I am going to look in this direction. Thank you very much.