I'm currently using the following script to capture packets:
#!/usr/usc/perl/5.6.1/bin/perl
use strict;
use warnings;
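$| = 1;    # autoflush STDOUT

use Net::Pcap;

# Capture interface: first command-line argument, falling back to eth1.
my $dev = shift @ARGV;
$dev = 'eth1' unless defined $dev && length $dev;

# NOTE(review): a port primitive is evaluated against the UDP/TCP header,
# which only unfragmented datagrams and the FIRST fragment of a fragmented
# datagram carry.  A datagram larger than the path MTU is split by IP, so a
# capture (or detection rule) keyed on the port alone records only that first
# fragment -- presumably the single 1514-byte frame (1500-byte MTU plus
# 14-byte Ethernet header; confirm on the capture interface).  To keep the
# trailing fragments as well, the filter has to admit them explicitly, e.g.
#   'dst port 111 or (ip[6:2] & 0x1fff != 0)'
# and the payload then has to be reassembled from the fragments by the caller.
my $filter_string = 'dst port 111';
#my $filter_string = 'udp';

# snaplen is an upper bound on the bytes kept per captured frame; it does not
# make libpcap reassemble fragments into one larger packet.
my $snaplen = 65500;
my $promisc = 0;     # do not put the interface into promiscuous mode
my $timeout = 0;     # read timeout in milliseconds handed to open_live
my $count   = -1;    # negative count: loop() keeps going until an error

# Netmask handed to compile(); -256 is 0xFFFFFF00 as a 32-bit value.
# libpcap consults it only for broadcast-address filter primitives.
my $net = -256;

my $err = '';
my $cap_dev = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err);

# A missing handle is the failure signal; text in $err alongside a valid
# handle is reported but treated as a warning.
die "open_live($dev): $err\n" unless defined $cap_dev;
warn "open_live($dev): $err\n" if defined $err && length $err;

# compile() and setfilter() return 0 on success.  Their error text lives in
# the capture handle (geterr), not in the $err buffer used by open_live.
my $filter;
Net::Pcap::compile($cap_dev, \$filter, $filter_string, 0, $net) == 0
    or die "compile: " . Net::Pcap::geterr($cap_dev) . "\n";

# If installing the filter fails the handle would deliver unfiltered traffic,
# so stop rather than capture more than was asked for.
Net::Pcap::setfilter($cap_dev, $filter) == 0
    or die "setfilter: " . Net::Pcap::geterr($cap_dev) . "\n";

# 'woot' is opaque user data passed through to callback() unchanged.
Net::Pcap::loop($cap_dev, $count, \&callback, 'woot');
Net::Pcap::close($cap_dev);
exit 0;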
sub callback {
    # Per-packet handler registered with Net::Pcap::loop.
    #   $user_data - the opaque value given to loop() (unused here)
    #   $hdr       - hash ref describing the packet (len, caplen, ...)
    #   $pkt       - the captured bytes
    my ($user_data, $hdr, $pkt) = @_;

    warn "packet!\n";

    # Work on a shallow copy so the hash owned by Net::Pcap is never handed
    # to downstream code.
    my %hdr_copy = %{$hdr};
    process_packet(\%hdr_copy, $pkt);

    # Wire length, captured length, and the length of the buffer we received.
    my $received = length($pkt);
    warn "$hdr_copy{len} $hdr_copy{caplen} $received\n";
}
sub process_packet {
    # Report one packet's sizes on STDERR as "len caplen buffer-length".
    #   $hdr - hash ref with at least the keys 'len' and 'caplen'
    #   $pkt - the captured bytes
    my ($hdr, $pkt) = @_;

    my ($wire_len, $cap_len) = @{$hdr}{qw(len caplen)};
    my $received = length($pkt);

    warn "$wire_len $cap_len $received\n";
}
Now when I send a 5550-byte packet, I get this:
root@a05s24:~/scanner# perl dn3.pl
packet!
1514 1514 1514
1514 1514 1514
I have the snaplen set high in the script, and tcpdump picks up the packet fine:
23:27:26.508174 IP 37.X.X.X.57114 > a05s24.sunrpc: UDP, length 5550
At this point I'm pretty stumped :(
Anyone with pcap experience, please help me with this little error.