
network sniffing under perl


peterve (IS-IT--Management, NL) - Mar 19, 2000 - 1,348 posts
Hi,

I'm trying to implement sniffing capabilities in one of my applications, but I'm stuck...

I tried to use both the Raw::IP module and the Net::Pcap module. I've been able to see traffic, but neither module has offered me what I really want to see...
I want to be able to get all of the traffic...
source IP, source port, target IP, target port, timestamp, sequence number, all of the data, the flags, options, ... basically ALL of the packets... and not just the few options that both Raw::IP and Net::Pcap seem to offer...

Has anyone used Perl to implement sniffing capabilities?
What are you using? Did I miss something within Raw::IP and/or Net::Pcap?
Or are you using another module?

Please speak up... it would be greatly appreciated!!

thanks

P
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
Thanks...

I wrote this piece of code, but the output is not exactly what I wanted:

I'm using the following modules:

use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP qw(:strip);
use NetPacket::TCP qw(:strip);
use NetPacket::UDP qw(:strip);

Code:
use strict;
use warnings;

# launch sniffer
# SNAPLEN is the number of bytes of each packet handed to the callback; the small
# default cuts the payload short, 65535 captures whole packets
Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip', SNAPLEN => 65535);


sub process_pkt
{
  my($user, $hdr, $pkt) = @_;
  my($tcp_obj, $udp_obj, $src_port, $dest_port);
  #get the packet (the whole Ethernet frame)
  my $raw_obj = NetPacket::Ethernet->decode($pkt);

  # Is this an IP packet ? (2048 == 0x0800 == ETH_TYPE_IP)
  print $raw_obj->{type}, "\n";
  if($raw_obj->{type} == 2048)
  {
      # decode the IP header from the Ethernet payload (same as eth_strip($pkt))
      my $ip_obj = NetPacket::IP->decode($raw_obj->{data});

      # ports live in the TCP/UDP header, not in the IP header: decode the transport
      # layer from the IP payload ($ip_obj->{data}) before filtering on ports
      if ($ip_obj->{proto} == 6)
      {
         $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
         ($src_port, $dest_port) = ($tcp_obj->{src_port}, $tcp_obj->{dest_port});
      }
      elsif ($ip_obj->{proto} == 17)
      {
         $udp_obj = NetPacket::UDP->decode($ip_obj->{data});
         ($src_port, $dest_port) = ($udp_obj->{src_port}, $udp_obj->{dest_port});
      }
      else
      {
         return;
      }

      # I only want to see Netbios traffic
      my %netbios = (137 => 1, 138 => 1, 139 => 1, 445 => 1);
      return unless $netbios{$src_port} or $netbios{$dest_port};

      if ($tcp_obj)
      {
         #process TCP packet
         print "---------------------------------------------------------------------------------------\n";
         print $ip_obj->{src_ip}.".".$tcp_obj->{src_port}." > ".$ip_obj->{dest_ip}.".".$tcp_obj->{dest_port};
         print ": ".$tcp_obj->{seqnum}." ".$tcp_obj->{acknum}." win ".$tcp_obj->{winsize}."\n";
         print $tcp_obj->{data}."\n";
      }
      else
      {
         #process UDP
         print "---------------------------------------------------------------------------------------\n";
         print $ip_obj->{src_ip}.".".$udp_obj->{src_port}." > ".$ip_obj->{dest_ip}.".".$udp_obj->{dest_port}."\n";
         print $udp_obj->{data}."\n";
      }
  }
}


App works, but the data output looks like sh*t...
Also, where can I specify how many bytes of the payload I want to sniff (basically I want to sniff & display ALL of the payload)?

thanks

P
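A complete decoder of the kind this thread is asking for, added here as an example (it is not peterve's code and was not part of the original thread). It uses only core Perl pack/unpack, so it runs without libpcap or the NetPacket modules, and pulls out everything the first post lists (addresses, ports, sequence and ack numbers, flags, options, checksums and the whole payload) from one hand-built Ethernet/IPv4/TCP frame. The frame, its addresses, ports, payload and the timestamp are all constructed for the demonstration. decode_frame() is the shape of callback body you would hand to Net::PcapUtils::loop, whose SNAPLEN argument is what decides how much of each packet reaches that callback.

```perl
# Added example, not the thread's code: decode an Ethernet/IPv4/TCP frame with core Perl
# pack/unpack only, exposing every header field plus a hex dump of the complete payload.
use strict; use warnings;

# Constructed frame, not a real capture (addresses, ports and payload are invented):
# 192.168.1.100:1025 -> 192.168.1.1:445, PSH|ACK, NOP/NOP/timestamp options, payload "\xffSMB".
my $FRAME = pack('H*', join '',
    '001122334455', '66778899aabb', '0800',            # Ethernet: dst, src, ethertype IPv4
    '45', '00', '0038', '1234', '4000', '40', '06',    # IPv4: ver/ihl, tos, total len, id, DF, ttl, proto
    'a4d6', 'c0a80164', 'c0a80101',                    # IPv4: checksum, src, dst
    '0401', '01bd', '11223344', '55667788',            # TCP: sport, dport, seq, ack
    '8018', '2000', '6f4f', '0000',                    # TCP: offset/flags, window, checksum, urg
    '0101080a', '00000001', '00000002',                # TCP options: NOP, NOP, TS(tsval, tsecr)
    'ff534d42',                                        # payload (first bytes of an SMB header)
);

# RFC 1071 ones'-complement checksum; yields zero when run over data that includes its own checksum.
sub inet_checksum {
    my ($data) = @_;
    $data .= "\0" if length($data) % 2;                       # pad odd length to a full word
    my $sum = 0; $sum += $_ for unpack('n*', $data);
    $sum = ($sum >> 16) + ($sum & 0xffff) while $sum >> 16;  # fold carries
    return ~$sum & 0xffff;
}

# Decode one frame into a flat hash. Malformed or truncated input sets 'note' and returns
# what was decoded so far instead of dying: one bad packet must not take the sniffer down.
sub decode_frame {
    my ($frame) = @_; my %p;
    if (length($frame) < 34) { $p{note} = 'runt frame'; return \%p }
    my ($dst, $src, $type, $vihl, $tos, $len, $id, $frag, $ttl, $proto, $cksum, $saddr, $daddr) =
        unpack('a6 a6 n C C n n n C C n a4 a4', $frame);
    @p{qw(eth_src eth_dst)} = map { join ':', unpack('(H2)6', $_) } $src, $dst;
    if ($type != 0x0800) { $p{note} = sprintf('ethertype 0x%04x not decoded', $type); return \%p }
    my $ip  = substr($frame, 14);
    my $ihl = ($vihl & 0x0f) * 4;
    if ($ihl < 20 || $len < $ihl || length($ip) < $ihl) { $p{note} = 'bad IP length'; return \%p }
    @p{qw(ip_ver ip_hlen ip_len ip_id ip_ttl ip_proto)} = ($vihl >> 4, $ihl, $len, $id, $ttl, $proto);
    @p{qw(ip_df ip_mf ip_off)} = (($frag >> 14) & 1, ($frag >> 13) & 1, $frag & 0x1fff);
    @p{qw(ip_src ip_dst)} = map { join '.', unpack('C4', $_) } $saddr, $daddr;
    $p{ip_opts} = unpack('H*', substr($ip, 20, $ihl - 20));
    $p{ip_cksum_ok} = inet_checksum(substr($ip, 0, $ihl)) == 0 ? 1 : 0;
    # Cut at the IP total length, not the capture length: Ethernet pads short frames to 60 bytes
    # (that padding is not payload), and a capture shorter than the IP length means the snaplen cut it.
    $p{truncated} = length($ip) < $len ? 1 : 0;
    my $l4 = substr($ip, $ihl, $len - $ihl);
    if ($proto != 6) { $p{note} = "protocol $proto not decoded"; return \%p }
    if (length($l4) < 20) { $p{note} = 'truncated TCP header'; return \%p }
    my ($sport, $dport, $seq, $ack, $offflags, $win, $tcksum, $urg) = unpack('n n N N n n n n', $l4);
    my $thl = ($offflags >> 12) * 4;
    if ($thl < 20 || length($l4) < $thl) { $p{note} = 'bad TCP header length'; return \%p }
    @p{qw(tcp_sport tcp_dport tcp_seq tcp_ack tcp_hlen tcp_win tcp_urg)} = ($sport, $dport, $seq, $ack, $thl, $win, $urg);
    my @names = qw(FIN SYN RST PSH ACK URG ECE CWR);          # bit 0 .. bit 7 of the flags byte
    $p{tcp_flags} = join '|', map { $offflags & (1 << $_) ? $names[$_] : () } 0 .. 7;
    $p{tcp_opts}  = parse_tcp_options(substr($l4, 20, $thl - 20));
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length.
    my $pseudo = pack('a4 a4 C C n', $saddr, $daddr, 0, 6, length($l4));
    $p{tcp_cksum_ok} = inet_checksum($pseudo . $l4) == 0 ? 1 : 0;
    $p{data} = substr($l4, $thl);
    return \%p;
}

# Walk the option list; stop (do not die) at a bad length so a crafted packet cannot crash us.
sub parse_tcp_options {
    my ($opts) = @_; my @out;
    my %name = (2 => 'MSS', 3 => 'WScale', 4 => 'SACKOK', 5 => 'SACK', 8 => 'TS');
    while (length($opts)) {
        my $kind = ord(substr($opts, 0, 1, ''));
        last if $kind == 0;                                       # EOL
        if ($kind == 1) { push @out, 'NOP'; next }                # NOP carries no length byte
        my $olen = length($opts) ? ord(substr($opts, 0, 1, '')) : 0;
        last if $olen < 2 || length($opts) < $olen - 2;           # malformed length
        push @out, ($name{$kind} || "opt$kind") . '=' . unpack('H*', substr($opts, 0, $olen - 2, ''));
    }
    return join ',', @out;
}

# tcpdump -X style dump (offset, hex words, printable ASCII) so binary payload stays readable.
sub hexdump {
    my ($data) = @_; my $out = '';
    for (my $off = 0; $off < length($data); $off += 16) {
        my $chunk = substr($data, $off, 16);
        (my $asc = $chunk) =~ s/[^\x20-\x7e]/./g;
        $out .= sprintf("\t0x%04x:  %-40s %s\n", $off, join(' ', unpack('(H4)*', $chunk)), $asc);
    }
    return $out;
}

# One tcpdump-style line per packet; the remaining fields stay available in the hash.
sub summary {
    my ($p) = @_;
    return "[$p->{note}]" unless defined $p->{data};
    return sprintf('%s.%d > %s.%d [%s] seq %u ack %u win %d ttl %d id %d ipcksum %s tcpcksum %s opts [%s]%s',
        @{$p}{qw(ip_src tcp_sport ip_dst tcp_dport tcp_flags tcp_seq tcp_ack tcp_win ip_ttl ip_id)},
        ($p->{ip_cksum_ok} ? 'ok' : 'BAD'), ($p->{tcp_cksum_ok} ? 'ok' : 'BAD'), $p->{tcp_opts},
        ($p->{truncated} ? ' TRUNCATED: raise SNAPLEN' : ''));
}

# Stand-alone run on the constructed frame (fixed, made-up timestamp). Under Net::PcapUtils::loop
# the callback receives ($user, $hdr, $pkt): decode $pkt the same way and build the timestamp
# from $hdr->{tv_sec} and $hdr->{tv_usec}.
my $p = decode_frame($FRAME);
print '12:00:00.000000 ', summary($p), "\n";
print hexdump($p->{data}) if defined $p->{data};
```

The hex dump is what turns the raw binary that the posted sniffer prints into readable output, and verifying both checksums is a cheap sanity check that the offsets are right before trusting any field. The NetPacket objects used in the thread carry the same information as keys (NetPacket::TCP has seqnum, acknum, flags, options and data; NetPacket::IP has ttl, id, flags, foffset and options), so the same printing can be done on top of them; what cannot be recovered after the fact is payload the capture never saw, which is why SNAPLEN has to be raised in the loop() call rather than in the decoder.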
 