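#!/usr/bin/perl -w
# ---------------------------------------------------------
# testapp.pl (v 0.2): captures and dumps packets;
# based on Loris Degioanni's TestApp program in C
# (see the Packet Capture Driver Developer's Pack).
# This simple example shows how to capture raw packets
# from the network using Win32::NetPacket, decode the
# Ethernet/IPv4/TCP/UDP/ICMP headers, and append the packets
# whose source IP matches a rule in rules.txt to logfile.txt.
# This program is free software; you can redistribute it
# and/or modify it under the same terms as Perl itself.
# (c) 2003-2006 J-L Morel jlmorel@cpan.org
# ---------------------------------------------------------
use warnings;
use strict;
use Win32::Console::ANSI;
use Win32::NetPacket qw/ :ndis GetAdapterNames /;
use Term::ReadKey;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP qw(:strip);
use NetPacket::TCP;
use NetPacket::UDP;
use NetPacket::ICMP;

$|++;

use constant SizeOfInt      => 4;         # packet records in the kernel buffer are word aligned
use constant BPF_HDR_SIZE   => 18;        # bytes consumed by the 'llIIS' record header unpacked below
use constant ETHERTYPE_IPV4 => 0x0800;    # only IPv4 frames are decoded past the Ethernet header

my $RULES_FILE = 'rules.txt';      # one "SrcOrDest,name,value" rule per line
my $LOG_FILE   = 'logfile.txt';    # packets matching a rule are appended here

# IP protocol number -> name for the "Protocol:" line.
my %PROTO_NAME = ( 1 => 'ICMP', 6 => 'TCP', 17 => 'UDP', 34 => '3PC' );

# TCP flag names by bit position (bit 0 = FIN ... bit 7 = CWR).
my @TCP_FLAG_NAME = qw(FIN SYN RST PSH ACK URG ECE CWR);

# ICMP *type* -> name.  The original switched on {code} with these
# values, but 0/3/5/8/11 are ICMP types (code is the sub-type within a
# type), so the lookup is keyed on {type}.
my %ICMP_TYPE_NAME = (
    0  => 'Echo Reply',
    3  => 'Destination Unreachable',
    5  => 'Redirect',
    8  => 'Echo Request',
    11 => 'Time Exceeded',
);

# ---- select the adapter
my %desc;
my @adpts = GetAdapterNames( \%desc );
@adpts > 0 or die "No adapter installed !\n";

my $choice = 1;
if ( @adpts > 1 ) {
    print "Adapters installed:\n\n";
    my $n = 1;
    print $n++, " - $desc{$_}\n $_\n" foreach @adpts;
    while (1) {
        print "\nSelect the number of the adapter to open : ";
        my $answer = <STDIN>;
        defined $answer or die "\nNo adapter selected.\n";    # EOF on stdin
        chomp $answer;
        # accept only an integer in 1..@adpts; anything else re-prompts
        if ( $answer =~ /^\d+$/ and $answer >= 1 and $answer <= @adpts ) {
            $choice = $answer;
            last;
        }
    }
}

# ---- open the selected adapter
my $nic = Win32::NetPacket->new(
    adapter_name       => $adpts[ $choice - 1 ],
    driver_buffer_size => 512 * 1024,    # 512 kbytes kernel buffer
    read_timeout       => 1000,          # 1s timeout
) or die $@;
# Promiscuous mode: every frame seen on the wire is delivered,
# not only those addressed to this host.
$nic->SetHwFilter(NDIS_PACKET_TYPE_PROMISCUOUS);

# ---- print infos
my ( $name, $description, $type, $speed, $ip, $mask, $mac ) = $nic->GetInfo();
$description ||= $desc{$name};
$ip          ||= '?.?.?.?';
$mask        ||= '?.?.?.?';
$mac = join '-', unpack 'A2' x 6, $mac;
print "Listening $name\n($description)\nMAC: $mac IP: $ip Mask: $mask\n";
print "** press a key to terminate\n";

# ---- load the rules once and open the log once
# (the original re-read rules.txt and re-opened logfile.txt for every
# captured packet, with a bareword handle and a 2-arg open)
my @rules = load_rules($RULES_FILE);
open my $log_fh, '>>', $LOG_FILE
    or die "Cannot open $LOG_FILE for append: $!\n";

# ---- set user's buffer
my $Buff;
$nic->SetUserBuffer( $Buff, 128 * 1024 );

# ---- main capture loop
while ( !ReadKey(-1) ) {    # any key terminates
    my $bytes_received = $nic->ReceivePacket();    # fill the user buffer
    printPackets( \$Buff, $bytes_received, \@rules, $log_fh );
}

# buffered write errors only surface at close
close $log_fh or warn "close $LOG_FILE: $!\n";
printf "\n\n%d packets received,\n%d packets lost.\n", $nic->GetStats;

# ------ load_rules( $path )
# Reads the rule file and returns a list of { side, name, value }
# hashes, one per "SrcOrDest,name,value" line.  Blank lines, lines
# starting with '#' and lines with fewer than three fields are skipped
# (the latter with a warning).  Dies if the file cannot be opened:
# silently running with zero rules would log nothing and look healthy.
sub load_rules {
    my ($path) = @_;
    open my $fh, '<', $path or die "Cannot open rules file $path: $!\n";
    my @rules;
    while ( my $line = <$fh> ) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' or $line =~ /^#/;
        my ( $side, $rule_name, $value ) = split /\s*,\s*/, $line, 3;
        if ( !defined $value or $value eq '' ) {
            warn "$path line $.: expected 'SrcOrDest,name,value', skipping\n";
            next;
        }
        push @rules, { side => $side, name => $rule_name, value => $value };
    }
    close $fh;
    return @rules;
}

# ------ rule_for_packet( $ip_obj, \@rules )
# Returns the first rule whose value equals the packet's source IP
# (string compare of dotted quads), or undef when none matches.
# NOTE(review): the first rule field (SrcOrDest) is parsed and carried
# but not consulted, exactly as in the original which compared src_ip
# only.  TODO: define which token selects dest_ip and honour it here.
sub rule_for_packet {
    my ( $ip_obj, $rules ) = @_;
    for my $rule (@$rules) {
        return $rule if $ip_obj->{src_ip} eq $rule->{value};
    }
    return;
}

# ------ printable( $bytes )
# Replaces every byte outside printable ASCII (0x20-0x7e) with '.'.
# Packet payload is attacker-controlled: written raw it could inject
# ANSI escape sequences into the console (Win32::Console::ANSI
# interprets them) or CR/LF into the log file to forge log lines.
sub printable {
    my ($bytes) = @_;
    my $clean = defined $bytes ? $bytes : '';
    $clean =~ s/[^\x20-\x7e]/./g;
    return $clean;
}

# ------ tcp_flag_string( $flags )
# Names every set bit of the TCP flags byte, lowest bit first, joined
# by '/'.  The original only recognised single flags and ACK/PSH, so a
# SYN/ACK (18) or FIN/ACK (17) was reported as "Undefined".
sub tcp_flag_string {
    my ($flags) = @_;
    my @set = map { $TCP_FLAG_NAME[$_] }
        grep { $flags & ( 1 << $_ ) } 0 .. $#TCP_FLAG_NAME;
    return @set ? join( '/', @set ) : '(none)';
}

# ------ describe_packet( $frame )
# Decodes one captured frame and returns ( $text, $ip_obj ): a
# multi-line description (Ethernet addresses, IPv4 addresses, protocol
# and transport header) and the decoded NetPacket::IP object, or undef
# for the latter when the frame is not IPv4.  The link layer is assumed
# to be Ethernet, as in the original; non-IPv4 ethertypes (ARP, IPv6,
# ...) are reported instead of being decoded as if they were IP.
sub describe_packet {
    my ($frame) = @_;
    if ( length($frame) < 14 ) {
        return ( "\nShort frame (" . length($frame) . " bytes), skipped\n", undef );
    }
    my $eth  = NetPacket::Ethernet->decode($frame);
    my $text = sprintf "\nSource Mac: %s\nDest. Mac: %s\n", $eth->{src_mac}, $eth->{dest_mac};
    if ( $eth->{type} != ETHERTYPE_IPV4 ) {
        return ( $text . sprintf( "Not IPv4 (ethertype 0x%04x), skipped\n", $eth->{type} ), undef );
    }

    my $ip_obj = NetPacket::IP->decode( eth_strip($frame) );
    my $proto  = $ip_obj->{proto};
    $text .= "Destination IP: $ip_obj->{dest_ip}\n";
    $text .= "Source IP: $ip_obj->{src_ip}\n";
    $text .= 'Protocol: ' . ( exists $PROTO_NAME{$proto} ? $PROTO_NAME{$proto} : $proto ) . "\n";

    my $transport = ip_strip( eth_strip($frame) );
    if ( $proto == 6 ) {
        my $tcp = NetPacket::TCP->decode($transport);
        $text .= "TCP\n";
        $text .= "Destination Port: $tcp->{dest_port}\n";
        $text .= "Source Port: $tcp->{src_port}\n";
        $text .= 'Flags: ' . tcp_flag_string( $tcp->{flags} ) . "\n";
        $text .= 'Data: ' . printable( $tcp->{data} ) . "\n";
    }
    elsif ( $proto == 17 ) {
        my $udp = NetPacket::UDP->decode($transport);
        $text .= "UDP\n";
        $text .= "Destination Port: $udp->{dest_port}\n";
        $text .= "Source Port: $udp->{src_port}\n";
        $text .= 'Data: ' . printable( $udp->{data} ) . "\n";
    }
    elsif ( $proto == 1 ) {
        my $icmp      = NetPacket::ICMP->decode($transport);
        my $icmp_type = $icmp->{type};
        $text .= "ICMP\n";
        $text .= ( exists $ICMP_TYPE_NAME{$icmp_type} ? $ICMP_TYPE_NAME{$icmp_type} : ' Undefined' ) . "\n";
    }
    else {
        $text .= "$proto Undefined\n";
    }
    return ( $text, $ip_obj );
}

# ------ printPackets( \$buff, $bytes_received, \@rules, $log_fh )
# Walks the packet records that ReceivePacket() left in the user
# buffer.  Each record is an 18-byte header (tv_sec, tv_usec, caplen,
# datalen, hdrlen) followed by caplen bytes of frame, padded to a
# SizeOfInt boundary.  Every packet is printed to the console; those
# matching a rule are also appended to the log with the kernel capture
# timestamp and the rule name.
sub printPackets {
    my ( $buff_ref, $bytes_received, $rules, $log_fh ) = @_;
    my $offset = 0;
    while ( $offset + BPF_HDR_SIZE <= $bytes_received ) {
        my ( $tv_sec, $tv_usec, $caplen, $datalen, $hdrlen ) =
            unpack 'llIIS', substr $$buff_ref, $offset, BPF_HDR_SIZE;
        my $frame_start = $offset + $hdrlen;
        if ( $hdrlen < BPF_HDR_SIZE or $frame_start + $caplen > $bytes_received ) {
            # A record claiming more bytes than the buffer holds is
            # corrupt; stop rather than decode the next record as payload.
            warn "truncated packet record at offset $offset, skipping rest of buffer\n";
            last;
        }
        # Only caplen bytes were captured (datalen is the on-wire length
        # and the offset below advances by caplen).  The original took
        # datalen bytes, which spills into the following record whenever
        # a frame was truncated by the snapshot length.
        my $frame = substr $$buff_ref, $frame_start, $caplen;

        my ( $text, $ip_obj ) = describe_packet($frame);
        print $text;

        if ( $ip_obj and my $rule = rule_for_packet( $ip_obj, $rules ) ) {
            my $stamp = sprintf "%s.%06d", scalar localtime($tv_sec), $tv_usec;
            print {$log_fh} "\nTimestamp: $stamp\nRule: $rule->{name}\n$text";
        }

        # Packet word alignment: next record starts at the next
        # SizeOfInt boundary after the captured frame.
        $offset = ( $frame_start + $caplen + ( SizeOfInt - 1 ) ) & ~( SizeOfInt - 1 );
    }
    return;
}
###########################################################################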