Packet parsing with Net::Frame::Layer::ETH

highland7 has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

What library do you use for TCP packets creating and reading (from tcpdump file) ?
I started to use Net::Frame::Layer but can not achieve a lot with that.
Example, reading packet from pcap file:

my $oDump = Net::Frame::Dump::Offline->new(
    file          => $SOURCE_PCAP_FILE,
    filter        => '',
    isRunning     => 0,
    keepTimestamp => 0,
);
$oDump->start;

my $count = 0;
while (my $h = $oDump->next) {
    my $f = Net::Frame::Simple->new(
    raw        => $h->{raw},
    firstLayer => $h->{firstLayer},
    timestamp  => $h->{timestamp},
    );
    #right now can display packet using $f->print, but i   want to par
+se it to read eth address so tried this:
    my $ethlayer = Net::Frame::Layer::ETH->new(raw => $h->{raw});
    print "print mac: ".$ethlayer->print;
    #but even this fail.


}
[download]

How to read that packet ethernet source and destination address ?

Thanks

Comment on Packet parsing with Net::Frame::Layer::ETH Download Code

Replies are listed 'Best First'.
Re: Packet parsing with Net::Frame::Layer::ETH by NetWallah (Canon) on Jan 14, 2013 at 03:31 UTC
Here is a snippet of some 10-year old code I wrote, that uses Net::Pcap and NetPacket::Ethernet : use strict; use English; use Net::Pcap; use NetPacket::Ethernet qw(:types); ... use Data::HexDump; my %pcap_parameters = ( SNAPLEN => 124, # Num bytes to capture from packet PROMISCUOUS_MODE => 1, # Operate in promiscuous mode? TIMEOUT => 1000, # Read timeout (ms) NUMPACKETS => 500, # Pkts to read (-1 = loop forever) #FILTER => 'ip proto \icmp', # Filter string FILTER => 'arp or udp dst port 161', # Filter string USERDATA => '', # Passed as first arg to callback fn SAVEFILE => '', # Default save file # Items below are RETURNED values from PCap calls. # Do not attempt to change them in the declaration. FILTER_HANDLE => 0, # Reference to compiled filter NETWORK_INTERFACE => 'intel',# Network interface to open NETWORK_ADDR =>0, # Network Address (32 bit number) NETWORK_MASK =>0, # Mask (32-bit number) mode => '', # Internal variable ); # Partial list from http://www.iana.org/assignments/ethernet-numbers my %Ethernet_Type_Name = ( (ETH_TYPE_IP) =>{NAME=>'IP', DECODER => \&Decode_IP} +, (ETH_TYPE_ARP) =>{NAME=>'ARP', DECODER => \&Decode_AR +P}, (ETH_TYPE_APPLETALK) =>{NAME=>'APPLETALK', DECODER => 0}, ... $pcap_desc = Net::Pcap::open_live($pcap_parameters{NETWORK_INTERFACE +}, $pcap_parameters{SNAPLEN}, $pcap_parameters{PROMISCUOUS_MODE}, $pcap_parameters{TIMEOUT}, \$err) or die("Net::Pcap::open_live returned error $err\n"); ... my $count = 0; Net::Pcap::loop($pcap_desc, $pcap_parameters{NUMPACKETS}, \&process_pk +t, "abc"); ... sub process_pkt { my($user, $hdr, $pkt) = @_; ..... my ($sec,$min,$hour) =localtime($hdr->{tv_sec}); my $len= $hdr->{len}; my $buf; #print("RcvPkt Totlen(PacketLen) $hdr->{len}($hdr->{caplen})" . # "\t Time.Usec=$hour:$min:$sec.$hdr->{tv_usec}\n"); my $eth_obj = NetPacket::Ethernet->decode($pkt); #print("$eth_obj->{src_mac}:$eth_obj->{dest_mac} " . # "$Ethernet_Type_Name{$eth_obj->{type}} \n"); $buf = sprintf("%02d:%02d:%02d.%03d[%4d] ", $hour,$min,$sec, $hdr->{tv_usec} / 1000,$hdr->{len}); # Call the appropriate decoder, depending on pkt type if (&Dispach_Decoder_If_Any(\%Ethernet_Type_Name, $eth_obj->{type} +, $eth_obj,\$buf)){ # Decoder call failed.. $buf .= "Ether " . $eth_obj->{src_mac} . "-> $eth_obj->{dest_mac} " . &get_TypeName(\%Ethernet_Type_Name,$eth_obj->{type}) ; ... } [download] I'm happy to share the entire code ( < 500 lines) - /msg me with your email address. Most people believe that if it ain't broke, don't fix it. Engineers believe that if it ain't broke, it doesn't have enough features yet.	[reply] [d/l]
Re^2: Packet parsing with Net::Frame::Layer::ETH by highland7 (Novice) on Jan 14, 2013 at 06:52 UTC
Thanks, used NetPacket::Ethernet from your example and with this library everything is fine :)	[reply]
Re: Packet parsing with Net::Frame::Layer::ETH by VinsWorldcom (Prior) on Jan 14, 2013 at 13:14 UTC
It's pretty easy: `print $ethlayer->dst; print $ethlayer->src;` [download] I use the Net::Frame library and it is by far the best (IMHO) packet library. I got Net::Pcap running on Windows (Re: Net::Pcap installation help (and not with the library)) and was able to write a packet crafting shell for Windows: http://www.vinsworld.com/software/ppc.html http://www.vinsworld.com/software/ppc.zip	[reply] [d/l]
Re: Packet parsing with Net::Frame::Layer::ETH by zwon (Abbot) on Jan 14, 2013 at 01:31 UTC
What is the value of `$h->{firstLayer}`? What is the output of `$f->print`? How does `$ethlayer->print` fail?	[reply] [d/l] [select]