in reply to simple perl sniffer

I recommend checking out Net::Pcap, Net::PcapUtils, and the NetPacket CPAN modules. Net::Pcap is a perl interface straight into libpcap (libpcap is a packet sniffing library on which most UNIX sniffers are based; tcpdump is written using libpcap). Net::PcapUtils is a more perl-like interface to Net::Pcap that is a bit easier to use than raw Net::Pcap. The NetPacket modules provide parsing for a few (but the most common) layer 2, 3, and 4 protocols (ICMP, IP, TCP, UDP, ARP, Ethernet, etc.). With these tools you can put together custom sniffer utilities very quickly.

Here's a simple example of a script that sniffs an ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet's contents:

#!/usr/bin/perl -w
use strict;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Data::HexDump;

# Packet counter; declared before loop() so the callback sees it initialised.
my $i = 0;

# Capture only IP traffic to/from the host of interest.
Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip host 192.168.1.252');

# Called once per captured frame.
sub process_pkt {
    my ($user_data, $hdr, $pkt) = @_;
    my $eth = NetPacket::Ethernet->decode($pkt);
    if ($eth->{type} == 2048) {        # 0x0800: IPv4
        my $ip = NetPacket::IP->decode($eth->{data});
        if ($ip->{proto} == 6) {       # IP protocol 6: TCP
            my $tcp = NetPacket::TCP->decode($ip->{data});
            print "\n\n$i $ip->{src_ip}($tcp->{src_port}) -> $ip->{dest_ip}($tcp->{dest_port})\n";
            print HexDump($ip->{data});   # TCP header plus payload
            $i++;
        }
    }
}

RE: RE: simple perl sniffer
by Anonymous Monk on May 09, 2000 at 21:43 UTC
    Thanks a bunch for the pointers and sample code. I just happened to have the same question (sniffing in perl), and your post has jump started my efforts.
RE: RE: simple perl sniffer
by marcos (Scribe) on May 09, 2000 at 19:45 UTC
    Thank you for your suggestion. Unfortunately I think I can't use the modules you mentioned under NT: there's no libpcap under NT. Once again I think that I have to install also Linux on my laptop. As soon as I have Linux up and running I will surely try these modules and build my own simple sniffer in perl :)

    thank you
    marcos
      Just a quick post for posterity - The Pcap library can be obtained in source and binary forms from http://winpcap.polito.it/ and is quite mature in nature.

      I have worked with some Packet Capturing libraries for NT, but none of which have a Perl interface. If you want to write a sniffer-like tool for NT I'm afraid you're stuck using C, C++ or something similar.
Re^2: simple perl sniffer
by Anonymous Monk on Jan 24, 2006 at 14:48 UTC
    Hello! I tested the script and it works fine for me. Does someone know how I can decode the hex of the packet?

    15 10.8.4.19(33373) -> 10.10.0.28(6667)
              00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F  0123456789ABCDEF

    00000000  82 5D 1A 0B C9 12 24 11 - 46 3E F8 5D 80 10 65 D0  .]....$.F>.]..e.
    00000010  AC 3D 00 00 01 01 08 0A - 00 5E 08 95 DD 5D 9D F5  .=.......^...]..

    That is one of the packets, and it is not encrypted ... but I don't know how to decode it ...
    Thanks

    Code tags added by GrandFather

      Check out Net::Packet. It has parsers for certain protocols above layer 3. If not, you may have to write your own parser, or figure out a way to pass the captured data off to a program like Ethereal that has more advanced parsing capability for the upper levels of the protocol stack.

      L
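Added example, not part of any post in this thread: the 32 bytes in the dump above are the TCP segment the script prints as $ip->{data}, and decoding them with core Perl unpack shows a TCP header with options and no application payload. The helper name parse_tcp is hypothetical; the bytes are copied from the posted dump.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 32 bytes of $ip->{data} from the hex dump posted in the thread above.
my $segment = pack 'H*', join '', qw(
    825D1A0BC9122411 463EF85D801065D0
    AC3D00000101080A 005E0895DD5D9DF5
);

# parse_tcp is a hypothetical helper: split a raw TCP segment into header
# fields, options and payload using only core pack/unpack.
sub parse_tcp {
    my ($raw) = @_;
    die "segment shorter than a TCP header\n" if length($raw) < 20;
    my ($sport, $dport, $seq, $ack, $off_flags, $win)
        = unpack 'n n N N n n', $raw;
    my $hlen = ($off_flags >> 12) * 4;    # data offset counts 32-bit words
    die "bad data offset\n" if $hlen < 20 || $hlen > length($raw);

    my @names = qw(FIN SYN RST PSH ACK URG);
    my @flags = map { $names[$_] } grep { $off_flags & (1 << $_) } 0 .. $#names;

    my $opts = substr($raw, 20, $hlen - 20);
    my @options;
    my $i = 0;
    while ($i < length($opts)) {
        my $kind = ord(substr($opts, $i, 1));
        last if $kind == 0;                               # end of option list
        if ($kind == 1) { push @options, 'NOP'; $i++; next }
        die "truncated TCP option\n" if $i + 2 > length($opts);
        my $len = ord(substr($opts, $i + 1, 1));
        die "bad TCP option length\n" if $len < 2 || $i + $len > length($opts);
        my $body = substr($opts, $i + 2, $len - 2);
        push @options, ($kind == 8 && $len == 10)
            ? sprintf('TS(val=%u,ecr=%u)', unpack('N N', $body))
            : "kind=$kind,len=$len";
        $i += $len;
    }
    return { sport => $sport, dport => $dport, seq => $seq, ack => $ack,
             win => $win, hlen => $hlen, flags => \@flags,
             options => \@options, payload => substr($raw, $hlen) };
}

my $t = parse_tcp($segment);
printf "%d -> %d seq=%u ack=%u win=%u flags=%s\n",
    @$t{qw(sport dport seq ack win)}, join(',', @{ $t->{flags} });
printf "options: %s\n", join(' ', @{ $t->{options} });
printf "header %d bytes, payload %d bytes\n", $t->{hlen}, length($t->{payload});
```

In the script at the top of the thread, NetPacket::TCP exposes the same split: `$tcp->{data}` holds only the payload, while `$ip->{data}` is the TCP header followed by the payload.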

Re^2: simple perl sniffer
by Anonymous Monk on May 29, 2012 at 00:36 UTC
    Hi, I am designing a sniffer in Perl. Will it be possible to put an interface in another language?