Ah thanks very much for the help Khen. I played a little with pcapdump. Seems similar to tcpdump and I'd been using that. So, the situation I'm in is that I already have a large number of dump files from a large network and I want to do some analysis on them (as opposed to capturing new data with something like pcapdump).

Whilst I have managed to script some stuff to extract individual packet information (headers+payload) from pcap files:

use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::IP qw(:strip :protos);   # :protos gives IP_PROTO_TCP
use NetPacket::TCP qw(:strip);

my $log = Net::TcpDumpLog->new();
$log->read($ARGV[0]);                   # pcap file named on the command line
my @Indexes = $log->indexes;

print("Index,IP SRC,IP DST,IP LENGTH,IP TOS,IP TTL,IP Offset,TCP ACK,TCP flags,TCP Winsize,TCP Chksum,TCP URG\n");

foreach my $index (@Indexes) {
    # pcap record header: original length, captured length, drops, timestamp
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);

    # peel off the 14-byte Ethernet header by hand: dst MAC, src MAC, ethertype, payload
    my ($ether_dest, $ether_src, $ether_type, $ether_data) = unpack('H12H12H4a*', $data);

    my $ip_obj = NetPacket::IP->decode($ether_data);
    next unless $ip_obj->{proto} == IP_PROTO_TCP;   # skip UDP/ICMP etc. rather than mis-decode them
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});

    print("$index,$ip_obj->{src_ip},$ip_obj->{dest_ip},$ip_obj->{len},$ip_obj->{tos},$ip_obj->{ttl},$ip_obj->{foffset},$tcp_obj->{acknum},$tcp_obj->{flags},$tcp_obj->{winsize},$tcp_obj->{cksum},$tcp_obj->{urg}\n");
}
...I'm struggling a bit to recreate the sessions in a nice way. I figured out with that Net::Analysis tool that the following command:
$ perl -MNet::Analysis -e main TCP,v=7 google.dump
gives the output:
= ( 0 23:28:09.091264 163.1.236.180:47262-209.85.227.99:80) *AP SEQ:4094724362 ACK:3316076611 1072b
====[23:28:09.091264] tcp session start [163.1.236.180:47262 -> 209.85.227.99:80]
==[23:28:09.091264] [Mono from 163.1.236.180:47262] 0.000000s, 1pkts, 1072b
= ( 1 23:28:09.119041 209.85.227.99:80-163.1.236.180:47262) *A SEQ:3316076611 ACK:4094725434 1368b
= ( 2 23:28:09.119097 163.1.236.180:47262-209.85.227.99:80) _A
[......]
====[--:--:--.------] tcp session end [163.1.236.180:47263-209.85.227.99:80]
i.e. it's reconstructing sessions as well as monologues within each session and listing each packet. Now what I really want to do is to figure out how to 'code' the above command such that I can tweak it. Instead of outputting each packet to the console, for example, I'd like to insert it into a database. Also I'd like additional header information.

The kludge approach I'm about to take is to dump the whole output to a file and then parse it with another script, and then try to match each packet in the Net::Analysis output to each packet in my above script's output. Not so ideal...

Thanks and sorry for rambling!
-N
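As an added example (not narcos's code, and not part of Net::Analysis itself), here is what the `-e main TCP,v=7` run looks like when driven from a script: a listener subclass receives the same tcp_session_start and tcp_monologue events the v=7 output prints, and writes them to SQLite through DBI instead of the console. The package name PcapToDB, the SQLite schema, and the TCPMonologue accessor names (t_start, t_elapsed, n_packets, length, data) are assumptions; the event names, the $args keys and the dispatcher/event-loop calls follow the Net::Analysis listener documentation.

```perl
# PcapToDB (hypothetical package name): a Net::Analysis listener that writes
# reconstructed TCP sessions and monologues into SQLite instead of printing.
package PcapToDB;
use strict; use warnings;
use DBI;
use base 'Net::Analysis::Listener::Base';
# Assumed (per Listener::Base docs): new(dispatcher => $d, config => {...})
# registers the listener with the dispatcher and keeps config in $self->{config}.
sub new {
    my ($class, %args) = @_;
    my $self = $class->SUPER::new(%args);
    my $file = $self->{config}{db} || 'sessions.db';
    $self->{dbh} = DBI->connect("dbi:SQLite:dbname=$file", '', '',
                                { RaiseError => 1, AutoCommit => 0 });
    $self->{dbh}->do(q{CREATE TABLE IF NOT EXISTS session (key TEXT PRIMARY KEY)});
    $self->{dbh}->do(q{CREATE TABLE IF NOT EXISTS monologue
        (key TEXT, t_start REAL, t_elapsed REAL, n_packets INTEGER,
         length INTEGER, data BLOB)});
    return $self;
}
# The dispatcher calls a method named after each event with ($self, $args);
# $args->{socketpair_key} is the "ip:port-ip:port" string seen in the v=7 output.
sub tcp_session_start {
    my ($self, $args) = @_;
    $self->{dbh}->do('INSERT OR IGNORE INTO session VALUES (?)',
                     undef, $args->{socketpair_key});
}
# One row per monologue; t_start/t_elapsed/n_packets/length/data are the
# TCPMonologue accessors assumed here (they match the fields printed at v=7).
sub tcp_monologue {
    my ($self, $args) = @_;
    my $m = $args->{monologue};
    my $t = $m->t_start;                        # assumed [secs, usecs] or float
    $t = $t->[0] + $t->[1] / 1e6 if ref $t eq 'ARRAY';
    $self->{dbh}->do('INSERT INTO monologue VALUES (?,?,?,?,?,?)', undef,
        $args->{socketpair_key}, $t, $m->t_elapsed, $m->n_packets,
        $m->length, $m->data);
}

package main;
use Net::Analysis::Dispatcher;
use Net::Analysis::EventLoop;
use Net::Analysis::Listener::TCP;               # emits the tcp_* events
my $d = Net::Analysis::Dispatcher->new();
Net::Analysis::Listener::TCP->new(dispatcher => $d);
my $sink = PcapToDB->new(dispatcher => $d, config => { db => 'sessions.db' });
Net::Analysis::EventLoop->new(dispatcher => $d)->loop_file(filename => $ARGV[0]);
$sink->{dbh}->commit;                           # one transaction for the whole file
```

Extra per-packet header fields can be added the same way by implementing tcp_packet and reading $args->{pkt}, which avoids the second script and the packet-matching step entirely.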


In reply to Re^2: TCP session recreation from pcap files by narcos
in thread TCP session recreation from pcap files by narcos
