comment on

This is a simple IDS that I'm building for a class. Right now it captures packets fine and whenever it captures a packet it compares it to the lines in the data.txt file. When an IP matching one in the data.txt file is captured, it writes a message to the logfile.txt. Then Ports are compared to data2.txt file and when they match, it is also written to the same logfile.txt. Which would be fine but my teacher wants to use split in order to compare IPs and Ports from the same data.txt file.

data.txt is just a list of IPs and data2.txt is just a list of port numbers. In the end I need to make use of a single data file.

She told us to make the data file look something like this.

i,s, {ip address you want to match here without the brackets}
i,d, {domain name of the ip}
p,s, {port number}
[download]

"i" stands for IP, and "s" stands for Source, so the source IP would be matched to this line. "i" in the second line is also for IP but the "d" is for the domain name which is just to print in the logfile what domain IP was found.

My classmates tried to explain to me how to use split to tell the program which line of the data file needs to be compared to what part in the packets I capture. I even got help on here before with the split but I still don't quite understand it.

#!/usr/bin/perl -w
# ---------------------------------------------------------
# testapp.pl (v 0.2): captures and dump packets;
# based on Loris Degioanni's TestApp program in C
# (see the Packet Capture Driver Developer's Pack).
# This simple example shows how to capture raw packets
# to the network using Win32::NetPacket.
# This program is free software; you can redistribute it
# and/or modify it under the same terms as Perl itself.
# (c) 2003-2006 J-L Morel jlmorel@cpan.org
# ---------------------------------------------------------
use diagnostics;
use strict;
use warnings;
use Win32::Console::ANSI;
use Win32::NetPacket qw/ :ndis GetAdapterNames  /;
use Term::ReadKey;

use NetPacket::Ethernet qw(:strip);
use NetPacket::IP qw(:strip);
use NetPacket::TCP;
use NetPacket::UDP;
use NetPacket::ICMP;

$|++;

use constant SizeOfInt => 4;    # for word alignment

# select the adapter
my %desc;
my @adpts = GetAdapterNames( \%desc );
@adpts > 0 or die "No adapter installed !\n";
my $i = 1;
if ( @adpts > 1 ) {
  print "Adapters installed:\n\n";
  print $i++, " - $desc{$_}\n    $_\n" foreach @adpts;
  do {
    print "\nSelect the number of the adapter to open : ";
    $i = <STDIN>;
    chomp $i;
  } until ( $i =~ /^(\d)+$/ and 0 < $i and $i <= @adpts );
}

# open the selected adapter
my $nic = Win32::NetPacket->new(
  adapter_name       => $adpts[ $i - 1 ],
  driver_buffer_size => 512 * 1024,         # 512 kbytes kernel buffer
  read_timeout       => 1000,               # 1s timeout
) or die $@;

$nic->SetHwFilter(NDIS_PACKET_TYPE_PROMISCUOUS); # set nic in promiscu
+ous mode

# print infos
my ( $name, $description, $type, $speed, $ip, $mask, $mac ) = $nic->Ge
+tInfo();
$description ||= $desc{$name};
$ip          ||= '?.?.?.?';
$mask        ||= '?.?.?.?';
$mac = join '-', unpack 'A2' x 6, $mac;
print "Listening $name\n($description)\nMAC: $mac IP: $ip Mask: $mask\
+n";
print "** press [enter] to terminate\n";

# set user's buffer
my $Buff;
$nic->SetUserBuffer( $Buff, 128 * 1024 );

# main capture loop
my $BytesReceived;
while ( !ReadKey(-1) ) {    # press (enter) to terminate
  $BytesReceived = $nic->ReceivePacket();    # capture the packets
  printPackets();                            # print the packets
}

printf "\n\n%d packets received,\n%d packets lost.\n", $nic->GetStats;

# ------ printPackets routine

sub printPackets {
  my $nic    = shift;
  my $offset = 0;
  while ( $offset < $BytesReceived ) {
    my ( $tv_sec, $tv_usec, $caplen, $datalen, $hdrlen ) = unpack 'llI
+IS',
      substr $Buff, $offset;
   
    $offset += $hdrlen;
    my $data = substr $Buff, $offset, $datalen;    # extract the datag
+ram
    my $i = 0;
my $eth_obj = NetPacket::Ethernet->decode($data);
     print "\nSource Mac: ", $eth_obj->{src_mac},"\n", "Dest. Mac: ", 
+$eth_obj->{dest_mac};
     my $ip_obj=NetPacket::IP->decode(eth_strip($data));
               print "\nDestination IP: ", $ip_obj->{dest_ip}, "\n";
               print "Source IP: ", $ip_obj->{src_ip}, "\n";
         
if($ip_obj->{proto}==6){
    print "Protocol: TCP\n";}

elsif($ip_obj->{proto}==1){
    print "Protocol: ICMP\n";}
elsif($ip_obj->{proto}==17){
    print "Protocol: UDP\n";}
elsif($ip_obj->{proto}==34){
    print "Protocol: 3PC\n";}

else{
    print "Protocol: $ip_obj->{proto}";}

my @iparray;
open READINGFILE, "data.txt" or die $!;
open LOGFILE, ">>logfile.txt" or die $!;
while(<READINGFILE>)
{
    push (@iparray, $_);
}
close (READINGFILE) or die $!;

foreach (@iparray)
{
    chomp;
    if($ip_obj->{src_ip} eq $_)
    {
        print LOGFILE "Google's IP has been found\n";
    }
}



my @portarray;
open READINGFILE2, "data2.txt" or die $!;

while(<READINGFILE2>)
{
    push (@portarray, $_);
}
close (READINGFILE2) or die $!;

my $tcp_obj=NetPacket::TCP->decode(ip_strip(eth_strip($data)));
foreach (@portarray)
{
    chomp;
    
    if($tcp_obj->{dest_port} eq $_)
    {
        print LOGFILE "Port number has been found\n";
    }
}

close (LOGFILE) or die $!;


###########


     if ($ip_obj->{proto} == 6)
       {print "TCP\n";


       
 print "Destination Port: ", $tcp_obj->{dest_port}, "\n";
          print "Source Port: ", $tcp_obj->{src_port}, "\n";
          print "Flags: ";



    
        

          #---------------------Flags if/statement
          if($tcp_obj->{flags} == 1)
          {print "FIN\n";}

          elsif($tcp_obj->{flags} == 2)
          {print "SYN\n";}

          elsif($tcp_obj->{flags} == 4)
          {print "RST\n";}

          elsif($tcp_obj->{flags} == 8)
          {print "PSH\n";}

          elsif($tcp_obj->{flags} == 16)
          {print "ACK\n";}

          elsif($tcp_obj->{flags} == 32)
          {print "URG\n";}

          elsif($tcp_obj->{flags} == 64)
          {print "ECE\n";}

          elsif($tcp_obj->{flags} == 128)
          {print "CWR\n";}

          elsif($tcp_obj->{flags} == 24)
          {print "ACK/PSH\n";}

          else
          {print " Undefined\n";}
          #--------------------End Flags if/statement


          print "Data: ", $tcp_obj->{data}, "\n";}
        
        



     #-------------------------END TCP PROTOCOL IF STATEMENTS

     #-------------------------UDP If/statement
     elsif ($ip_obj->{proto} == 17)
       { print "UDP\n";
       my $udp_obj=NetPacket::UDP->decode(ip_strip(eth_strip($data)));
+ #Decode UDP

         #---------------------Print To GUI
         print "Destination Port: ", $udp_obj->{dest_port}, "\n";
         print "Source Port: ", $udp_obj->{src_port}, "\n";
         print "Data: ", $udp_obj->{data}, "\n";}
     #--------------------------End UDP
        

    

     elsif ($ip_obj->{proto} == 1)
     {print "ICMP\n";
    my  $icmp_obj=NetPacket::ICMP->decode(ip_strip(eth_strip($data)));
+ #Decode ICMP
      #-----Take out

      #------------------------------Switch Statement
      use Switch;

       switch ($icmp_obj->{code})
       {
               case 0          {print "Echo Reply\n";}

               case 3          {print "Destination Unreachable\n";}

               case 5          {print "Redirect\n";}

               case 8          {print "Echo Request\n";}

               case 11         {print "Time Exceeded\n";}

               else            {print " Undefined\n";}
       }
       }#---------------------END OF ICMP

       else
       {print $ip_obj->{proto}, " Undefined\n";}



###############
#do same for other protocols

#    do {
 #     local $, = ' ';
  #    my $lg = substr $data, $i, 16;
   #   printf "%.8X : ", $i;
    #  $i += 16;
     # print unpack( 'H2' x 16, $lg ), '  ' x ( 16 - length $lg );
      #$lg =~ s/[\x00-\x1F\x95\xFF]/./g;
   #   print " $lg\n";
  #  } until $i >= $datalen;

  

    # Packet word alignment
    $offset
      = ( ( $offset + $caplen ) + ( SizeOfInt - 1 ) ) & ~( SizeOfInt -
+ 1 );
  }
}


######################################################################
+#####
[download]

The newest part starts at:

my @iparray;

Thank you so much in advance! I'm sorry for being so new to perl. Our professor wants us to learn it on our own which is a slow, hard process on my own.

In reply to Help Using Split and Arrays by burningredmoon

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.