Hi everyone

I'm new to Perl and modules from CPAN. Currently I'm working on a project that extracts the SNMP traps from a pcap file. I checked different modules from CPAN and I think I'm very close, but I need your help and advice with a couple of doubts. This is the code I'm using (I added several modules but I'm not using all of them; it's just for test purposes):

#!/usr/bin/perl
use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Net::Frame::Dump::Offline;
use Net::Frame::Simple;
use Net::Frame::Layer;
use Net::Frame::Layer::UDP;
use Mon::SNMP;

#
# Simple offline analysis
#
my $fParse = "/home/my_file.cap";
my $oDump  = Net::Frame::Dump::Offline->new(
    file   => $fParse,
    filter => 'udp port 162',   # pcap/BPF filter syntax; 'SNMP' is not a BPF keyword
);
$oDump->start;

my $count = 1;
while (my $h = $oDump->next) {
    my $f = Net::Frame::Simple->new(
        raw        => $h->{raw},
        firstLayer => $h->{firstLayer},
        timestamp  => $h->{timestamp},
    );
    my $len = length($h->{raw});
    print 'o Frame number: ' . $count++ . " (length: $len)\n";
    print $f->print . "\n";
}
$oDump->stop;

Basically the idea is to use Net::Frame::Dump::Offline to read the .cap file and Net::Frame::Simple to help extract the information from the layers (at least for ETH, IPv4 and UDP). My problem is that the SNMP trap is in the payload of the last UDP layer. My question is: how can I decode the payload information? I found another module called Mon::SNMP for decoding SNMP traps, but I'm not sure if this module can read the payload and decode it. If yes, how can I send the "payload" as an input to Mon::SNMP?

use strict;
use warnings;
use Mon::SNMP;

# $snmptrap holds the raw UDP payload bytes (the SNMP message itself)
sub dump_trap {
    my ($snmptrap) = @_;
    my $trap = Mon::SNMP->new;
    $trap->buffer($snmptrap);
    my %traphash = $trap->decode;
    print %traphash;
    # varbindlist is a hash reference, so it has to be dereferenced for keys()
    foreach my $oid (keys %{ $traphash{varbindlist} }) {
        my $val = $traphash{varbindlist}{$oid};
        print "oid($oid) = val($val)\n";
    }
}

This is an example of the output that I have:

o Frame number: 41 (length: 401)
ETH: dst:d8:d3:85:de:85:68 src:78:e7:d1:56:f7:a0 type:0x0800
IPv4: version:4 hlen:5 tos:0x00 length:387 id:0
IPv4: flags:0x02 offset:0 ttl:64 protocol:0x11 checksum:0xd8ee
IPv4: src:172.19.4.58 dst:172.19.4.27
UDP: src:41665 dst:162 length:367 checksum:0x9443
UDP: payload:3082016302010104066573796d6163a782015402041560ae270201000
    2010030820144301006082b0601020101030043040cd6aeed3019060a2b0601060301
    01040100060b2b060104015e07010300023028060c2b060104015e070104020102041
    84950444f4d2d312f49504e452d392f49504e4549462d31363012060c2b060104015e
    0701040201010202062f3018060c2b060104015e070104020103040807da090d0f2a2
    0013013060c2b060104015e070104020104020301e271302c060c2b060104015e0701
    04020105041c504f5254204f5220494e5445524641434520484153204641494c45443
    011060c2b060104015e070104020106020105302c060c2b060104015e070104020107
    041c506f7274206f7220696e7465726661636520686173206661696c65643012060c2
    b060104015e0701040201080202013b3011060c2b060104015e070104020109020104
    3012060c2b060104015e07010402010a02020b51

In the end my question is: how can I take the payload that I'm getting from the first part of the code and use it as the input for the SNMP module? Do you think it is possible, or what other advice can you give me, please, in order to get the SNMP information?
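As an added example, not code from the post or from the Net::Frame or Mon::SNMP modules: the bytes printed after "UDP: payload:" are the complete SNMP message in BER encoding, so they can be handed to a decoder as-is once they are available as raw bytes. Net::Frame::Simple keeps its layer objects under $f->ref, so (an assumption consistent with the printed output above) $f->ref->{UDP}->payload is the value to pass on. The payload in the post begins 30 82 01 63 02 01 01 04 06 "esymac" a7 ..., i.e. version field 1 (SNMPv2c) and PDU tag 0xa7 (SNMPv2-Trap); whether Mon::SNMP accepts that PDU type in addition to the SNMPv1 Trap-PDU (tag 0xa4) is something to check in its documentation. The script below does not depend on it: it walks the BER structure directly, handles both trap formats, and dies on a truncated element instead of reading past the end of a malformed trap. The hex payload embedded in it is copied from the post.

```perl
# Added example (not the poster's code): decode the SNMP trap that sits in the UDP payload
# Net::Frame::Simple exposes.  Handles SNMPv1 Trap-PDU (tag 0xa4) and SNMPv2c Trap-PDU
# (tag 0xa7).  Assumption: $f->ref->{UDP}->payload returns the raw bytes the post prints
# after "UDP: payload:"; that payload is embedded below so the script runs on its own.
use strict;
use warnings;

# Take one BER TLV off the front of the buffer referenced by $ref; return (tag, value).
sub take {
    my ($ref) = @_;
    die "truncated BER element\n" if length($$ref) < 2;
    my ($tag, $len, $pos) = (ord(substr($$ref, 0, 1)), ord(substr($$ref, 1, 1)), 2);
    if ($len & 0x80) {                              # long form: 0x8n, then n length bytes
        my $n = $len & 0x7f;
        $len = 0;
        $len = ($len << 8) | ord(substr($$ref, $pos++, 1)) for 1 .. $n;
    }
    die "truncated BER element\n" if $pos + $len > length($$ref);
    my $val = substr($$ref, $pos, $len);
    $$ref = substr($$ref, $pos + $len);
    return ($tag, $val);
}
sub val { (take($_[0]))[1] }                        # same, but return only the value

sub ber_int {                                       # big-endian two's-complement INTEGER
    my $n = 0;
    $n = ($n << 8) | ord($_) for split //, $_[0];
    my $bits = 8 * length($_[0]);
    $n -= (1 << $bits) if $bits && $n >= (1 << ($bits - 1));
    return $n;
}

sub ber_oid {                                       # OBJECT IDENTIFIER -> dotted string
    my ($first, @b) = map { ord($_) } split //, $_[0];
    my @arcs = (int($first / 40), $first % 40);
    my $acc = 0;
    for my $byte (@b) {                             # base-128 arcs; high bit set = more bytes follow
        $acc = ($acc << 7) | ($byte & 0x7f);
        if (!($byte & 0x80)) { push @arcs, $acc; $acc = 0 }
    }
    return join '.', @arcs;
}

sub snmp_value {                                    # render a varbind value according to its tag
    my ($tag, $v) = @_;
    return ber_int($v) if grep { $tag == $_ } 0x02, 0x41, 0x42, 0x43;   # INTEGER, Counter32, Gauge32, TimeTicks
    return ber_oid($v) if $tag == 0x06;
    return join('.', map { ord($_) } split //, $v) if $tag == 0x40;     # IpAddress
    return ($v =~ /\A[\x20-\x7e]*\z/ ? qq{"$v"} : '0x' . unpack('H*', $v)) if $tag == 0x04;   # OCTET STRING
    return sprintf('<tag 0x%02x> 0x%s', $tag, unpack('H*', $v));        # NULL, Counter64, noSuchObject, ...
}

# Decode a raw SNMPv1/v2c trap message into a hashref: header fields plus varbinds => [ [oid, value], ... ].
sub decode_trap {
    my ($msg) = @_;
    my ($tag, $body) = take(\$msg);
    die sprintf("not an SNMP message (outer tag 0x%02x)\n", $tag) unless $tag == 0x30;
    my %t = (version => ber_int(val(\$body)), community => val(\$body), varbinds => []);
    (my $pdutag, my $pdu) = take(\$body);
    $t{pdu_type} = $pdutag;
    if ($pdutag == 0xa4) {                          # v1 Trap-PDU header
        $t{enterprise} = ber_oid(val(\$pdu));
        $t{agent_addr} = join '.', map { ord($_) } split //, val(\$pdu);
        $t{$_} = ber_int(val(\$pdu)) for qw(generic_trap specific_trap timeticks);
    } elsif ($pdutag == 0xa7) {                     # v2c Trap-PDU header
        $t{$_} = ber_int(val(\$pdu)) for qw(request_id error_status error_index);
    } else {
        die sprintf("unsupported PDU tag 0x%02x\n", $pdutag);
    }
    my $list = val(\$pdu);                          # VarBindList SEQUENCE
    while (length($list)) {
        my $vb = val(\$list);                       # VarBind SEQUENCE { name, value }
        push @{ $t{varbinds} }, [ ber_oid(val(\$vb)), snmp_value(take(\$vb)) ];
    }
    return \%t;
}

# Glue for the while loop in the post: the UDP layer object carries the trap as ->payload.
sub trap_from_frame {
    my ($f) = @_;
    my $udp = $f->ref->{UDP} or return;             # not a UDP frame
    return unless $udp->dst == 162;                 # standard trap port
    return decode_trap($udp->payload);
}

# Payload copied from the "UDP: payload:" line in the post ('+' wrap markers removed).
my $POST_HEX = join '', qw(
    3082016302010104066573796d6163a782015402041560ae270201000
    2010030820144301006082b0601020101030043040cd6aeed3019060a2b0601060301
    01040100060b2b060104015e07010300023028060c2b060104015e070104020102041
    84950444f4d2d312f49504e452d392f49504e4549462d31363012060c2b060104015e
    0701040201010202062f3018060c2b060104015e070104020103040807da090d0f2a2
    0013013060c2b060104015e070104020104020301e271302c060c2b060104015e0701
    04020105041c504f5254204f5220494e5445524641434520484153204641494c45443
    011060c2b060104015e070104020106020105302c060c2b060104015e070104020107
    041c506f7274206f7220696e7465726661636520686173206661696c65643012060c2
    b060104015e0701040201080202013b3011060c2b060104015e070104020109020104
    3012060c2b060104015e07010402010a02020b51
);
my $t = decode_trap(pack 'H*', $POST_HEX);           # in the post's loop: my $t = trap_from_frame($f) or next;
printf "SNMP %s community=%s pdu=0x%02x\n", ($t->{version} ? 'v2c' : 'v1'), $t->{community}, $t->{pdu_type};
printf "  %-32s %s\n", @$_ for @{ $t->{varbinds} };
```

Run with no arguments it decodes the embedded payload (sysUpTime, snmpTrapOID and the enterprise varbinds, with the two text strings shown quoted and the DateAndTime value shown as hex). Inside the while loop from the post, `my $t = trap_from_frame($f) or next;` does the same for every frame, and a filter of `udp port 162` (BPF syntax) limits the dump to trap traffic up front. Values the renderer does not know, such as Counter64 or the v2c exception tags, fall through to the hex fallback rather than being silently dropped.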


In reply to How to parse SNMP traps from pcap file by dalbaranster