Hello monks,
Big question this is, so thanks to anyone who reads it all!
I'm trying to write a script that opens up a pre-recorded PCAP file and, depending on whether certain packets meet certain requirements, dumps them to separate pcap files.
In particular I am opening a VoIP pcap file, and the aim is then to dump all SIP, SDP and RTP packets that are from the same call into one file.
The problem comes when there are several VoIP calls in one pcap. This is because when you loop round the main VoIP pcap, you will effectively have to dump to several other pcaps, which means closing and re-opening dumps.
Further to this, while the pcap library does have an 'append to pcap' function, this hasn't been transferred to Net::Pcap, apparently with good reason.
My workaround was to perhaps store all packets into hashes, where there was a master hash with separate hashes inside labelled as 'sip callids'. The keys to the 'sip callids' hashes are just random numbers and the values are the packet and header content.
Once the entire VoIP pcap has been looped through, dump from the hashes into separate pcaps.
I should have researched further, as I'm struggling to find a way to get the hashes into pcaps. Below is the code. Does anyone care to input? Has anyone had a similar limitation with the Perl pcap library?
tl;dr: I'm assigning packets to a hash. Can I then dump the packets assigned to a hash to a pcap file?
    use strict;
    use warnings;
    use Net::Pcap qw(:functions);
    use Net::SIP::Packet;

    my %sip;   # sip hash: key = number from increase(), value = [ header, packet ]
    my $run = 1;
    my $err;

    # increase() creates a new number every time it is called, to act as a hash key
    my $counter = 0;
    sub increase { return ++$counter; }

    # Search a directory for pcap files and list all matching into the dump list array.
    # For each of those pcaps (unless it is the one with the current time in its name),
    # open it and run the 'process_packet' sub routine for each packet.
    # currentTime_short(), process_rtp() and process_sdp() belong to the full script
    # and are not shown here.
    while ($run == 1) {
        system('cls');
        my $shortTime = currentTime_short();
        my @dumpList  = glob("C:/*.pcap");
        if (@dumpList) {
            foreach my $dump (@dumpList) {
                if ($dump =~ m/$shortTime/) {
                    system('cls');
                    print "DO NOT TOUCH THIS FILE IT IS CURRENTLY BEING USED\n\n";
                    sleep(10);
                } else {
                    my $pcap = pcap_open_offline($dump, \$err)
                        or die "Can't read '$dump': $err\n";
                    pcap_loop($pcap, -1, \&process_packet, '');
                    pcap_close($pcap);
                    # call mix_packets sub routine here
                    mix_packets();
                    print "done!\n";
                    sleep(10);
                }
            }
        } else {
            print "No pcaps found. trying again in 10 seconds.\n";
            sleep(2);
        }
    }

    # If the packet has RTP in it, initiate the rtp sub; if SIP then the sip route, etc.
    # The match runs on the raw packet bytes: "sip" hits the sip: URIs of a SIP message,
    # "sdp" hits the application/sdp content type of a message carrying an SDP body.
    sub process_packet {
        my ($user_data, $header, $packet) = @_;
        if ($packet !~ m/sip/ && $packet !~ m/sdp/) {
            process_rtp(@_);
        } elsif ($packet =~ m/sip/) {
            if ($packet =~ m/sdp/) {
                process_sdp(@_);
            } else {
                process_sip(@_);
            }
        }
    }

    sub process_sip {
        my ($user_data, $header, $packet) = @_;
        # assign every SIP packet to the sip hash; a copy of the header is kept next to
        # the packet bytes, since writing the packet to a pcap later needs both
        $sip{ increase() } = [ { %$header }, $packet ];
    }

    sub mix_packets {
        my %main_hash;
        # Having previously assigned all SIP packets from the current pcap into several
        # values in the global %sip hash, we now go through each and create a 'main_hash'
        # with keys acting as hashes of hashes, named as 'callids', with all packets
        # with the same 'callid' going into that key.
        foreach my $value (values %sip) {
            # skip Ethernet (14) + IPv4 (20) + UDP (8) = 42 bytes to reach the SIP text
            my $asciidata = substr($value->[1], 42);
            my $sip_pkt   = Net::SIP::Packet->new_from_string($asciidata);
            my $callid    = $sip_pkt->get_header('call-id');
            if (exists $main_hash{$callid}) {
                print "there is a key in the main hash with this packet's callid in it\n";
            } else {
                print "there is no key in the main hash with this packet's callid in it\n";
            }
            # add to the inner hash rather than assigning a new one: assigning
            # { increase() => $value } replaced the inner hash on every packet, so
            # only the last packet of each callid survived
            $main_hash{$callid}{ increase() } = $value;
        }
        return \%main_hash;
    }
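The packets collected in a hash can be written out with pcap_dump_open/pcap_dump, one dumper per call, as long as the dumper is created while the source handle is still open (pcap_dump_open takes the link type from it), so the writing has to happen before pcap_close rather than after it. This is an added example, not code from the original post; it assumes Ethernet/IPv4/UDP framing without IP options (UDP payload at byte 42, UDP ports at bytes 34..37), a placeholder input file name, and that the port in the SDP m=audio line identifies the RTP flow of a call.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::Pcap qw(:functions);
use Net::SIP::Packet;

my $UDP_PAYLOAD = 42;   # assumption: Ethernet(14) + IPv4(20, no options) + UDP(8)
my %calls;              # call-id => [ [\%header, $packet], ... ]
my %port2id;            # RTP port announced in SDP => call-id

my $file = shift // 'calls.pcap';   # placeholder input path
my $err;
my $pcap = pcap_open_offline($file, \$err) or die "Can't read '$file': $err\n";

sub process_packet {
    my ($user, $hdr, $pkt) = @_;
    my $payload = substr($pkt, $UDP_PAYLOAD);
    if ($payload =~ m{^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3})}) {   # SIP request/response
        my $sip = eval { Net::SIP::Packet->new_from_string($payload) } or return;
        my $id  = $sip->get_header('call-id') // return;
        push @{ $calls{$id} }, [ { %$hdr }, $pkt ];   # keep header AND bytes for pcap_dump
        # remember the media port from the SDP body so RTP can be tied to this call
        $port2id{$1} = $id if $payload =~ /^m=audio (\d+)/m;
    } else {
        my ($sport, $dport) = unpack 'n n', substr($pkt, 34, 4);   # UDP src/dst ports
        my $id = $port2id{$sport} // $port2id{$dport} // return;   # unknown flow: skip
        push @{ $calls{$id} }, [ { %$hdr }, $pkt ];
    }
}

# pass 1: classify every packet into %calls; nothing is written yet
pcap_loop($pcap, -1, \&process_packet, '');

# pass 2: one dumper per call, created from the still-open $pcap
my $n = 0;
for my $id (sort keys %calls) {
    my $out = sprintf 'call_%02d.pcap', ++$n;   # a Call-ID is not a safe file name
    my $dumper = pcap_dump_open($pcap, $out)
        or die "Can't write '$out': " . pcap_geterr($pcap) . "\n";
    pcap_dump($dumper, $_->[0], $_->[1]) for @{ $calls{$id} };
    pcap_dump_close($dumper);
    printf "%s: %d packets -> %s\n", $id, scalar @{ $calls{$id} }, $out;
}
pcap_close($pcap);
```

Because pcap_dump_open always creates the file afresh, each call's packets are written in a single pass once the whole input has been read, which is what makes the missing 'append' function unnecessary here.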
In reply to dumping hashes to pcap files by bigmoose