Analyse a tcpdump dump file

pileofrogs has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, monks of the world

Can anyone recommend a perl module to help me analyze a file created by running tcpdump -w dumpfile? I see several modules in the tcpdump/pcap department, but I don't see any obvious choices that can read the packet dump created by tcpdump -w.

For background, I have an intermittent network problem and I've managed to capture a tcpdump file for part of that time. I want to do things like count the number of TCP, UDP, ICMP etc... packets to see if anything really broad like that changes during the badness. I could run "tcpdump -r dumpfile" and parse the resulting text, but if there is a good module to parse the tcpdump packet file, that would be even better.

Thanks!
--Pileofrogs

Thanks folks! Great answers!

Comment on Analyse a tcpdump dump file Select or Download Code

Replies are listed 'Best First'.
Re: Analyse a tcpdump dump file by NetWallah (Canon) on Feb 18, 2010 at 04:54 UTC
tcpdump produces native libpcap format files that are readable by Wireshark. (The free) Wireshark has powerful filtering and visualization tools to help analyze the packets. If you really want to read these in perl, try the "offline Analysis" sample in the Net::Packet::Dump module. You will also likely need the Netpacket:: series of modules for TCP/UDP or IP analysis. Theory is when you know something, but it doesn't work. Practice is when something works, but you don't know why it works. Programmers combine Theory and Practice: Nothing works and they don't know why. -Anonymous	[reply]
Re: Analyse a tcpdump dump file by zentara (Cardinal) on Feb 18, 2010 at 13:50 UTC
Try Reconstructing a file from a packet dump and here are a few snippets I collected here, written by others, which may prove useful. Untested. :-) UPDATE: I just tested them, and these don't work, so I delete them, and replace them with this: `# supppose you have raw dumps , created with something like: tcpdump -i eth0 -w tcpdump.out # to capture raw # then do this: tcpdump -r ./tcpdump.out > tcpdump.outr the ouptut will look then like: .... .... 12:17:28.864666 IP oreilly.com.http > zenlap.zentara.net.22322: . ack +651 win 111 <nop,nop,timestamp 1111732560 25 12:17:29.062812 IP oreilly.com.http > zenlap.zentara.net.22322: . 1:14 +41(1440) ack 651 win 111 <nop,nop,timestamp ..... .....` [download] Is that what you want? I'm not really a human, but I play one on earth. Old Perl Programmer Haiku	[reply] [d/l]