How to read pcap data from stream not from files.

darcy95 has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I'm using Net::Pcap module for my project. The code looks like this:

my $pcapPayload = Net::Pcap::open_offline($pcapFile,\$error);

while (my $pkt = Net::Pcap::next($pcapPayload, \%pcapHeader))
{
   my $ether_data = NetPacket::Ethernet::strip($pkt);
   my $ether_obj = NetPacket::Ethernet->decode($pkt);
   my $ip = NetPacket::IP->decode($ether_obj->{'data'});
   ...
}
[download]

This works very fine with a single small pcap file.

However, what I need now is getting pcap data from an input stream.

The reason why I need to do this is, because traffic data is not saved in pcap format, so it should first be converted into pcap files, but the files are very huge.

So, what my program should do is something like this:

> sth2pcap-convert.pl large-non-pcap-files | my-program.pl -o output.log

Does anyone know how to read data from input stream in perl?

Thanks

Comment on How to read pcap data from stream not from files. Select or Download Code

Replies are listed 'Best First'.
Re: How to read pcap data from stream not from files. by almut (Canon) on May 06, 2010 at 14:56 UTC
Generally, you can use read or sysread to read an arbitrary number of bytes from a stream. Alternatively, you can set `$/` to a ref-to-number, e.g. `$/ = \128;` [download] to have `<>` read blocks of 128 bytes (or less, in case 128 aren't available). I'm not intimate enough with the pcap format, though, to tell what block size would be adequate, and if the format is streamable at all (not every format is...).	[reply] [d/l] [select]
Re: How to read pcap data from stream not from files. by gman (Friar) on May 06, 2010 at 17:36 UTC
not sure if using Net::Pcap::loop($pcap, -1, \&process_pkt, ''); is handled differently internally, but for what it's worth here is something I have used. #!/usr/bin/perl -w use strict; use warnings; use Net::PcapUtils; use Net::Pcap; use NetPacket::Ethernet qw(:strip); use NetPacket::IP; #use Config::Reader::Simple; my $file = "CaptureData.txt"; open FILE, ">$file" or die "unable to open $file $!"; my %config; open my $config, '<', 'Config.txt' or die $!; sub process_pkt { my ($user, $hdr, $pkt) = @_; my $ip_obj = NetPacket::IP->decode(eth_strip($pkt)); my $eth_obj = NetPacket::Ethernet->decode($pkt); if($ip_obj->{src_ip} eq $config{'SourceIP'}) { print "SourceIP : $ip_obj->{src_ip}\n"; print "SourceMAC : $eth_obj->{src_mac}\n"; print "EthernetType : $eth_obj->{type}\n"; print "IPProtocol : $ip_obj->{proto}\n"; print "----------------------------\n"; } } while(<$config>) { chomp; my ($key, $value) = split /\s=\s/, $_; $config{$key} = $value; print FILE "chave: $key -- valor: $value\n"; } my $err =''; my $i = 1; my $pcap = Net::Pcap::open_offline("capture.pcap", \$err) or die "Can +not open f ile...$err\n"; Net::Pcap::loop($pcap, -1, \&process_pkt, ''); Net::Pcap::close($pcap); close FILE, ">$file" or die "unable to close $file $!"; [download]	[reply] [d/l]
Re: How to read pcap data from stream not from files. by AR (Friar) on May 06, 2010 at 14:06 UTC
`while ( defined( my $line = <STDIN> ) ) { process($line); }` [download] Also, please wrap your code in <c>...</c> for better legibility.	[reply] [d/l]
Re^2: How to read pcap data from stream not from files. by almut (Canon) on May 06, 2010 at 14:45 UTC
`while ( defined( my $line = <STDIN> ) ) {` [download] Just a quick side note: you don't need the `defined` here. Perl has some DWIMmery in place for this case, to always act as if the `defined` was there, even if you don't write it: `$ perl -MO=Deparse -e 'while ( my $line = <STDIN> ) { print $line }' while (defined(my $line = <STDIN>)) { do { print $line }; } -e syntax OK` [download]	[reply] [d/l] [select]
Re^3: How to read pcap data from stream not from files. by afoken (Chancellor) on May 09, 2010 at 05:34 UTC
Cool. I always thought that the DWIM magic was only there for the exact expression `while (<FILEHANDLE>)`, but not for any other construction like the assignment. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l]
Re^2: How to read pcap data from stream not from files. by Anonymous Monk on May 06, 2010 at 14:19 UTC
pcap file is not a text file. So, it doesn't save a packet-wise information in $line. I hope somebody who has better idea can help me. thanks	[reply]
Re^3: How to read pcap data from stream not from files. by AR (Friar) on May 06, 2010 at 14:29 UTC
You're right, I made a bad assumption. Is there a line delimiter in the pacp format? If so, you can add `local $/ = $delimiter;`. Note that this also changes the behavior of chomp in a predictable way.	[reply] [d/l]
Re^4: How to read pcap data from stream not from files. by darcy95 (Initiate) on May 06, 2010 at 14:38 UTC