merrittr has asked for the wisdom of the Perl Monks concerning the following question:

Hi

I have some code to analyze a pcap (see below). Besides src-ip, dest-ip, src-mac and dst-mac, what I need is to identify the type of packet: HTTP, ARP, ICMP, etc.

print $ip_obj->{proto}, ",", $eth_obj->{type} gives me something like

6,2048. How would I translate that into a meaningful application-layer name like HTTP, HTTPS, FTP, etc.?

#!/usr/bin/perl -w
use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
# (the original "use Exporter" / "@ISA = qw(Exporter)" lines were a module
#  template left-over and are not needed in a standalone script)

print "0\n";    # progress markers
my $log = Net::TcpDumpLog->new();
$log->read("/mnt/pcaps/pcap_2011-05-27-03:00:01.pcap");
print "1\n";
foreach my $index ($log->indexes) {
    print "2\n";
    # pcap record header: original length, captured length, drops, seconds and
    # the sub-second field (microseconds in the standard pcap format)
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);
    my $eth_obj = NetPacket::Ethernet->decode($data);
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;   # skips ARP, IPv6, ...
    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});
    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;        # skips ICMP, UDP, ...
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
    # localtime() only uses whole seconds; $mon is 0-based, hence the +1
    my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($secs);
    print sprintf("%02d-%02d %02d:%02d:%02d.%d", $mon + 1, $mday, $hour, $min, $sec, $msecs),
          " ", $eth_obj->{src_mac}, " -> ", $eth_obj->{dest_mac}, "\n";
    print $ip_obj->{proto}, ",", $eth_obj->{type}, ",",
          $ip_obj->{src_ip}, ":", $tcp_obj->{src_port}, " -> ",
          $ip_obj->{dest_ip}, ":", $tcp_obj->{dest_port}, "\n";
}

Re: Getting ethernet type using NetPacket
by NetWallah (Canon) on Jul 21, 2011 at 05:24 UTC
    I wrote this stuff in 2003-2004, and no longer remember the intricate details .. You may find plagiarizing this useful:

                "XML is like violence: if it doesn't solve your problem, use more."

      Wow... I will take a look, should be something to help me

        I couldn't get that code running

        Just wondering if I need to dig into $eth_obj->{data} more to pull out what this packet and its role is at the application layer?

        my $ip_obj = NetPacket::IP->decode($eth_obj->{data})
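Added example, not code from this thread or from NetPacket itself, covering both the original question (turning 6,2048 into names) and the follow-up about digging into $eth_obj->{data}: the EtherType (2048 = IPv4, 2054 = ARP) says what the frame carries, the IPv4 protocol number (6 = TCP, 17 = UDP, 1 = ICMP) says the transport, and only the ports plus the first bytes of the TCP/UDP payload say anything about the application. Port numbers are a convention, not a guarantee (HTTP on 8443, TLS on 80), so the example checks payload signatures first and falls back to the port via a small table and getservbyport(). The frames are constructed inline with pack() so it runs without a pcap; the MAC/IP addresses, ports and the helper names (guess_app, classify_frame, ipv4_frame, tcp_seg, udp_seg) are my own assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from NetPacket: name the
# numbers NetPacket decodes (EtherType, IP protocol, ports) and inspect the
# payload before trusting the port number. Addresses, ports and the helper
# names below are made up for the demonstration.
use strict;
use warnings;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use NetPacket::UDP;

# EtherType as $eth_obj->{type} reports it (decimal) -> what the frame carries.
my %eth_name = (2048 => 'IPv4', 2054 => 'ARP', 34525 => 'IPv6');
# IANA protocol number from the IPv4 header -> transport protocol.
my %ip_name = (1 => 'ICMP', 6 => 'TCP', 17 => 'UDP');
# Well-known ports from the question; getservbyport() covers the rest.
my %port_name = (
    tcp => { 21 => 'FTP', 22 => 'SSH', 25 => 'SMTP', 80 => 'HTTP', 443 => 'HTTPS' },
    udp => { 53 => 'DNS', 67 => 'DHCP', 123 => 'NTP' },
);

# Guess the application-layer protocol of one TCP or UDP segment.
sub guess_app {
    my ($l4, $src_port, $dst_port, $payload) = @_;
    # Payload signatures beat port numbers: nothing stops a host from
    # speaking HTTP on 8443, TLS on 80 or SSH on 443.
    if (defined $payload && length($payload)) {
        return 'HTTP' if $payload =~ m{^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n};
        return 'HTTP' if $payload =~ m{^HTTP/1\.[01] \d{3} };
        # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
        return 'TLS'  if $payload =~ /^\x16\x03[\x00-\x04]/;
        return 'SSH'  if $payload =~ /^SSH-\d\.\d-/;
    }
    # Fall back to the lower-numbered port, which is usually the server side.
    my ($port) = sort { $a <=> $b } ($src_port, $dst_port);
    return $port_name{$l4}{$port} if exists $port_name{$l4}{$port};
    my $svc = getservbyport($port, $l4);    # /etc/services name, undef if unknown
    return defined $svc ? uc $svc : "$l4/$port";
}

# Decode one raw Ethernet frame and describe it on one line.
sub classify_frame {
    my ($raw) = @_;
    my $eth = NetPacket::Ethernet->decode($raw);
    my $l2  = $eth_name{ $eth->{type} } || sprintf('ethertype 0x%04x', $eth->{type});
    return "$l2 $eth->{src_mac} -> $eth->{dest_mac}"
        unless $eth->{type} == NetPacket::Ethernet::ETH_TYPE_IP;

    my $ip = NetPacket::IP->decode($eth->{data});
    my $l3 = $ip_name{ $ip->{proto} } || "proto $ip->{proto}";
    my $l4 = $ip->{proto} == NetPacket::IP::IP_PROTO_TCP ? NetPacket::TCP->decode($ip->{data})
           : $ip->{proto} == NetPacket::IP::IP_PROTO_UDP ? NetPacket::UDP->decode($ip->{data})
           : undef;
    return "IPv4/$l3 $ip->{src_ip} -> $ip->{dest_ip}" unless $l4;

    my $app = guess_app(lc $l3, $l4->{src_port}, $l4->{dest_port}, $l4->{data});
    return "IPv4/$l3 $ip->{src_ip}:$l4->{src_port} -> $ip->{dest_ip}:$l4->{dest_port} $app";
}

# --- Constructed sample frames so this runs without a pcap. Checksums are
# --- left zero; NetPacket's decode() does not verify them.
sub ipv4_frame {
    my ($proto, $l4_bytes) = @_;
    my $ip = pack('C C n n n C C n a4 a4',
        0x45, 0, 20 + length($l4_bytes), 0x1234, 0x4000, 64, $proto, 0,
        pack('C4', 10, 0, 0, 1), pack('C4', 192, 0, 2, 10)) . $l4_bytes;
    return pack('H12 H12 n', '66778899aabb', '001122334455', 0x0800) . $ip;  # dst MAC, src MAC, EtherType
}
sub tcp_seg { my ($s, $d, $p) = @_; pack('n n N N C C n n n', $s, $d, 1, 1, 0x50, 0x18, 0xffff, 0, 0) . $p }
sub udp_seg { my ($s, $d, $p) = @_; pack('n n n n', $s, $d, 8 + length($p), 0) . $p }
my $arp_frame = pack('H12 H12 n', 'ffffffffffff', '001122334455', 0x0806)
              . pack('n n C C n', 1, 0x0800, 6, 4, 1)      # ARP request, Ethernet/IPv4
              . pack('H12 C4 H12 C4', '001122334455', 10, 0, 0, 1, '000000000000', 10, 0, 0, 2);

my @frames = (
    ipv4_frame(6,  tcp_seg(51000, 80,   "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")),
    ipv4_frame(6,  tcp_seg(51001, 8443, "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03")),  # TLS on an odd port
    ipv4_frame(6,  tcp_seg(51002, 21,   '')),                    # no payload: port-based fallback
    ipv4_frame(17, udp_seg(51003, 53,   "\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
    ipv4_frame(1,  pack('C C n n n', 8, 0, 0, 1, 1)),            # ICMP echo request
    $arp_frame,
);
print classify_frame($_), "\n" for @frames;
```

To run it over the real capture, drop the constructed @frames and call classify_frame($log->data($index)) inside the Net::TcpDumpLog loop from the question. Note that the second sample frame is reported as TLS even though it travels on port 8443, and the empty FTP segment is only labelled by its port; a label that comes from the port alone is a guess, which matters when the capture is being used to spot traffic that is deliberately hiding on an unusual port.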