k_grdn has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,
I've recently started programming in Perl. I have an interest in packet encoding and have stumbled upon errors with the following script.

    use strict;
    use Net::TcpDumpLog;
    use NetPacket::IP qw(:strip);
    use NetPacket::TCP qw(:strip);

    my $log = Net::TcpDumpLog->new();
    $log->read("tcp01.dump");
    my @Indexes = $log->indexes;
    my $index;
    my ($length_orig, $length_incl, $drops, $secs, $msecs);
    my $data;

    foreach $index (@Indexes) {
        ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
        $data = $log->data($index);
        # Assumes a 14-byte Ethernet header: 6-byte dest, 6-byte src, 2-byte type
        my ($ether_dest, $ether_src, $ether_type, $ether_data) = unpack('H12H12H4a*', $data);
        my $ip_obj  = NetPacket::IP->decode($ether_data);
        my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
        print("$ip_obj->{src_ip}:$ip_obj->{dest_ip}\n");
    }

output:

    250.84.80.45:76.34.213.120
    250.19.80.45:76.34.213.120
    249.4.213.120:252.2.80.45
    249.3.213.120:252.2.80.45
    249.2.213.120:252.2.80.45
    223.68.213.120:252.2.80.45

tcpdump snippet:

    IP 80.45.76.34.22 > 213.120.252.2.49191:
    IP 80.45.76.34.22 > 213.120.252.2.49191:
    IP 213.120.252.2.49191 > 80.45.76.34.22:
    IP 213.120.252.2.49191 > 80.45.76.34.22:
    IP 213.120.252.2.49191 > 80.45.76.34.22:

As you can see, the addresses are messed up.

kernel 2.6.22-14-386
tcpdump 3.9.7-1
distro ubuntu 7.10

Is this a compatibility issue, or can the errors be overcome with correct code syntax?

Regards,

k_grdn

Re: NetPacket IP Problems
by k_grdn (Novice) on May 08, 2008 at 20:54 UTC
    Hi Monks,

    Made some progress,

    The following tcpdump dump file produces output as expected:

    IP 192.168.0.10.ssh > 192.168.0.50.50609:
    IP 192.168.0.50.50609 > 192.168.0.10.ssh:
    IP 192.168.0.50.50609 > 192.168.0.10.ssh:
    IP 192.168.0.50.50609 > 192.168.0.10.ssh:

    Output:

    192.168.0.10:192.168.0.50
    192.168.0.10:192.168.0.50
    192.168.0.50:192.168.0.10
    192.168.0.50:192.168.0.10
    192.168.0.50:192.168.0.10

    Also, I can capture traffic as expected on local interfaces but not on the external ppp0 interface, with the following:

    use strict;
    use Net::PcapUtils;
    use NetPacket::Ethernet qw(:strip);
    use NetPacket::IP;

    # Called once per captured packet: strip the Ethernet header, decode the IP header
    sub process_pkt {
        my ($user, $hdr, $pkt) = @_;
        my $ip_obj = NetPacket::IP->decode(eth_strip($pkt));
        print("$ip_obj->{src_ip}:$ip_obj->{dest_ip} $ip_obj->{proto}\n");
    }

    Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip', DEV => 'ppp0');

    Both scripts have problems processing ppp0 interface traffic, and produce garbled output.

    Regards,

    k_grdn

      Have you tried using Net::Packet::PPP to decode the PPP packet, to get at the encapsulated data?

      You can then analyze the payload of the PPP packet to get the IP packet.

           "How many times do I have to tell you again and again .. not to be repetitive?"

        Thanks NetWallah,

        I will give that a try at first opportunity.

        Regards,

        k_grdn
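Added example, not code from the thread or from the NetPacket modules named in it: a pure-Perl pcap reader that takes the link-layer header length from the file's own link type field instead of always stripping 14 bytes of Ethernet. It assumes the ppp0 dump was written with the Linux "cooked" link type (113, a 16-byte header); the sample packet below is constructed, with the checksum field hand-set rather than computed.

```perl
use strict; use warnings;

# Link-layer header length per pcap link type (libpcap LINKTYPE numbers):
# 1 = Ethernet, 113 = Linux "cooked" capture (what tcpdump writes for
# interfaces without an Ethernet header, such as ppp0), 101/12 = raw IP.
my %LINK_HDR_LEN = (1 => 14, 113 => 16, 101 => 0, 12 => 0);

# Summarise an IPv4 header; flag it when the version nibble is not 4, which
# is the usual symptom of stripping the wrong number of link-layer bytes.
sub ipv4_summary {
    my ($ip) = @_;
    my ($vihl, $proto, $src, $dst) = unpack 'C x8 C x2 a4 a4', $ip;
    my $ver  = $vihl >> 4;
    my $note = $ver == 4 ? '' : " (version field is $ver, not 4: wrong link-layer offset?)";
    return sprintf '%s > %s proto %d%s', join('.', unpack 'C4', $src),
        join('.', unpack 'C4', $dst), $proto, $note;
}

# Walk a pcap file image and decode every record, skipping exactly the
# link-layer header length that the file's own global header dictates.
sub decode_pcap {
    my ($bytes) = @_;
    my $magic = unpack 'V', substr $bytes, 0, 4;
    my $e = $magic == 0xa1b2c3d4 ? 'V'      # little-endian file
          : $magic == 0xd4c3b2a1 ? 'N'      # big-endian file
          : die "not a pcap file\n";
    my $linktype = unpack $e, substr $bytes, 20, 4;
    my $skip = $LINK_HDR_LEN{$linktype};
    die "unsupported link type $linktype\n" unless defined $skip;
    my @flows;
    for (my $off = 24; $off + 16 <= length $bytes; ) {
        my ($incl) = unpack "x8 $e", substr $bytes, $off, 16;   # incl_len field
        push @flows, ipv4_summary(substr $bytes, $off + 16 + $skip, $incl - $skip);
        $off += 16 + $incl;
    }
    return \@flows;
}

# Constructed sample: one Linux-cooked (113) record holding a 16-byte SLL
# header and an IPv4 header 80.45.76.34 -> 213.120.252.2, proto 6, with the
# checksum field set to 0xFA54 rather than computed and no TCP payload.
my $sll  = pack 'n n n a8 n', 0, 512, 0, '', 0x0800;
my $ipv4 = pack 'C C n n n C C n C4 C4', 0x45, 0, 20, 1, 0x4000, 64, 6, 0xFA54,
                80, 45, 76, 34, 213, 120, 252, 2;
my $pcap = pack('V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 113)
         . pack('V V V V', 1210276800, 0, 36, 36) . $sll . $ipv4;
print "$_\n" for @{ decode_pcap($pcap) };
# The original script's fixed 14-byte strip leaves two SLL bytes in place:
print ipv4_summary(substr $pcap, 24 + 16 + 14), "\n";
```

The last print shows the two-byte shift that turns the checksum and first address bytes into nonsense addresses like those in the question's output; the version-field check is the cheapest way to catch that before trusting any decoded field.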