k_grdn has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,
I've recently started programming perl, I have an interest in pkt encoding and have stumbled upon errors with the following script.

use strict;
use Net::TcpDumpLog;
use NetPacket::IP qw(:strip);
use NetPacket::TCP qw(:strip);


my $log = Net::TcpDumpLog->new();
$log->read("tcp01.dump");

my @Indexes = $log->indexes;
my $index;
my ($length_orig,$length_incl,$drops,$secs,$msecs);
my $data;

foreach $index (@Indexes) {
    ($length_orig,$length_incl,$drops,$secs,$msecs) = $log->header($in
+dex);
    $data = $log->data($index);
    my ($ether_dest,$ether_src,$ether_type,$ether_data) = unpack('H12H
+12H4a*',$data);
    my $ip_obj   = NetPacket::IP->decode($ether_data);
    my $tcp_obj  = NetPacket::TCP->decode( $ip_obj->{data} );

    print("$ip_obj->{src_ip}:$ip_obj->{dest_ip}\n");

}

[download]

output:

250.84.80.45:76.34.213.120
250.19.80.45:76.34.213.120
249.4.213.120:252.2.80.45
249.3.213.120:252.2.80.45
249.2.213.120:252.2.80.45
223.68.213.120:252.2.80.45

[download]

tcpdump snippet:

IP 80.45.76.34.22 > 213.120.252.2.49191:
IP 80.45.76.34.22 > 213.120.252.2.49191:
IP 213.120.252.2.49191 > 80.45.76.34.22:
IP 213.120.252.2.49191 > 80.45.76.34.22:
IP 213.120.252.2.49191 > 80.45.76.34.22:

[download]

As you can see the addresses are messed up.

kernel 2.6.22-14-386
tcpdump 3.9.7-1
distro ubuntu 7.10

Is this compatibility issues? or can errors be overcome with correct code syntax?

Regards,

k_grdn

Replies are listed 'Best First'.
Re: NetPacket IP Problems
by k_grdn (Novice) on May 08, 2008 at 20:54 UTC
    Hi Monks,

    Made some progress,

    The following tcpdump dump file produces output as expected:

    IP 192.168.0.10.ssh > 192.168.0.50.50609:
IP 192.168.0.50.50609 > 192.168.0.10.ssh:
IP 192.168.0.50.50609 > 192.168.0.10.ssh:
IP 192.168.0.50.50609 > 192.168.0.10.ssh:

    [download]
    Output
    192.168.0.10:192.168.0.50
192.168.0.10:192.168.0.50
192.168.0.50:192.168.0.10
192.168.0.50:192.168.0.10
192.168.0.50:192.168.0.10

    [download]

    Also I can capture traffic as expected on local interfaces but not on external ppp0 interface, with the following:
    use strict;
use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP;

sub process_pkt {
    my ($user, $hdr, $pkt) = @_;

    my $ip_obj = NetPacket::IP->decode(eth_strip($pkt));
    print("$ip_obj->{src_ip}:$ip_obj->{dest_ip} $ip_obj->{proto}\n");
}

Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip', DEV => 'ppp0');

    [download]

    Both scipts have problems processing ppp0 interface traffic, and produce garrbled output.

    Regards,

    k_grdn

[reply]
[d/l]
[select]
      Have you tried using Net::Packet::PPP to decode the PPP packet, to get at the encapsulated data ?

      You can then analyze the payload of the PPP packet to get the IP packet.

           "How many times do I have to tell you again and again .. not to be repetitive?"

[reply]
        Thanks NetWallah,

        I will give that a try at first opportunity.

        Regards,

        k_grdn

[reply]

Back to Seekers of Perl Wisdom