Hello perl gurus,

I'm fairly new to Perl, but have chosen it for something I'm working on now as it seems to be the right tool for the job: I have some pcap files which I want to perform some analysis on. I want to:

i) Reconstruct TCP flows
ii) Have access to all headers + payloads of packets within each flow

So far I've found Net::TcpDumpLog which has allowed me to extract individual packets (headers + payload) from pcap files fine. But I don't want to manually rebuild sessions (as I'm sure there's a better way). The code for that is here -> http://perl.pastebin.com/m79529a69

Now I'm hoping someone much smarter than me can shove me in the right direction about how to reconstruct flows. My overall goal is to have a file output which has something like the following, one per line:

flow_num IP_src IP_dest TCP_srcPort TCP_dstPort num_of_packets_in_flow avg_packet_payload_size avg_packet_interarrival_time

I found a Linux tool called tcpflow[1], but it reconstructs flows with minimal packet information. Next I found a package called Net::Analysis[2] which I think may be the solution, but I'm struggling to understand how to actually use it, as I'm not sure how modules, interfaces, classes etc work in Perl. I see that there is a class called TCPMonologue which I *think* is what I need to use, along with the Listener::TCP module (already I'm confused between classes and modules).

To pseudo code what I want to do:

    @monologues = new monologues("capture.dump");
    foreach $monologue (@monologues) {
        foreach $packet ($monologue) {
            # print and create stats on header information and payload etc
        }
    }
There seems to be some sort of command line interface from reading the documentation:

    narcos@host:~/$ perl -MNet::Analysis -e main TCP,v=2 foo.dump

...gives me almost what I want, but I can't figure out how to write a script as opposed to using this command line thing. Sorry if I'm asking silly questions; I'm feeling a bit confused by all of this. I would *greatly* appreciate any help you could give me.


Many thanks,
Glenn

[1] http://www.circlemud.org/~jelson/software/tcpflow/
[2] http://search.cpan.org/~worrall/Net-Analysis/
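As an added illustration (not part of the original post, and not the Net::Analysis or tcpflow code), here is one way to get the flow summary line described above using only core Perl: the script walks the pcap file with pack/unpack, decodes the Ethernet, IPv4 and TCP headers itself, groups packets into bidirectional flows keyed on the endpoint pair, and prints one line per flow. It assumes an Ethernet capture (link type 1), IPv4 without VLAN tags, and packets stored in time order; the function names and the in-memory sample capture built by sample_pcap() are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not from the original post: reconstruct TCP flows from a
# pcap file and print one summary line per flow using only core Perl
# (pack/unpack).  Assumptions: Ethernet link type, IPv4, no VLAN tags,
# packets stored in time order.  With no argument it parses a small capture
# constructed in memory by sample_pcap().
use strict;
use warnings;

# Return a list of hashes (ts, src, dst, sport, dport, payload_len), one per
# IPv4/TCP packet found in the pcap byte string $data.
sub parse_pcap {
    my ($data) = @_;
    my ($magic) = unpack('V', $data);
    my ($L, $S) = $magic == 0xa1b2c3d4 ? ('V', 'v')       # little-endian file
                : $magic == 0xd4c3b2a1 ? ('N', 'n')       # big-endian file
                : die "not a pcap file\n";
    my $linktype = (unpack("$L $S $S $L $L $L $L", $data))[6];
    die "only Ethernet (linktype 1) captures are handled\n" unless $linktype == 1;
    my ($off, @pkts) = (24);                               # 24-byte global header
    while ($off + 16 <= length $data) {
        my ($sec, $usec, $caplen) = unpack("$L $L $L", substr($data, $off, 12));
        my $frame = substr($data, $off + 16, $caplen);     # 16-byte record header
        $off += 16 + $caplen;
        my $p = parse_frame($frame) or next;               # skip non-TCP frames
        $p->{ts} = $sec + $usec / 1e6;
        push @pkts, $p;
    }
    return \@pkts;
}

# Decode Ethernet/IPv4/TCP headers; returns undef for anything else.
sub parse_frame {
    my ($frame) = @_;
    return if length($frame) < 34;                         # 14 Ethernet + 20 IPv4
    return unless unpack('n', substr($frame, 12, 2)) == 0x0800;   # IPv4 only
    my $ip = substr($frame, 14);
    my ($vihl, $total_len, $proto, $src, $dst) = unpack('C x n x5 C x2 N N', $ip);
    my $ihl = ($vihl & 0x0f) * 4;
    return unless ($vihl >> 4) == 4 && $proto == 6 && $total_len >= $ihl + 20;
    my $tcp = substr($ip, $ihl, $total_len - $ihl);        # drops Ethernet padding
    return if length($tcp) < 20;
    my ($sport, $dport, $doff) = unpack('n n x8 C', $tcp);
    my $hlen = ($doff >> 4) * 4;
    return {
        src   => join('.', unpack('C4', pack('N', $src))),
        dst   => join('.', unpack('C4', pack('N', $dst))),
        sport => $sport, dport => $dport,
        payload_len => length($tcp) > $hlen ? length($tcp) - $hlen : 0,
    };
}

# Group packets into bidirectional flows keyed on the sorted endpoint pair, so
# both directions of a connection count towards one flow; the direction of the
# first packet seen is reported as src -> dst.
sub summarize_flows {
    my ($pkts) = @_;
    my (%flow, @order);
    for my $p (@$pkts) {
        my @ends = sort("$p->{src}:$p->{sport}", "$p->{dst}:$p->{dport}");
        my $key  = "@ends";
        unless ($flow{$key}) {
            push @order, $key;
            $flow{$key} = { n => 0, bytes => 0, first => $p->{ts}, last => $p->{ts},
                            (map { ($_ => $p->{$_}) } qw(src dst sport dport)) };
        }
        my $f = $flow{$key};
        $f->{n}++;
        $f->{bytes} += $p->{payload_len};
        $f->{last}   = $p->{ts};
    }
    my @summary;
    for my $i (0 .. $#order) {
        my $f = $flow{$order[$i]};
        push @summary, {
            flow_num    => $i + 1,
            (map { ($_ => $f->{$_}) } qw(src dst sport dport)),
            num_packets => $f->{n},
            avg_payload => $f->{bytes} / $f->{n},
            avg_iat     => $f->{n} > 1 ? ($f->{last} - $f->{first}) / ($f->{n} - 1) : 0,
        };
    }
    return \@summary;
}

# Build one Ethernet/IPv4/TCP frame for the sample capture; checksums are left
# zero because the parser above does not verify them.
sub build_frame {
    my ($src, $dst, $sport, $dport, $payload) = @_;
    my $tcp = pack('n n N N C C n n n', $sport, $dport, 1, 1, 0x50, 0x18, 8192, 0, 0) . $payload;
    my $ip  = pack('C C n n n C C n a4 a4', 0x45, 0, 20 + length($tcp), 1, 0x4000, 64, 6, 0,
                   pack('C4', split(/\./, $src)), pack('C4', split(/\./, $dst)));
    return pack('H12 H12 n', '000000000001', '000000000002', 0x0800) . $ip . $tcp;
}

# Constructed sample capture: a short HTTP exchange plus one lone SSH packet.
sub sample_pcap {
    my @frames = ([0.000, '10.0.0.1', '10.0.0.2', 40000, 80,    ''],
                  [0.010, '10.0.0.2', '10.0.0.1', 80,    40000, ''],
                  [0.020, '10.0.0.1', '10.0.0.2', 40000, 80,    "GET / HTTP/1.0\r\n\r\n"],
                  [0.120, '10.0.0.2', '10.0.0.1', 80,    40000, "HTTP/1.0 200 OK\r\n\r\nhello"],
                  [0.500, '10.0.0.3', '10.0.0.2', 41000, 22,    'SSH-2.0-x']);
    my $out = pack('V v v V V V V', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1);   # global header
    for my $f (@frames) {
        my ($t, @rest) = @$f;
        my $frame = build_frame(@rest);
        $out .= pack('V V V V', int($t), int(($t - int($t)) * 1e6 + 0.5),
                     length($frame), length($frame)) . $frame;
    }
    return $out;
}

my $data = @ARGV ? do { open(my $fh, '<:raw', $ARGV[0]) or die "$ARGV[0]: $!\n"; local $/; <$fh> }
                 : sample_pcap();
print "flow_num IP_src IP_dest TCP_srcPort TCP_dstPort num_of_packets_in_flow "
    . "avg_packet_payload_size avg_packet_interarrival_time\n";
for my $f (@{ summarize_flows(parse_pcap($data)) }) {
    printf "%d %s %s %d %d %d %.1f %.6f\n",
        @{$f}{qw(flow_num src dst sport dport num_packets avg_payload avg_iat)};
}
```

Run it as `perl flows.pl capture.pcap` to summarise a real file, or with no argument to see the two flows in the built-in sample. The average inter-arrival time is computed as (last timestamp - first timestamp) / (packets - 1), which equals the mean of the consecutive gaps when the capture is in time order; a flow with a single packet reports 0. Because the parser never verifies checksums and trusts the IPv4 and TCP length fields, a crafted or truncated capture can only make it skip a packet, not misbehave, but anything beyond plain Ethernet/IPv4 (VLAN tags, IPv6, pcapng) is silently ignored rather than decoded.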

In reply to TCP session recreation from pcap files by narcos
