> I have used libpcap to capture data using the Net::Pcap module ... and now
> ... I have been stuck with decoding ... here is the code that I have
> used: http://cpansearch.perl.org/src/SAPER/Net-Pcap-0.16/eg/pcapdump
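#!/usr/bin/perl
# pcapdump - capture packets with Net::Pcap and print a one-line summary
# plus a hex dump of the transport payload of every IPv4 packet seen.
use strict;
use warnings;

use Data::Hexdumper;
use File::Basename;
use Getopt::Long qw(:config no_auto_abbrev);
use Net::Pcap qw(:functions);
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::ICMP;    # decode() is called on these two packages below,
use NetPacket::UDP;     # so they have to be loaded explicitly
use NetPacket::TCP;     # the FIN/SYN/... constants used by flags_of() are
                        # expected to come from its default exports
use Pod::Usage;
use Socket qw(inet_ntoa);

$::PROGRAM = basename($0);
$::VERSION = "0.01";

# globals
my $dumper = undef;     # pcap dumper handle, only set when -w/--writeto is given

# ICMP type names, kept from the original example; not used by the decoder yet
my %icmp = (
    ICMP_ECHO          => "echo",
    ICMP_ECHOREPLY     => "echo-reply",
    ICMP_IREQ          => "ireq",
    ICMP_IREQREPLY     => "ireq-reply",
    ICMP_MASREQ        => "mask",
    ICMP_MASKREPLY     => "mask-reply",
    ICMP_PARAMPROB     => "param-prob",
    ICMP_REDIRECT      => "redirect",
    ICMP_ROUTERADVERT  => "router-advert",
    ICMP_ROUTERSOLICIT => "router-solicit",
    ICMP_SOURCEQUENCH  => "source-quench",
    ICMP_TIMXCEED      => "time-exceeded",
    ICMP_TSTAMP        => "timestamp",
    ICMP_TSTAMPREPLY   => "timestamp-reply",
    ICMP_UNREACH       => "unreachable",
);

MAIN: {
    run();
}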
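# Entry point: parse the command line, open the capture device, install the
# optional BPF filter and dump file, then hand control to pcap_loop() with
# process_packet() as the per-packet callback. Dies with a "fatal:" message
# on any setup failure.
sub run {
    $|++;    # unbuffer STDOUT so every packet shows up as it is processed

    # get options
    my %options = (
        count   => 10,
        promisc => 0,
        snaplen => 256,
        timeout => 10,
    );

    GetOptions(\%options, qw{
        help|h! version|V! count|c=i interface|i=s promisc|p! snaplen|s=i writeto|w=s
    }) or pod2usage();
    pod2usage({ -verbose => 2, -exitval => 0 }) if $options{help};
    print "$::PROGRAM v$::VERSION\n" if $options{version};

    my ($err, $net, $mask, $filter);
    my $dev = $options{interface} || pcap_lookupdev(\$err);
    die "fatal: can't find a network device: $err\n" unless defined $dev;
    my $filter_str = join " ", @ARGV;

    # open the interface (live capture needs elevated privileges on most systems)
    my $pcap = pcap_open_live($dev, @options{qw(snaplen promisc timeout)}, \$err)
        or die "fatal: can't open network device $dev: $err ",
               "(do you have the privileges?)\n";

    if ($filter_str) {
        # compile the filter; the expression is handed to libpcap's BPF
        # compiler, not to a shell, so no quoting of @ARGV is involved
        pcap_compile($pcap, \$filter, $filter_str, 1, 0) == 0
            or die "fatal: filter error\n";
        pcap_setfilter($pcap, $filter) == 0
            or die "fatal: can't install filter: ", pcap_geterr($pcap), "\n";
    }

    if ($options{writeto}) {
        $dumper = pcap_dump_open($pcap, $options{writeto})
            or die "fatal: can't write to file '$options{writeto}': ",
                   pcap_geterr($pcap), "\n";
    }

    # print some information about the interface we're currently using;
    # the network/netmask part is only shown when the lookup succeeds
    my $net_info = "";
    if (pcap_lookupnet($dev, \$net, \$mask, \$err) == 0) {
        $net_info = " (" . dotquad($net) . "/" . dotquad($mask) . ")";
    }
    print "listening on $dev$net_info, capture size $options{snaplen} bytes";
    print ", filtering on $filter_str" if $filter_str;
    print $/;

    # enter the main loop
    pcap_loop($pcap, $options{count}, \&process_packet, '');

    # close the dump file first so buffered packets are flushed to disk
    pcap_dump_close($dumper) if $dumper;
    pcap_close($pcap);
    return;
}

# pcap_loop() callback: print a summary line and a hex dump for one packet.
# Arguments are the ones libpcap passes to the callback: the user data given
# to pcap_loop() (unused), the packet header hashref (len, caplen, tv_sec,
# tv_usec) and the raw packet bytes.
sub process_packet {
    my ($user_data, $header, $packet) = @_;

    printf "packet: len=%s, caplen=%s, tv_sec=%s, tv_usec=%s\n",
        map { $header->{$_} } qw(len caplen tv_sec tv_usec);

    # dump the packet if asked to do so
    pcap_dump($dumper, $header, $packet) if $dumper;

    # decode the Ethernet frame; only IPv4 is handled, any other EtherType
    # (ARP, IPv6, ...) is silently skipped
    my $ethframe = NetPacket::Ethernet->decode($packet);
    return unless $ethframe->{type} == ETH_TYPE_IP;

    # decode the IP payload
    my $ipframe = NetPacket::IP->decode($ethframe->{data});
    my ($src_ip, $dest_ip) = @{$ipframe}{qw(src_ip dest_ip)};

    # defaults so the summary line is well-defined for ICMP and for IP
    # protocols this script does not decode (no undef reaches printf)
    my $proto     = "proto $ipframe->{proto}";
    my $payload   = undef;
    my $flags     = "";
    my $src_port  = 0;
    my $dest_port = 0;

    if ($ipframe->{proto} == IP_PROTO_ICMP) {
        my $icmpframe = NetPacket::ICMP->decode($ipframe->{data});
        $proto   = "ICMP";
        $payload = $icmpframe->{data};
    }
    elsif ($ipframe->{proto} == IP_PROTO_TCP) {
        my $tcpframe = NetPacket::TCP->decode($ipframe->{data});
        $proto     = "TCP";
        $src_port  = $tcpframe->{src_port};
        $dest_port = $tcpframe->{dest_port};
        $payload   = $tcpframe->{data};
        $flags     = flags_of($tcpframe->{flags});
    }
    elsif ($ipframe->{proto} == IP_PROTO_UDP) {
        my $udpframe = NetPacket::UDP->decode($ipframe->{data});
        $proto     = "UDP";    # the original example mislabelled UDP as "TCP"
        $src_port  = $udpframe->{src_port};
        $dest_port = $udpframe->{dest_port};
        # the UDP payload is opaque application data: a DNS message (port 53)
        # needs a protocol parser such as Net::DNS::Packet to be decoded;
        # this script only hex-dumps it
        $payload   = $udpframe->{data};
    }

    printf "IP:%s %s:%d -> %s:%d (%s)\n",
        $proto, $src_ip, $src_port, $dest_ip, $dest_port, $flags;

    # show the payload through hexdump() only: these are untrusted bytes from
    # the wire, and printing them raw would pass any embedded terminal control
    # or escape sequences straight to the terminal
    print hexdump(data => $payload, start_position => 0)
        if defined $payload && length $payload;
    print $/;
    return;
}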
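# Render the flag bits of a decoded NetPacket::TCP header as a comma-separated
# list of lower-case flag names, in the fixed order of the table below.
# Takes the integer flags field; returns "" when no flag is set.
sub flags_of {
    my ($flags) = @_;

    # ordered (bit, name) pairs; the table order is the output order
    my @table = (
        [ URG, "urg" ],
        [ ACK, "ack" ],
        [ PSH, "psh" ],
        [ FIN, "fin" ],
        [ SYN, "syn" ],
        [ RST, "rst" ],
        [ ECE, "ece" ],
        [ CWR, "cwr" ],
    );

    my @names;
    for my $entry (@table) {
        my ($bit, $name) = @$entry;
        push @names, $name if $flags & $bit;
    }
    return join ",", @names;
}

# Format a 32-bit address as handed back by pcap_lookupnet() in dotted-quad
# notation. pack("I") reproduces the value's native in-memory byte layout,
# which is what inet_ntoa() needs here because libpcap stores the address as
# raw network-order bytes in the integer; TODO confirm on big-endian hosts.
sub dotquad {
    my ($addr) = @_;
    return inet_ntoa(pack("I", $addr));
}

__END__

=head1 NAME

pcapdump - Dump packets from the network

=head1 SYNOPSIS

    pcapdump [-c count] [-i interface] [-p] [-s snaplen] [-w file] [expression]
    pcapdump --help
    pcapdump --version

=head1 OPTIONS

=over

=item B<-c>, B<--count> I<N>

Exit after receiving I<N> packets. Defaults to 10.

=item B<-i>, B<--interface> I<device>

Listen on the specified interface. If unspecified, the program will use the
interface returned by C<pcap_lookupdev()>.

=item B<-p>, B<--promisc>

Put the interface in promiscuous mode. Off by default.

=item B<-s>, B<--snaplen> I<L>

Capture I<L> bytes of data for each packet. Defaults to 256.

=item B<-w>, B<--writeto> I<file>

Also write every captured packet to I<file> in libpcap savefile format
(via C<pcap_dump_open()>).

=back

=head1 DESCRIPTION

B<pcapdump> mimics the very basic features of B<tcpdump(1)> and provides a
good example of how to use C<Net::Pcap>.

=head1 AUTHOR

SE<eacute>bastien Aperghis-Tramoni, E<lt>sebast...@aperghis.netE<gt>

=head1 COPYRIGHT

Copyright (C) 2005, 2006, 2007, 2008 SE<eacute>bastien Aperghis-Tramoni.
All rights reserved.

This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.

=cut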
> I have modified this one to filter some posts, but now I ran into a
> decoding problem ... the decode module I got decodes in this format:



0x0000 : 36 31 39 31 32 22 20 74 69 74 6C 65 3D 22 47 72 : 61912".title="Gr
  0x0010 : 61 6E 64 46 61 74 68 65 72 27 73 20 68 6F 6D 65 :
andFather's.home
  0x0020 : 20 6E 6F 64 65 2E 20 4D 65 6D 62 65 72 20 6F 66 :
.node..Member.of
  0x0030 : 3A 20 6A 61 6E 69 74 6F 72 73 2C 20 70 6D 64 65 :
:.janitors,.pmde
  0x0040 : 76 2E 22 3E 47 72 61 6E 64 46 61 74 68 65 72 3C :
v.">GrandFather<
  0x0050 : 2F 61 3E 3C 62 72 20 2F 3E 3C 2F 73 70 61 6E 3E :
/a><br./></span>
  0x0060 : 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F :
</span></span></
  0x0070 : 73 70 61 6E 3E 0A 3C 73 70 61 6E 20 63 6C 61 73 :
span>.<span.clas
  0x0080 : 73 3D 27 6F 64 64 2D 72 6F 77 27 3E 3C 73 70 61 :
s='odd-row'><spa
  0x0090 : 6E 20 63 6C 61 73 73 3D 27 69 74 65 6D 2D 30 30 :
n.class='item-00
  0x00A0 : 31 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 :
1'><span.class='
  0x00B0 : 75 73 65 72 2D 6C 65 76 65 6C 2D 31 39 27 3E 3C :
user-level-19'><
  0x00C0 : 73 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 :
span.class='user
  0x00D0 : 2D 33 32 34 37 36 33 27 3E 3C 61 20 68 72 65 66 :
-324763'><a.href
  0x00E0 : 3D 22 3F 6E 6F 64 65 5F 69 64 3D 33 32 34 37 36 :
="?node_id=32476
  0x00F0 : 33 22 20 74 69 74 6C 65 3D 22 6D 61 72 74 6F 27 :
3".title="marto'
  0x0100 : 73 20 68 6F 6D 65 20 6E 6F 64 65 22 3E 6D 61 72 :
s.home.node">mar
  0x0110 : 74 6F 3C 2F 61 3E 3C 62 72 20 2F 3E 3C 2F 73 70 :
to</a><br./></sp
  0x0120 : 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E :
an></span></span
  0x0130 : 3E 3C 2F 73 70 61 6E 3E 0A 3C 73 70 61 6E 20 63 :
></span>.<span.c
  0x0140 : 6C 61 73 73 3D 27 65 76 65 6E 2D 72 6F 77 27 3E :
lass='even-row'>
  0x0150 : 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 69 74 65 :
<span.class='ite
  0x0160 : 6D 2D 30 30 32 27 3E 3C 73 70 61 6E 20 63 6C 61 :
m-002'><span.cla
  0x0170 : 73 73 3D 27 75 73 65 72 2D 6C 65 76 65 6C 2D 31 :
ss='user-level-1
  0x0180 : 39 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 :
9'><span.class='
  0x0190 : 75 73 65 72 2D 33 36 38 31 38 39 27 3E 3C 61 20 :
user-368189'><a.
  0x01A0 : 68 72 65 66 3D 22 3F 6E 6F 64 65 5F 69 64 3D 33 :
href="?node_id=3
  0x01B0 : 36 38 31 38 39 22 20 74 69 74 6C 65 3D 22 77 66 :
68189".title="wf
  0x01C0 : 73 70 27 73 20 68 6F 6D 65 20 6E 6F 64 65 22 3E :
sp's.home.node">
  0x01D0 : 77 66 73 70 3C 2F 61 3E 3C 62 72 20 2F 3E 3C 2F :
wfsp</a><br./></
  0x01E0 : 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 :
span></span></sp
  0x01F0 : 61 6E 3E 3C 2F 73 70 61 6E 3E 0A 3C 73 70 61 6E :
an></span>.<span
  0x0200 : 20 63 6C 61 73 73 3D 27 6F 64 64 2D 72 6F 77 27 :
.class='odd-row'
  0x0210 : 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 69 74 :
><span.class='it
  0x0220 : 65 6D 2D 30 30 33 27 3E 3C 73 70 61 6E 20 63 6C :
em-003'><span.cl
  0x0230 : 61 73 73 3D 27 75 73 65 72 2D 6C 65 76 65 6C 2D :
ass='user-level-
  0x0240 : 31 37 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D :
17'><span.class=
  0x0250 : 27 75 73 65 72 2D 37 30 39 32 39 27 3E 3C 61 20 :
'user-70929'><a.
  0x0260 : 68 72 65 66 3D 22 3F 6E 6F 64 65 5F 69 64 3D 37 :
href="?node_id=7
  0x0270 : 30 39 32 39 22 20 74 69 74 6C 65 3D 22 61 74 63 :
0929".title="atc
  0x0280 : 72 6F 66 74 27 73 20 68 6F 6D 65 20 6E 6F 64 65 :
roft's.home.node
  0x0290 : 22 3E 61 74 63 72 6F 66 74 3C 2F 61 3E 3C 62 72 :
">atcroft</a><br
  0x02A0 : 20 2F 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E :
./></span></span
  0x02B0 : 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 0A :
></span></span>.
  0x02C0 : 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 65 76 65 :
<span.class='eve
  0x02D0 : 6E 2D 72 6F 77 27 3E 3C 73 70 61 6E 20 63 6C 61 :
n-row'><span.cla
  0x02E0 : 73 73 3D 27 69 74 65 6D 2D 30 30 34 27 3E 3C 73 :
ss='item-004'><s
  0x02F0 : 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 2D :
pan.class='user-
  0x0300 : 6C 65 76 65 6C 2D 31 35 27 3E 3C 73 70 61 6E 20 :
level-15'><span.
  0x0310 : 63 6C 61 73 73 3D 27 75 73 65 72 2D 37 33 34 34 :
class='user-7344
  0x0320 : 31 27 3E 3C 61 20 68 72 65 66 3D 22 3F 6E 6F 64 :
1'><a.href="?nod
  0x0330 : 65 5F 69 64 3D 37 33 34 34 31 22 20 74 69 74 6C :
e_id=73441".titl
  0x0340 : 65 3D 22 68 65 72 76 65 75 73 27 73 20 68 6F 6D :
e="herveus's.hom
  0x0350 : 65 20 6E 6F 64 65 22 3E 68 65 72 76 65 75 73 3C :
e.node">herveus<
  0x0360 : 2F 61 3E 3C 62 72 20 2F 3E 3C 2F 73 70 61 6E 3E :
/a><br./></span>
  0x0370 : 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F :
</span></span></
  0x0380 : 73 70 61 6E 3E 0A 3C 73 70 61 6E 20 63 6C 61 73 :
span>.<span.clas
  0x0390 : 73 3D 27 6F 64 64 2D 72 6F 77 27 3E 3C 73 70 61 :
s='odd-row'><spa
  0x03A0 : 6E 20 63 6C 61 73 73 3D 27 69 74 65 6D 2D 30 30 :
n.class='item-00
  0x03B0 : 35 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 :
5'><span.class='
  0x03C0 : 75 73 65 72 2D 6C 65 76 65 6C 2D 31 34 27 3E 3C :
user-level-14'><
  0x03D0 : 73 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 :
span.class='user
  0x03E0 : 2D 36 39 34 39 31 34 27 3E 3C 61 20 68 72 65 66 :
-694914'><a.href
  0x03F0 : 3D 22 3F 6E 6F 64 65 5F 69 64 3D 36 39 34 39 31 :
="?node_id=69491
  0x0400 : 34 22 20 74 69 74 6C 65 3D 22 64 48 61 72 72 79 :
4".title="dHarry
  0x0410 : 27 73 20 68 6F 6D 65 20 6E 6F 64 65 22 3E 64 48 :
's.home.node">dH
  0x0420 : 61 72 72 79 3C 2F 61 3E 3C 62 72 20 2F 3E 3C 2F :
arry</a><br./></
  0x0430 : 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 :
span></span></sp
  0x0440 : 61 6E 3E 3C 2F 73 70 61 6E 3E 0A 3C 73 70 61 6E :
an></span>.<span
  0x0450 : 20 63 6C 61 73 73 3D 27 65 76 65 6E 2D 72 6F 77 :
.class='even-row
  0x0460 : 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 69 :
'><span.class='i
  0x0470 : 74 65 6D 2D 30 30 36 27 3E 3C 73 70 61 6E 20 63 :
tem-006'><span.c
  0x0480 : 6C 61 73 73 3D 27 75 73 65 72 2D 6C 65 76 65 6C :
lass='user-level
  0x0490 : 2D 31 34 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 :
-14'><span.class
  0x04A0 : 3D 27 75 73 65 72 2D 34 39 35 36 31 37 27 3E 3C :
='user-495617'><
  0x04B0 : 61 20 68 72 65 66 3D 22 3F 6E 6F 64 65 5F 69 64 :
a.href="?node_id
  0x04C0 : 3D 34 39 35 36 31 37 22 20 74 69 74 6C 65 3D 22 :
=495617".title="
  0x04D0 : 50 75 6E 69 74 68 61 27 73 20 68 6F 6D 65 20 6E :
Punitha's.home.n
  0x04E0 : 6F 64 65 22 3E 50 75 6E 69 74 68 61 3C 2F 61 3E :
ode">Punitha</a>
  0x04F0 : 3C 62 72 20 2F 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 :
<br./></span></s
  0x0500 : 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 :
pan></span></spa
  0x0510 : 6E 3E 0A 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 :
n>.<span.class='
  0x0520 : 6F 64 64 2D 72 6F 77 27 3E 3C 73 70 61 6E 20 63 :
odd-row'><span.c
  0x0530 : 6C 61 73 73 3D 27 69 74 65 6D 2D 30 30 37 27 3E :
lass='item-007'>
  0x0540 : 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 :
<span.class='use
  0x0550 : 72 2D 6C 65 76 65 6C 2D 31 34 27 3E 3C 73 70 61 :
r-level-14'><spa
  0x0560 : 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 2D 32 37 :
n.class='user-27
  0x0570 : 32 36 38 32 27 3E 3C 61 20 68 72 65 66 3D 22 3F :
2682'><a.href="?
  0x0580 : 6E 6F 64 65 5F 69 64 3D                         : node_id=
IP:TCP 209.197.123.153:80 -> 10.0.0.2:51950 (ack)
data61912" title="GrandFather's home node. Member of: janitors,
pmdev.">GrandFather</a><br /></span></span></span></span>
<span class='odd-row'><span class='item-001'><span
class='user-level-19'><span class='user-324763'><a
href="?node_id=324763" title="marto's home node">marto</a><br
/></span></span></span></span>
<span class='even-row'><span class='item-002'><span
class='user-level-19'><span class='user-368189'><a
href="?node_id=368189" title="wfsp's home node">wfsp</a><br
/></span></span></span></span>
<span class='odd-row'><span class='item-003'><span
class='user-level-17'><span class='user-70929'><a href="?node_id=70929"
title="atcroft's home node">atcroft</a><br /></span></span></span></span>
<span class='even-row'><span class='item-004'><span
class='user-level-15'><span class='user-73441'><a href="?node_id=73441"
title="herveus's home node">herveus</a><br /></span></span></span></span>
<span class='odd-row'><span class='item-005'><span
class='user-level-14'><span class='user-694914'><a
href="?node_id=694914" title="dHarry's home node">dHarry</a><br
/></span></span></span></span>
<span class='even-row'><span class='item-006'><span
class='user-level-14'><span class='user-495617'><a
href="?node_id=495617" title="Punitha's home node">Punitha</a><br
/></span></span></span></span>
<span class='odd-row'><span class='item-007'><span
class='user-level-14'><span class='user-272682'><a href="?node_id=

This is my TCP output ... the first one was the hex output .... but the
one below was the normal output without hex codes ... TCP works well ...
UDP is causing a problem; here is the UDP output in normal form and hex
output ... the hex output was a bit complex .....


> IP:UDP 10.0.0.2:34214 -> 8.8.8.8:53 ()
>   0x0000 : D0 E6 01 00 00 01 00 00 00 00 00 00 06 67 6F 6F :
> .............goo
>   0x0010 : 67 6C 65 02 63 6F 02 69 6E 00 00 01 00 01       :
> gle.co.in.....
> data&#65533;&#65533;googlecoin
> IP:UDP 8.8.8.8:53 -> 10.0.0.2:34214 ()
>   0x0000 : D0 E6 81 80 00 01 00 01 00 00 00 00 06 67 6F 6F :
> .............goo
>   0x0010 : 67 6C 65 02 63 6F 02 69 6E 00 00 01 00 01 C0 0C :
> gle.co.in.......
>   0x0020 : 00 01 00 01 00 00 01 2C 00 04 D1 55 E7 68       :
> .......,...U.h
> data&#65533;&#24640;googlecoin&#65533;
>                         ,&#65533;U&#65533;h 


This is a UDP DNS query .... How can I decode them? ... Can anyone please
help me?

