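> I have used libpcap to capture data using the Net::Pcap module ... and now ... I have been stuck with decoding... here is the code that I have used: http://cpansearch.perl.org/src/SAPER/Net-Pcap-0.16/eg/pcapdump

#!/usr/bin/perl
use strict;
use warnings;
use Data::Hexdumper;
use File::Basename;
use Getopt::Long qw(:config no_auto_abbrev);
use Net::Pcap qw(:functions);
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::ICMP;    # both were called below but never loaded, so the
use NetPacket::TCP;
use NetPacket::UDP;     # first ICMP/UDP packet died with "Can't locate object method"
use Pod::Usage;
use Socket qw(inet_ntoa);

$::PROGRAM = basename($0);
$::VERSION = "0.01";

# globals
my $dumper = undef;     # pcap dump handle, set only when --writeto is given

# Human-readable names for ICMP message types.  Not used by the dump loop
# at the moment.  Note that the fat comma quotes the keys, so they are the
# literal strings "ICMP_ECHO" etc., not the numeric NetPacket::ICMP
# constants; a numeric lookup would need ICMP_ECHO() => ... instead.
my %icmp = (
    ICMP_ECHO          => "echo",
    ICMP_ECHOREPLY     => "echo-reply",
    ICMP_IREQ          => "ireq",
    ICMP_IREQREPLY     => "ireq-reply",
    ICMP_MASREQ        => "mask",
    ICMP_MASKREPLY     => "mask-reply",
    ICMP_PARAMPROB     => "param-prob",
    ICMP_REDIRECT      => "redirect",
    ICMP_ROUTERADVERT  => "router-advert",
    ICMP_ROUTERSOLICIT => "router-solicit",
    ICMP_SOURCEQUENCH  => "source-quench",
    ICMP_TIMXCEED      => "time-exceeded",
    ICMP_TSTAMP        => "timestamp",
    ICMP_TSTAMPREPLY   => "timestamp-reply",
    ICMP_UNREACH       => "unreachable",
);

MAIN: {
    run();
}

# Parse the command line, open the capture device, install the optional
# BPF filter and dump file, and run the capture loop.  Dies when the
# device cannot be opened (capturing normally needs elevated privileges)
# or when the filter expression does not compile.
sub run {
    $|++;

    # get options
    my %options = (
        count   => 10,
        promisc => 0,
        snaplen => 256,
        timeout => 10,
    );

    GetOptions(\%options, qw{
        help|h!  version|V!
        count|c=i  interface|i=s  promisc|p!  snaplen|s=i  writeto|w=s
    }) or pod2usage();

    pod2usage({ -verbose => 2, -exitval => 0 }) if $options{help};

    if ($options{version}) {
        # --version is informational only; don't go on to capture
        print "$::PROGRAM v$::VERSION\n";
        exit 0;
    }

    my ($err, $net, $mask, $filter);
    my $dev = $options{interface} || pcap_lookupdev(\$err);
    die "fatal: can't find a default network device: $err\n"
        unless defined $dev;
    my $filter_str = join " ", @ARGV;

    # open the interface
    my $pcap = pcap_open_live($dev, @options{qw(snaplen promisc timeout)}, \$err)
        or die "fatal: can't open network device $dev: $err ",
               "(do you have the privileges?)\n";

    # look up the network and netmask of the interface before compiling
    # the filter: libpcap needs the netmask to match broadcast addresses,
    # and the values are printed below.  Failure is not fatal.
    my $have_net = pcap_lookupnet($dev, \$net, \$mask, \$err) == 0;

    if ($filter_str) {
        # compile the filter (a BPF expression, never passed to a shell)
        pcap_compile($pcap, \$filter, $filter_str, 1, $have_net ? $mask : 0) == 0
            or die "fatal: filter error\n";
        pcap_setfilter($pcap, $filter);
    }

    if ($options{writeto}) {
        $dumper = pcap_dump_open($pcap, $options{writeto})
            or die "fatal: can't write to file '$options{writeto}': $!\n";
    }

    # print some information about the interface we're currently using
    print "listening on $dev (",
          ($have_net ? dotquad($net) . "/" . dotquad($mask) : "unknown network"),
          "), capture size $options{snaplen} bytes";
    print ", filtering on $filter_str" if $filter_str;
    print $/;

    # enter the main loop
    pcap_loop($pcap, $options{count}, \&process_packet, '');

    # close the dump file before the capture handle so buffered packets
    # are flushed; the original never closed it
    pcap_dump_close($dumper) if $dumper;
    pcap_close($pcap);
}

# pcap_loop() callback.  Prints the capture header of every frame, writes
# the frame to the dump file when one was requested, and for IPv4 over
# Ethernet prints a one-line transport summary followed by a hex dump of
# the transport payload.  Non-IPv4 frames get the header line only.
sub process_packet {
    my ($user_data, $header, $packet) = @_;
    my ($proto, $payload, $src_ip, $src_port, $dest_ip, $dest_port, $flags);

    printf "packet: len=%s, caplen=%s, tv_sec=%s, tv_usec=%s\n",
        map { $header->{$_} } qw(len caplen tv_sec tv_usec);

    # dump the packet if asked to do so
    pcap_dump($dumper, $header, $packet) if $dumper;

    # decode the Ethernet frame
    my $ethframe = NetPacket::Ethernet->decode($packet);

    if ($ethframe->{type} == ETH_TYPE_IP) {
        # decode the IP payload
        my $ipframe = NetPacket::IP->decode($ethframe->{data});
        $src_ip  = $ipframe->{src_ip};
        $dest_ip = $ipframe->{dest_ip};

        if ($ipframe->{proto} == IP_PROTO_ICMP) {
            my $icmpframe = NetPacket::ICMP->decode($ipframe->{data});
            $proto   = "ICMP";
            $payload = $icmpframe->{data};
        }
        elsif ($ipframe->{proto} == IP_PROTO_TCP) {
            my $tcpframe = NetPacket::TCP->decode($ipframe->{data});
            $proto     = "TCP";
            $src_port  = $tcpframe->{src_port};
            $dest_port = $tcpframe->{dest_port};
            $payload   = $tcpframe->{data};
            $flags     = flags_of($tcpframe->{flags});
        }
        elsif ($ipframe->{proto} == IP_PROTO_UDP) {
            my $udpframe = NetPacket::UDP->decode($ipframe->{data});
            $proto     = "UDP";     # the original labelled UDP packets "TCP"
            $src_port  = $udpframe->{src_port};
            $dest_port = $udpframe->{dest_port};
            $payload   = $udpframe->{data};
        }
        else {
            # other transport protocols: report the number, no payload
            $proto = "proto $ipframe->{proto}";
        }

        # ICMP (and unknown protocols) have no ports: print them only
        # when the transport header provided them
        my $src  = defined $src_port  ? "$src_ip:$src_port"   : $src_ip;
        my $dest = defined $dest_port ? "$dest_ip:$dest_port" : $dest_ip;
        printf "IP:%s %s -> %s (%s)\n",
            $proto, $src, $dest, (defined $flags ? $flags : "");

        # $payload is the raw application data (for UDP port 53 that is a
        # DNS message; Net::DNS::Packet can parse it, it is not used here).
        # hexdump() renders non-printable bytes as '.', so wire data never
        # reaches the terminal unescaped.
        print hexdump(data => $payload, start_position => 0)
            if defined $payload && length $payload;
        print $/;
    }
}

# Return the names of the TCP flags set in $flags, comma-separated, in the
# order urg,ack,psh,fin,syn,rst,ece,cwr; the empty string when none is set.
sub flags_of {
    my ($flags) = @_;
    my @names;
    push @names, "urg" if $flags & URG;
    push @names, "ack" if $flags & ACK;
    push @names, "psh" if $flags & PSH;
    push @names, "fin" if $flags & FIN;
    push @names, "syn" if $flags & SYN;
    push @names, "rst" if $flags & RST;
    push @names, "ece" if $flags & ECE;
    push @names, "cwr" if $flags & CWR;
    return join ",", @names;
}

# Convert a 32-bit address as returned by pcap_lookupnet() to dotted-quad.
sub dotquad { return inet_ntoa( pack("I", $_[0]) ) }

__END__

=head1 NAME

pcapdump - Dump packets from the network

=head1 SYNOPSIS

    pcapdump [-c count] [-i interface] [-s snaplen] [-w file] [expression]
    pcapdump --help
    pcapdump --version

=head1 OPTIONS

=over

=item B<-c>, B<--count> I<N>

Exit after receiving I<N> packets.

=item B<-i>, B<--interface> I<device>

Listen on the specified interface. If unspecified, the program will use
the interface returned by C<pcap_lookupdev()>.

=item B<-p>, B<--promisc>

Put the interface in promiscuous mode.

=item B<-s>, B<--snaplen> I<L>

Capture I<L> bytes of data for each packet. Defaults to 256.

=item B<-w>, B<--writeto> I<file>

Also write the captured packets to I<file> in pcap format.

=back

=head1 DESCRIPTION

B<pcapdump> mimics the very basic features of B<tcpdump(1)> and provides
a good example of how to use C<Net::Pcap>.

=head1 AUTHOR

SE<eacute>bastien Aperghis-Tramoni, E<lt>sebast...@aperghis.netE<gt>

=head1 COPYRIGHT

Copyright (C) 2005, 2006, 2007, 2008 SE<eacute>bastien Aperghis-Tramoni.
All rights reserved.

This program is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.

=cut

> [download] <http://www.perlmonks.org/?abspart=1;displaytype=displaycode;node_id=838339;part=1>
> I have modified this one to filter some posts, but now I ran into a decoding problem ... the decode module I got decodes in this format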
0x0000 : 36 31 39 31 32 22 20 74 69 74 6C 65 3D 22 47 72 : 61912".title="Gr 0x0010 : 61 6E 64 46 61 74 68 65 72 27 73 20 68 6F 6D 65 : andFather's.home 0x0020 : 20 6E 6F 64 65 2E 20 4D 65 6D 62 65 72 20 6F 66 : .node..Member.of 0x0030 : 3A 20 6A 61 6E 69 74 6F 72 73 2C 20 70 6D 64 65 : :.janitors,.pmde 0x0040 : 76 2E 22 3E 47 72 61 6E 64 46 61 74 68 65 72 3C : v.">GrandFather< 0x0050 : 2F 61 3E 3C 62 72 20 2F 3E 3C 2F 73 70 61 6E 3E : /a><br./></span> 0x0060 : 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F : </span></span></ 0x0070 : 73 70 61 6E 3E 0A 3C 73 70 61 6E 20 63 6C 61 73 : span>.<span.clas 0x0080 : 73 3D 27 6F 64 64 2D 72 6F 77 27 3E 3C 73 70 61 : s='odd-row'><spa 0x0090 : 6E 20 63 6C 61 73 73 3D 27 69 74 65 6D 2D 30 30 : n.class='item-00 0x00A0 : 31 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 : 1'><span.class=' 0x00B0 : 75 73 65 72 2D 6C 65 76 65 6C 2D 31 39 27 3E 3C : user-level-19'>< 0x00C0 : 73 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 : span.class='user 0x00D0 : 2D 33 32 34 37 36 33 27 3E 3C 61 20 68 72 65 66 : -324763'><a.href 0x00E0 : 3D 22 3F 6E 6F 64 65 5F 69 64 3D 33 32 34 37 36 : ="?node_id=32476 0x00F0 : 33 22 20 74 69 74 6C 65 3D 22 6D 61 72 74 6F 27 : 3".title="marto' 0x0100 : 73 20 68 6F 6D 65 20 6E 6F 64 65 22 3E 6D 61 72 : s.home.node">mar 0x0110 : 74 6F 3C 2F 61 3E 3C 62 72 20 2F 3E 3C 2F 73 70 : to</a><br./></sp 0x0120 : 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E : an></span></span 0x0130 : 3E 3C 2F 73 70 61 6E 3E 0A 3C 73 70 61 6E 20 63 : ></span>.<span.c 0x0140 : 6C 61 73 73 3D 27 65 76 65 6E 2D 72 6F 77 27 3E : lass='even-row'> 0x0150 : 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 69 74 65 : <span.class='ite 0x0160 : 6D 2D 30 30 32 27 3E 3C 73 70 61 6E 20 63 6C 61 : m-002'><span.cla 0x0170 : 73 73 3D 27 75 73 65 72 2D 6C 65 76 65 6C 2D 31 : ss='user-level-1 0x0180 : 39 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 : 9'><span.class=' 0x0190 : 75 73 65 72 2D 33 36 38 31 38 39 27 3E 3C 61 20 : user-368189'><a. 
0x01A0 : 68 72 65 66 3D 22 3F 6E 6F 64 65 5F 69 64 3D 33 : href="?node_id=3 0x01B0 : 36 38 31 38 39 22 20 74 69 74 6C 65 3D 22 77 66 : 68189".title="wf 0x01C0 : 73 70 27 73 20 68 6F 6D 65 20 6E 6F 64 65 22 3E : sp's.home.node"> 0x01D0 : 77 66 73 70 3C 2F 61 3E 3C 62 72 20 2F 3E 3C 2F : wfsp</a><br./></ 0x01E0 : 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 : span></span></sp 0x01F0 : 61 6E 3E 3C 2F 73 70 61 6E 3E 0A 3C 73 70 61 6E : an></span>.<span 0x0200 : 20 63 6C 61 73 73 3D 27 6F 64 64 2D 72 6F 77 27 : .class='odd-row' 0x0210 : 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 69 74 : ><span.class='it 0x0220 : 65 6D 2D 30 30 33 27 3E 3C 73 70 61 6E 20 63 6C : em-003'><span.cl 0x0230 : 61 73 73 3D 27 75 73 65 72 2D 6C 65 76 65 6C 2D : ass='user-level- 0x0240 : 31 37 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D : 17'><span.class= 0x0250 : 27 75 73 65 72 2D 37 30 39 32 39 27 3E 3C 61 20 : 'user-70929'><a. 0x0260 : 68 72 65 66 3D 22 3F 6E 6F 64 65 5F 69 64 3D 37 : href="?node_id=7 0x0270 : 30 39 32 39 22 20 74 69 74 6C 65 3D 22 61 74 63 : 0929".title="atc 0x0280 : 72 6F 66 74 27 73 20 68 6F 6D 65 20 6E 6F 64 65 : roft's.home.node 0x0290 : 22 3E 61 74 63 72 6F 66 74 3C 2F 61 3E 3C 62 72 : ">atcroft</a><br 0x02A0 : 20 2F 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E : ./></span></span 0x02B0 : 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 0A : ></span></span>. 0x02C0 : 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 65 76 65 : <span.class='eve 0x02D0 : 6E 2D 72 6F 77 27 3E 3C 73 70 61 6E 20 63 6C 61 : n-row'><span.cla 0x02E0 : 73 73 3D 27 69 74 65 6D 2D 30 30 34 27 3E 3C 73 : ss='item-004'><s 0x02F0 : 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 2D : pan.class='user- 0x0300 : 6C 65 76 65 6C 2D 31 35 27 3E 3C 73 70 61 6E 20 : level-15'><span. 
0x0310 : 63 6C 61 73 73 3D 27 75 73 65 72 2D 37 33 34 34 : class='user-7344 0x0320 : 31 27 3E 3C 61 20 68 72 65 66 3D 22 3F 6E 6F 64 : 1'><a.href="?nod 0x0330 : 65 5F 69 64 3D 37 33 34 34 31 22 20 74 69 74 6C : e_id=73441".titl 0x0340 : 65 3D 22 68 65 72 76 65 75 73 27 73 20 68 6F 6D : e="herveus's.hom 0x0350 : 65 20 6E 6F 64 65 22 3E 68 65 72 76 65 75 73 3C : e.node">herveus< 0x0360 : 2F 61 3E 3C 62 72 20 2F 3E 3C 2F 73 70 61 6E 3E : /a><br./></span> 0x0370 : 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F : </span></span></ 0x0380 : 73 70 61 6E 3E 0A 3C 73 70 61 6E 20 63 6C 61 73 : span>.<span.clas 0x0390 : 73 3D 27 6F 64 64 2D 72 6F 77 27 3E 3C 73 70 61 : s='odd-row'><spa 0x03A0 : 6E 20 63 6C 61 73 73 3D 27 69 74 65 6D 2D 30 30 : n.class='item-00 0x03B0 : 35 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 : 5'><span.class=' 0x03C0 : 75 73 65 72 2D 6C 65 76 65 6C 2D 31 34 27 3E 3C : user-level-14'>< 0x03D0 : 73 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 : span.class='user 0x03E0 : 2D 36 39 34 39 31 34 27 3E 3C 61 20 68 72 65 66 : -694914'><a.href 0x03F0 : 3D 22 3F 6E 6F 64 65 5F 69 64 3D 36 39 34 39 31 : ="?node_id=69491 0x0400 : 34 22 20 74 69 74 6C 65 3D 22 64 48 61 72 72 79 : 4".title="dHarry 0x0410 : 27 73 20 68 6F 6D 65 20 6E 6F 64 65 22 3E 64 48 : 's.home.node">dH 0x0420 : 61 72 72 79 3C 2F 61 3E 3C 62 72 20 2F 3E 3C 2F : arry</a><br./></ 0x0430 : 73 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 : span></span></sp 0x0440 : 61 6E 3E 3C 2F 73 70 61 6E 3E 0A 3C 73 70 61 6E : an></span>.<span 0x0450 : 20 63 6C 61 73 73 3D 27 65 76 65 6E 2D 72 6F 77 : .class='even-row 0x0460 : 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 69 : '><span.class='i 0x0470 : 74 65 6D 2D 30 30 36 27 3E 3C 73 70 61 6E 20 63 : tem-006'><span.c 0x0480 : 6C 61 73 73 3D 27 75 73 65 72 2D 6C 65 76 65 6C : lass='user-level 0x0490 : 2D 31 34 27 3E 3C 73 70 61 6E 20 63 6C 61 73 73 : -14'><span.class 0x04A0 : 3D 27 75 73 65 72 2D 34 39 35 36 31 37 27 3E 3C : ='user-495617'>< 0x04B0 : 61 20 68 72 65 
66 3D 22 3F 6E 6F 64 65 5F 69 64 : a.href="?node_id 0x04C0 : 3D 34 39 35 36 31 37 22 20 74 69 74 6C 65 3D 22 : =495617".title=" 0x04D0 : 50 75 6E 69 74 68 61 27 73 20 68 6F 6D 65 20 6E : Punitha's.home.n 0x04E0 : 6F 64 65 22 3E 50 75 6E 69 74 68 61 3C 2F 61 3E : ode">Punitha</a> 0x04F0 : 3C 62 72 20 2F 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 : <br./></span></s 0x0500 : 70 61 6E 3E 3C 2F 73 70 61 6E 3E 3C 2F 73 70 61 : pan></span></spa 0x0510 : 6E 3E 0A 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 : n>.<span.class=' 0x0520 : 6F 64 64 2D 72 6F 77 27 3E 3C 73 70 61 6E 20 63 : odd-row'><span.c 0x0530 : 6C 61 73 73 3D 27 69 74 65 6D 2D 30 30 37 27 3E : lass='item-007'> 0x0540 : 3C 73 70 61 6E 20 63 6C 61 73 73 3D 27 75 73 65 : <span.class='use 0x0550 : 72 2D 6C 65 76 65 6C 2D 31 34 27 3E 3C 73 70 61 : r-level-14'><spa 0x0560 : 6E 20 63 6C 61 73 73 3D 27 75 73 65 72 2D 32 37 : n.class='user-27 0x0570 : 32 36 38 32 27 3E 3C 61 20 68 72 65 66 3D 22 3F : 2682'><a.href="? 0x0580 : 6E 6F 64 65 5F 69 64 3D : node_id= IP:TCP 209.197.123.153:80 -> 10.0.0.2:51950 (ack) data61912" title="GrandFather's home node. 
Member of: janitors, pmdev.">GrandFather</a><br /></span></span></span></span> <span class='odd-row'><span class='item-001'><span class='user-level-19'><span class='user-324763'><a href="?node_id=324763" title="marto's home node">marto</a><br /></span></span></span></span> <span class='even-row'><span class='item-002'><span class='user-level-19'><span class='user-368189'><a href="?node_id=368189" title="wfsp's home node">wfsp</a><br /></span></span></span></span> <span class='odd-row'><span class='item-003'><span class='user-level-17'><span class='user-70929'><a href="?node_id=70929" title="atcroft's home node">atcroft</a><br /></span></span></span></span> <span class='even-row'><span class='item-004'><span class='user-level-15'><span class='user-73441'><a href="?node_id=73441" title="herveus's home node">herveus</a><br /></span></span></span></span> <span class='odd-row'><span class='item-005'><span class='user-level-14'><span class='user-694914'><a href="?node_id=694914" title="dHarry's home node">dHarry</a><br /></span></span></span></span> <span class='even-row'><span class='item-006'><span class='user-level-14'><span class='user-495617'><a href="?node_id=495617" title="Punitha's home node">Punitha</a><br /></span></span></span></span> <span class='odd-row'><span class='item-007'><span class='user-level-14'><span class='user-272682'><a href="?node_id= This is my TCP output ... The first one was the hex output .... but the one below was the normal output without hex code ... TCP works fine ... UDP is making problems; here is the UDP output in normal form and hex output ... The hex output was a bit complex ..... > IP:UDP 10.0.0.2:34214 -> 8.8.8.8:53 () > 0x0000 : D0 E6 01 00 00 01 00 00 00 00 00 00 06 67 6F 6F : > .............goo > 0x0010 : 67 6C 65 02 63 6F 02 69 6E 00 00 01 00 01 : > gle.co.in..... 
> data��googlecoin > IP:UDP 8.8.8.8:53 -> 10.0.0.2:34214 () > 0x0000 : D0 E6 81 80 00 01 00 01 00 00 00 00 06 67 6F 6F : > .............goo > 0x0010 : 67 6C 65 02 63 6F 02 69 6E 00 00 01 00 01 C0 0C : > gle.co.in....... > 0x0020 : 00 01 00 01 00 00 01 2C 00 04 D1 55 E7 68 : > .......,...U.h > data�恀googlecoin� > ,�U�h This is a UDP DNS query and its response .... How can I decode them ... Can anyone please help me?