pcap -> sniffer

cruxnor · May 19, 2004

Hello,

I'm trying to code a simple sniffer in perl, but the results I get
from pcap aren't those I had expected!
My process sub looks like this:

sub process_pkt {
my($user_data, $hdr, $pkt) = @_;

print "$pkt\n";
}

And the results is something like this:

@ø7À¨K8À¨KÝngóAÍsPúð^3
@ù7À¨K8À¨KÝngóAÍsPúð^3
âmûôuóÚE6ë@ø$À¨K8À¨KÝngóAÍPúÅBÀUSER XXXX

uóQâmûE6ë@ù$À¨K8À¨KÝngóAÍPúÅBÀUSER XXXX

âmûôuóÚE4ë@ø!À¨K8À¨KÝngó¡AÍÄPú¶?PASS XXXX

uóQâmûE4ë@ù!À¨K8À¨KÝngó¡AÍÄPú¶?PASS XXXX

âmûôuóÚE.ë@ø"À¨K8À¨KÝngóAÍòPúq¼XSTAT

uóQâmûE.ë@ù"À¨K8À¨KÝngóAÍòPúq¼XSTAT

âmûôuóÚE.ë!@øÀ¨K8À¨KÝngó³AÎPúc±]LIST

When I sniff the network with ngrep, the result is much more
readable!
The initialization of pcap is the same as in the documentation.

Does anybody has an idea for this problem?
I'm looking for a sniffer like ngrep output-style.

ciau, cruxnor

Anno Siegel · May 21, 2004

cruxnor said:
Hello,

I'm trying to code a simple sniffer in perl, but the results I get
from pcap aren't those I had expected!

Which pcap module are you using? There's Net:

cap and
POE::Component:

cap. There is also Net:

capUtils, but that is
probably part of Net:

cap.

My process sub looks like this:

sub process_pkt {
my($user_data, $hdr, $pkt) = @_;

print "$pkt\n";
}

That routine ignores two arguments and prints the third. How is that
supposed to tell us what you tried?

How is the data in $pkt generated?

And the results is something like this:

@ø7À¨K8À¨KÝngóAÍsPúð^3
@ù7À¨K8À¨KÝngóAÍsPúð^3
âmûôuóÚE6ë@ø$À¨K8À¨KÝngóAÍPúÅBÀUSER XXXX

uóQâmûE6ë@ù$À¨K8À¨KÝngóAÍPúÅBÀUSER XXXX

âmûôuóÚE4ë@ø!À¨K8À¨KÝngó¡AÍÄPú¶?PASS XXXX

uóQâmûE4ë@ù!À¨K8À¨KÝngó¡AÍÄPú¶?PASS XXXX

âmûôuóÚE.ë@ø"À¨K8À¨KÝngóAÍòPúq¼XSTAT

uóQâmûE.ë@ù"À¨K8À¨KÝngóAÍòPúq¼XSTAT

âmûôuóÚE.ë!@øÀ¨K8À¨KÝngó³AÎPúc±]LIST

So $pkt contains some binary data when you print it. How the data
gets there remains your secret.

When I sniff the network with ngrep, the result is much more
readable!
The initialization of pcap is the same as in the documentation.

In *what* documentation? You haven't said what you are using.

Try again.

Anno

Bastian Ballmann · May 25, 2004

Hi!

I'm trying to code a simple sniffer in perl, but the results I get
from pcap aren't those I had expected!

You've to decode the sniffed packets. Try using NetPacket::*
modules.

My process sub looks like this:

sub process_pkt {
my($user_data, $hdr, $pkt) = @_;

print "$pkt\n";
}

Try the following code:
sub process_pkt {
my($user_data, $hdr, $pkt) = @_;
my $ip = NetPacket::IP->decode(eth_strip($pkt));
my $tcp = NetPacket::TCP->decode($ip->{'data'});

print "$ip->{'src_ip'}:$tcp->{'src_port'} --> \
$ip->{'dest_ip'}:$tcp->{'dest_port'}\n";
print "$tcp->{'data'}\n\n";
}

Be away of non-printable characters they could crash your
terminal, maybe convert them to hex using Data::Hexdumper
or similar modules.
If you are interessted in network programming with perl
take a look at my P.A.T.H. Projekt: p-a-t-h.sourceforge.net
Greets

Basti

call to pypcap in separate thread blocks other threads	5	Dec 30, 2009
IP packet count at regular intervals of time.	0	Nov 24, 2003
ruby/pcap with threads	3	Nov 16, 2007
encoding error in python 27	4	Feb 22, 2013
ISO simple debugging sniffer for HTTP	0	Sep 16, 2008
call with async method	6	Nov 17, 2007
Wierd IE Problem - broken images and bizzare text output	12	Jan 2, 2006
Good design question	2	Apr 5, 2011

pcap -> sniffer

cruxnor

Anno Siegel

Bastian Ballmann

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads