Network packet capture and dissecting in Perl 101

José Pedro Oliveira ([email protected])
Portuguese Perl Workshop 2012
September 28th, 2012

Overview
1 Packet capture
  libpcap library overview
  Net::Pcap perl module
2 Packet dissecting
  Protocols hierarchy overview
  NetPacket perl module
Part I: Packet capture

Contents
1 Background
  libpcap library
  libpcap file format
    Global file header
    Record header
  libpcap API
2 Net::Pcap

libpcap library overview
Overview
libpcap is the standard API and capture file format used by many network tools to capture and store network data.

pcap is an application programming interface (API) for capturing network traffic. This API is provided by the libpcap library (http://www.tcpdump.org/) on Unix systems and by the WinPcap library (http://www.winpcap.org/) on Windows systems.

Recommended file name extension: .pcap
Pcap libraries
The libpcap and WinPcap libraries provide the packet-capture and filtering engines of many open source and commercial network tools, including:
  protocol analyzers (aka packet sniffers) (e.g. tcpdump/windump, wireshark/tshark/dumpcap),
  network monitors (e.g. ntop),
  network intrusion detection systems (e.g. snort),
  traffic-generators,
  traffic-replayers (e.g. tcpreplay) and
  network-testers.

Libpcap file format
A libpcap file is composed of a fixed size global header followed by zero or more records.

  Global header | Record 1 | Record 2 | Record 3 | ...

Each record is composed of a fixed size header (packet header) followed by the captured data (packet data).

  Packet header | Packet data
Libpcap file format: global file header

  bits 0-15                         | bits 16-31
  magic number
  major version number              | minor version number
  GMT to local timezone correction
  accuracy of timestamps
  max length of captured packets
  data link type
  (24 bytes)

struct pcap_file_header {
    bpf_u_int32 magic;          /* typically: 0xa1b2c3d4 or 0xd4c3b2a1 */
    u_short     version_major;  /* typically: 2 */
    u_short     version_minor;  /* typically: 4 */
    bpf_int32   thiszone;       /* gmt to local correction */
    bpf_u_int32 sigfigs;        /* accuracy of timestamps */
    bpf_u_int32 snaplen;        /* max length saved portion of each pkt */
    bpf_u_int32 linktype;       /* data link type (LINKTYPE_*) */
};

Libpcap file format: global file header fields
magic - used to detect the libpcap file format and its byte ordering. The expected values are 0xa1b2c3d4 (reader and writer with identical byte order) or 0xd4c3b2a1 (the reader needs to swap the byte order of the remaining struct fields).
version_major, version_minor - the version number of the libpcap file format (the current version is 2.4).
thiszone - the correction time in seconds between GMT (UTC) and the local timezone of the packet header timestamps. In practice, time stamps are always in GMT, so thiszone is always 0.
sigfigs - in theory, the accuracy of time stamps in the capture; in practice, all tools set it to 0.
snaplen - the "snapshot length" for the capture; the default is 65535 bytes but can be overridden by the user.
linktype - data link layer type (see http://www.tcpdump.org/linktypes.html).
Libpcap file format: record (or packet) header

  bits 0-31
  time stamp (seconds)
  time stamp (microseconds)
  number of octets of packet saved
  actual length of packet
  (16 bytes)

struct pcap_pkthdr {
    struct timeval ts;      /* time stamp (tv_sec, tv_usec) */
    bpf_u_int32    caplen;  /* length of portion present */
    bpf_u_int32    len;     /* packet length as seen on the wire */
};

Libpcap file format: packet header fields
ts - packet capture timestamp represented as the number of seconds since January 1, 1970 00:00:00 GMT (tv_sec) and the number of microseconds (tv_usec) as an offset to tv_sec. The tv_usec value should never reach 1 000 000 (1 second).
caplen - the number of bytes of packet data actually captured and saved in the file. This value should never become larger than len or the snaplen value of the global header.
len - the length of the packet as it appeared on the network when it was captured.
If caplen and len differ, the actually saved packet size was limited by snaplen.
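The two headers above map directly onto Perl pack/unpack templates. The following script is an added example (it is not from the slides and not part of libpcap or Net::Pcap): it builds a small pcap image in memory with pack(), then parses it back with unpack(), picking the byte order from the raw magic bytes and enforcing the invariants just listed (tv_usec below one second, caplen no larger than len or snaplen, data actually present). The two frames and their timestamps are constructed; LINKTYPE_ETHERNET is the value 1 from the tcpdump.org link-type list. It runs offline without libpcap or a network interface.

```perl
#!/usr/bin/perl
# Added example (not from the original slides): build a libpcap file image
# with pack(), then parse it back with unpack(), detecting the byte order
# from the magic number and checking each record header. Runs offline with
# no libpcap, Net::Pcap or network interface. All sample data is constructed.
use strict;
use warnings;

use constant PCAP_MAGIC        => 0xa1b2c3d4;  # written in the writer's byte order
use constant LINKTYPE_ETHERNET => 1;           # from tcpdump.org/linktypes.html

# Global header: magic, version_major, version_minor, thiszone, sigfigs,
# snaplen, linktype = 4+2+2+4+4+4+4 = 24 bytes, in native byte order as
# libpcap itself writes it.
sub pcap_global_header {
    my ($snaplen) = @_;
    return pack('L S S l L L L', PCAP_MAGIC, 2, 4, 0, 0, $snaplen, LINKTYPE_ETHERNET);
}

# Record: ts_sec, ts_usec, caplen, len (4 x 32 bit = 16 bytes) followed by
# at most $snaplen bytes of the packet, so caplen < len when it is cut.
sub pcap_record {
    my ($ts_sec, $ts_usec, $data, $snaplen) = @_;
    my $saved = substr($data, 0, $snaplen);
    return pack('L L L L', $ts_sec, $ts_usec, length($saved), length($data)) . $saved;
}

# Parse a complete pcap image held in memory; returns a hashref with the
# global header fields and the records, or dies on a malformed file.
sub parse_pcap {
    my ($buf) = @_;
    die "short global header\n" if length($buf) < 24;

    # The raw magic bytes tell the reader which byte order the writer used.
    my $raw_magic = substr($buf, 0, 4);
    my ($u32, $s32, $u16);
    if ($raw_magic eq "\xa1\xb2\xc3\xd4") {        # big-endian writer
        ($u32, $s32, $u16) = ('N', 'l>', 'n');
    } elsif ($raw_magic eq "\xd4\xc3\xb2\xa1") {   # little-endian writer
        ($u32, $s32, $u16) = ('V', 'l<', 'v');
    } else {
        die 'not a libpcap file (magic ' . unpack('H8', $raw_magic) . ")\n";
    }

    my ($major, $minor, $thiszone, $sigfigs, $snaplen, $linktype) =
        unpack("x4 $u16 $u16 $s32 $u32 $u32 $u32", $buf);
    die "unsupported libpcap file version $major.$minor\n" unless $major == 2;

    my @records;
    my $off = 24;
    while ($off < length($buf)) {
        die "truncated record header at offset $off\n" if length($buf) - $off < 16;
        my ($ts_sec, $ts_usec, $caplen, $len) =
            unpack("$u32 $u32 $u32 $u32", substr($buf, $off, 16));
        $off += 16;
        # Invariants of the format: usec < 1 s, caplen <= len, caplen <= snaplen,
        # and the saved bytes must really be present in the file.
        die "ts_usec $ts_usec >= 1000000\n"          if $ts_usec >= 1_000_000;
        die "caplen $caplen > len $len\n"            if $caplen > $len;
        die "caplen $caplen > snaplen $snaplen\n"    if $caplen > $snaplen;
        die "truncated packet data at offset $off\n" if length($buf) - $off < $caplen;
        push @records, { tv_sec => $ts_sec, tv_usec => $ts_usec, caplen => $caplen,
                         len => $len, data => substr($buf, $off, $caplen) };
        $off += $caplen;
    }
    return { version => "$major.$minor", thiszone => $thiszone, sigfigs => $sigfigs,
             snaplen => $snaplen, linktype => $linktype, records => \@records };
}

# Constructed input: two made-up Ethernet frames, the second longer than the
# snapshot length so that its record shows caplen < len.
my $snaplen = 64;
my $frame1  = ("\xff" x 6) . ("\x02" x 6) . "\x08\x00" . ("\x00" x 46);   # 60 bytes
my $frame2  = ("\xff" x 6) . ("\x02" x 6) . "\x08\x00" . ("\x00" x 100);  # 114 bytes
my $image   = pcap_global_header($snaplen)
            . pcap_record(1348790400, 250000, $frame1, $snaplen)
            . pcap_record(1348790401,    500, $frame2, $snaplen);

my $pcap = parse_pcap($image);
printf "libpcap %s, linktype %d, snaplen %d, %d records\n",
    @$pcap{qw(version linktype snaplen)}, scalar @{ $pcap->{records} };
for my $r (@{ $pcap->{records} }) {
    # Same columns as the Net::Pcap metadata script: ts, len, caplen.
    printf "%012d.%06d %5d %5d%s\n", @$r{qw(tv_sec tv_usec len caplen)},
        ($r->{caplen} < $r->{len} ? '  (cut by snaplen)' : '');
}
```

Writing $image to a file opened with the :raw layer produces a capture that tcpdump -r or wireshark will open. The point of the checks in parse_pcap is that a file from an untrusted source is just bytes: a caplen larger than the remaining file, or larger than snaplen, is exactly the kind of header a hand-crafted capture can carry, and a reader that trusts it will read past the buffer.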
libpcap application programming interface (API)

Pcap - Packet Capture library
The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a file, and reading packets from a file.

libpcap wrappers
  Perl - Net::Pcap
  Python - pcapy, python-libpcap, pypcap, pycap
  Ruby - ruby-pcap
  ... - ...
Net::Pcap perl module

Net::Pcap
  Interface to the pcap library
  CPAN homepage: http://search.cpan.org/dist/Net-Pcap/

Simple examples
  create a { live, offline } capture
  create and apply a filter
  access the packet metadata

Net::Pcap - live capture

#!/usr/bin/perl -w
use strict;
use Net::Pcap;

my ($pcap, $err, $maxpkts, $count) = (undef, '', 10, 0);
my ($dev, $snap, $promisc, $timeout) = ('eth0', 65535, 1, 0);

# called once per captured packet
sub process_packet {
    $count++;
}

$pcap = Net::Pcap::open_live($dev, $snap, $promisc,
                             $timeout, \$err) or die "Can't open '$dev': $err\n";

Net::Pcap::loop($pcap, $maxpkts, \&process_packet, '');

Net::Pcap::close($pcap);

print "Number of packets = $count\n";
Net::Pcap - open_live, loop parameters

open_live / pcap_open_live parameters
  $dev - network interface
  $snaplen - maximum number of bytes to capture
  $promisc - promiscuous mode
  $to_ms - read timeout in milliseconds
  \$err - error message (out)

loop / pcap_loop parameters
  $pcap - packet capture descriptor
  $count - number of packets to capture (if negative loops forever)
  \&callback - perl function to be used as a callback
  $user_data - callback argument

Net::Pcap - offline capture (pcap file)

#!/usr/bin/perl -w
use strict;
use Net::Pcap;

my ($pcap, $err, $maxpkts, $count) = (undef, '', -1, 0);   # -1: read every record
my $file = 'file.pcap';

sub process_packet {
    $count++;
}

$pcap = Net::Pcap::open_offline($file, \$err)
    or die "Can't read '$file': $err\n";

Net::Pcap::loop($pcap, $maxpkts, \&process_packet, '');

Net::Pcap::close($pcap);

print "Number of packets = $count\n";
Net::Pcap - create and apply a capture filter

#!/usr/bin/perl -w
use strict;
use Net::Pcap qw(:functions);

my ($pcap, $err, $maxpkts, $count) = (undef, '', 10, 0);
my ($dev, $snap, $promisc, $timeout) = ('eth0', 65535, 1, 0);
my ($filter, $filter_str) = (undef, 'tcp dst port 80');   # pcap-filter(7) syntax

sub process_packet {
    $count++;
}

$pcap = pcap_open_live($dev, $snap, $promisc,
                       $timeout, \$err) or die "Can't open '$dev': $err\n";
# pcap_compile returns 0 on success, -1 on a syntax error in the filter
pcap_compile($pcap, \$filter, $filter_str, 1, 0)
    and die "error: filter <$filter_str>\n";
pcap_setfilter($pcap, $filter);
pcap_loop($pcap, $maxpkts, \&process_packet, '');
pcap_close($pcap);
Net::Pcap - access the packet metadata

#!/usr/bin/perl -w
use strict;
use Net::Pcap;

my ($pcap, $err, $maxpkts, $count) = (undef, '', -1, 0);
my $file = 'file.pcap';

sub process_packet {
    my ($user_data, $header, $packet) = @_;

    # $header == libpcap record header (tv_sec, tv_usec, caplen, len)

    printf "%012d.%06d %5d %5d\n",
        $header->{tv_sec}, $header->{tv_usec},
        $header->{len}, $header->{caplen};
}

$pcap = Net::Pcap::open_offline($file, \$err)
    or die "Can't read '$file': $err\n";
Net::Pcap::loop($pcap, $maxpkts, \&process_packet, '');
Net::Pcap::close($pcap);
Part II: Packet dissecting

Contents
3 Background
  Protocols hierarchy overview
  Protocols headers of the IP stack
4 NetPacket perl module

Background
  understand the protocol hierarchy
  know the protocols used (read the protocol specification if available)
  know how to use the pack/unpack perl functions
Ethernet Frames

802.3 Ethernet frame structure (field sizes in bytes)
  Interframe gap (12) | Preamble (8) | Frame
  Frame: Dest. Address (6) | Src. Address (6) | Type (2) | Frame Data (46-1500) | FCS (4)
    64 byte minimum frame size
    1518 byte maximum frame size
  Frame with 802.1q VLAN Tag: Dest. Address (6) | Src. Address (6) | VLAN Tag (4) | Type (2) | Frame Data (46-1500) | FCS (4)
    1522 byte maximum frame size with 802.1q VLAN Tag

Protocol hierarchy

Ethernet - IPv4 - UDP (field sizes in bytes)
  Ethernet frame:  Dest Addr (6) | Src Addr (6) | Type (2) | Frame Data (46-1500) | FCS (4)
  Frame Data:      IPv4 Hdr (20) | IP Data (26-1480)
  IP Data:         UDP Hdr (8) | UDP Data (18-1472)
IPv4 Header - 20 bytes

  bits:   0-3 | 4-7 | 8-15        | 16-23 | 24-31
  word 0: Ver | IHL | Diff. Serv. | Total Length
  word 1: Identifier              | Flags | Fragment Offset
  word 2: TTL | Protocol          | Header Checksum
  word 3: Source Address
  word 4: Destination Address
  (20 bytes)

IPv6 Header - 40 bytes

  bits:      0-3 | 4-7 | 8-15          | 16-23       | 24-31
  word 0:    Ver | Traffic Class       | Flow Label
  word 1:    Payload Length            | Next Header | Hop Limit
  words 2-5: Source Address (128 bits)
  words 6-9: Destination Address (128 bits)
  (40 bytes)
TCP Header - 20+ bytes

  bits:    0-3    | 4-7      | 8-15  | 16-23 | 24-31
  word 0:  Source Port               | Destination Port
  word 1:  Sequence Number
  word 2:  Acknowledgment Number
  word 3:  Offset | Reserved | Flags | Window
  word 4:  Checksum                  | Urgent Pointer
  word 5+: Options (Optional)
  (20 bytes without options)

UDP Header - 8 bytes

  bits:   0-15        | 16-31
  word 0: Source Port | Destination Port
  word 1: Length      | Checksum
  (8 bytes)
NetPacket perl module

NetPacket
  Base class for assembling/disassembling network protocols

Available NetPacket subclasses
  NetPacket::ARP - ARP (Address Resolution Protocol) packets
  NetPacket::Ethernet - Ethernet packets
  NetPacket::ICMP - ICMP (Internet Control Message Protocol) packets
  NetPacket::IGMP - IGMP (Internet Group Management Protocol) packets
  NetPacket::IP - IP (Internet Protocol) packets
  NetPacket::TCP - TCP (Transmission Control Protocol) packets
  NetPacket::UDP - UDP (User Datagram Protocol) packets
Packet decoding with NetPacket (1/2)

...
use NetPacket::Ethernet qw(:types);
...
sub process_packet {
    my ($user_data, $header, $packet) = @_;
    # $packet == libpcap record data
    my $eth = NetPacket::Ethernet->decode($packet);
    #
    # Ethernet object data fields:
    #     dest_mac, src_mac, type, data
    #
    # EtherType: http://www.iana.org/assignments/ethernet-numbers
    #     ...
    #     2048  0800  513  1001  Internet IP (IPv4)  [IANA]
    #     ...
    if ($eth->{type} == ETH_TYPE_IP) { ... }
}
...
Packet decoding with NetPacket (2/2)

...
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::ICMP;
use NetPacket::TCP;
use NetPacket::UDP;
...
sub process_packet {
    my ($user_data, $header, $packet) = @_;
    my $eth = NetPacket::Ethernet->decode($packet);
    if ($eth->{type} == ETH_TYPE_IP) {
        my $ip = NetPacket::IP->decode($eth->{data});
        if ($ip->{proto} == IP_PROTO_ICMP) {
            my $icmp = NetPacket::ICMP->decode($ip->{data});
        } elsif ($ip->{proto} == IP_PROTO_TCP) {
            my $tcp = NetPacket::TCP->decode($ip->{data});
        } elsif ($ip->{proto} == IP_PROTO_UDP) {
            my $udp = NetPacket::UDP->decode($ip->{data});
        }
        ...
    }
}
Extending NetPacket

There isn't a NetPacket package for my protocol. What do I do?
  read the protocol specification
  create a NetPacket subclass
  implement the encode and decode methods (with the pack and unpack perl functions)

Part III: References
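The header layouts from Part II and the decode/encode recipe above come together in the following script, an added example that is neither from the slides nor from the NetPacket distribution. It dissects Ethernet (with an optional 802.1Q tag), IPv4 and UDP with pack/unpack templates only, in the same decode()/encode() shape and with the same field names (dest_mac, src_ip, proto, data, ...) as the NetPacket subclasses, so the packages run without NetPacket installed; the My::* package names are hypothetical. Each decoder refuses a truncated header, an IHL below 5, a total length that exceeds the captured bytes or a bad IPv4 header checksum, which is what a dissector needs before it is pointed at a capture it did not make itself. The sample frame is constructed in the script.

```perl
#!/usr/bin/perl
# Added example (not from the original slides and not NetPacket's own code):
# an Ethernet / IPv4 / UDP dissector in the decode()/encode() shape of a
# NetPacket subclass, written with pack and unpack only, so it runs without
# Net::Pcap or NetPacket installed. The My::* package names are hypothetical
# and the sample frame below is constructed.
use strict;
use warnings;

package My::Ethernet;
use constant ETH_TYPE_IP   => 0x0800;
use constant ETH_TYPE_VLAN => 0x8100;   # 802.1Q tag: 4 extra bytes before the type

# Frame as libpcap delivers it: dest(6) src(6) [VLAN tag(4)] type(2) data.
# The FCS is stripped by the NIC, so it is not part of the captured bytes.
sub decode {
    my ($class, $pkt) = @_;
    die "Ethernet: frame shorter than 14 bytes\n" if length($pkt) < 14;
    my ($dst, $src, $type, $rest) = unpack('H12 H12 n a*', $pkt);
    my $vlan;
    if ($type == ETH_TYPE_VLAN) {
        die "Ethernet: truncated 802.1Q tag\n" if length($rest) < 4;
        (my $tci, $type, $rest) = unpack('n n a*', $rest);
        $vlan = $tci & 0x0fff;              # VLAN id: low 12 bits of the TCI
    }
    return bless { dest_mac => $dst, src_mac => $src, type => $type,
                   vlan => $vlan, data => $rest }, $class;
}

package My::IP;
use constant IP_PROTO_UDP => 17;

# Internet checksum (ones'-complement sum of 16-bit words); 0 for a valid header.
sub checksum {
    my ($bytes) = @_;
    $bytes .= "\0" if length($bytes) % 2;
    my $sum = 0;
    $sum += $_ for unpack('n*', $bytes);
    $sum = ($sum >> 16) + ($sum & 0xffff) while $sum >> 16;
    return ~$sum & 0xffff;
}

sub decode {
    my ($class, $pkt) = @_;
    die "IP: header shorter than 20 bytes\n" if length($pkt) < 20;
    my ($vihl, $tos, $tlen, $id, $ffo, $ttl, $proto, $cksum, $src, $dst) =
        unpack('C C n n n C C n a4 a4', $pkt);
    my ($ver, $ihl) = ($vihl >> 4, $vihl & 0x0f);
    die "IP: version $ver, not 4\n" unless $ver == 4;
    die "IP: IHL $ihl < 5\n"        if $ihl < 5;
    my $hlen = $ihl * 4;
    die "IP: header ($hlen bytes) longer than packet\n"   if length($pkt) < $hlen;
    die "IP: total length $tlen exceeds captured bytes\n" if $tlen > length($pkt);
    die "IP: total length $tlen shorter than header\n"    if $tlen < $hlen;
    die "IP: bad header checksum\n" unless checksum(substr($pkt, 0, $hlen)) == 0;
    return bless {
        ver => $ver, hlen => $hlen, tos => $tos, len => $tlen, id => $id,
        flags => $ffo >> 13, foffset => $ffo & 0x1fff, ttl => $ttl, proto => $proto,
        src_ip => join('.', unpack('C4', $src)), dest_ip => join('.', unpack('C4', $dst)),
        data => substr($pkt, $hlen, $tlen - $hlen),   # Ethernet padding excluded
    }, $class;
}

package My::UDP;

sub decode {
    my ($class, $pkt) = @_;
    die "UDP: header shorter than 8 bytes\n" if length($pkt) < 8;
    my ($sport, $dport, $len, $cksum, $data) = unpack('n n n n a*', $pkt);
    die "UDP: length field $len < 8\n"               if $len < 8;
    die "UDP: length $len exceeds available bytes\n" if $len > length($pkt);
    return bless { src_port => $sport, dest_port => $dport, len => $len,
                   cksum => $cksum, data => substr($data, 0, $len - 8) }, $class;
}

# The inverse; a checksum of 0 means "not computed", which UDP over IPv4 permits.
sub encode {
    my ($self) = @_;
    return pack('n n n n a*', $self->{src_port}, $self->{dest_port},
                8 + length($self->{data}), 0, $self->{data});
}

package main;

# Constructed sample: Ethernet -> IPv4 -> UDP carrying "hello", padded to the
# 46-byte minimum frame data size as a real NIC would.
sub build_sample_frame {
    my $udp = bless({ src_port => 53, dest_port => 40000, data => 'hello' }, 'My::UDP')->encode;
    my $ip  = pack('C C n n n C C n a4 a4', 0x45, 0, 20 + length($udp), 0x1234, 0x4000, 64,
                   My::IP::IP_PROTO_UDP(), 0, pack('C4', 192, 0, 2, 1), pack('C4', 192, 0, 2, 2));
    substr($ip, 10, 2) = pack('n', My::IP::checksum($ip));   # fill in the header checksum
    my $payload = $ip . $udp;
    $payload .= "\0" x (46 - length($payload)) if length($payload) < 46;
    return pack('H12 H12 n', '001122334455', '66778899aabb', My::Ethernet::ETH_TYPE_IP()) . $payload;
}

sub dissect {
    my ($frame) = @_;
    my $eth = My::Ethernet->decode($frame);
    return sprintf('non-IP frame (type 0x%04x)', $eth->{type})
        unless $eth->{type} == My::Ethernet::ETH_TYPE_IP();
    my $ip = My::IP->decode($eth->{data});
    return "IP proto $ip->{proto} $ip->{src_ip} -> $ip->{dest_ip}"
        unless $ip->{proto} == My::IP::IP_PROTO_UDP();
    my $udp = My::UDP->decode($ip->{data});
    return sprintf('%s:%d -> %s:%d UDP %d bytes: %s', $ip->{src_ip}, $udp->{src_port},
                   $ip->{dest_ip}, $udp->{dest_port}, length($udp->{data}), $udp->{data});
}

my $frame = build_sample_frame();
print dissect($frame), "\n";
# A frame cut short (caplen < len in a capture) fails loudly instead of
# yielding garbage fields.
eval { dissect(substr($frame, 0, 30)) };
print "truncated frame: $@" if $@;
```

To turn one of these packages into a real NetPacket subclass, add `use parent 'NetPacket';` and keep the same hashref layout; the length and checksum checks are the part worth carrying over, because a capture's caplen is the only thing that bounds the bytes a decoder is handed.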
References
  Libpcap library: http://www.tcpdump.org/
  PCAP: http://en.wikipedia.org/wiki/Pcap
        http://wiki.wireshark.org/Development/LibpcapFileFormat
  Packet filter syntax: man 7 pcap-filter
  Net::Pcap perl module: http://search.cpan.org/dist/Net-Pcap/
  NetPacket perl module: http://search.cpan.org/dist/NetPacket/