
SANS ISC: Sniffers in Perl?!? SANS ISC InfoSec Forums

Sniffers in Perl?!?
Maybe this will be interesting to the coders out there or possibly inspire someone to solve a problem in a different way...  Download it here: http://handlers.sans.org/khaugsness/tail-pcap.pl

A while back I needed to do some sniffing for very specific packets in Perl. And I needed to wrap some logic around the packet processing. Doing regex matching and normal byte filtering in tcpdump wasn't going to be sufficient. So I wrote a quick little script using a Perl module to interface with the libpcap library. Everything was straightforward and well documented until I needed to tail an existing pcap file. Google failed me. So through a little trial-and-error I figured out how to solve the problem. Here is an example script on how to do this.

Lessons learned: it isn't hard to write your own customized sniffer.  Perl and Python have well-documented high-level interfaces that do most of the hard work for you.

Kyle
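
The tailing problem described in the post, as an added example in Python (it is not the author's tail-pcap.pl, which is not reproduced on this page). It assumes the classic pcap file format and parses it directly instead of going through libpcap, rewinding whenever it reaches a record the capture process has not finished writing; all function names are this example's own.

```python
import struct
import time

# Magic bytes as stored on disk -> struct byte-order prefix (classic pcap, not pcapng).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond timestamps

def read_global_header(f):
    """Parse the 24-byte file header; return (byte order, snaplen, link type)."""
    hdr = f.read(24)
    if len(hdr) < 24 or hdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (or header not fully written yet)")
    order = MAGICS[hdr[:4]]
    snaplen, linktype = struct.unpack(order + "II", hdr[16:24])
    return order, snaplen, linktype

def read_available(f, order, snaplen):
    """Return all complete records after the current offset.

    A record still being written by the capture process is left unread: the
    offset is rewound to its start so the next call retries it.
    """
    packets = []
    while True:
        start = f.tell()
        rec = f.read(16)                      # ts_sec, ts_frac, incl_len, orig_len
        if len(rec) == 16:
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", rec)
            if incl_len > max(snaplen, 65535):
                raise ValueError(f"implausible record length at offset {start}")
            data = f.read(incl_len)
            if len(data) == incl_len:
                packets.append((ts_sec, ts_frac, orig_len, data))
                continue
        f.seek(start)                         # partial header or payload: wait for more
        return packets

def tail_pcap(path, handle, poll=0.5, max_idle_polls=None):
    """Call handle(packet) for each record as the file grows (like tail -f)."""
    with open(path, "rb") as f:
        order, snaplen, _ = read_global_header(f)
        idle = 0
        while max_idle_polls is None or idle < max_idle_polls:
            batch = read_available(f, order, snaplen)
            for pkt in batch:
                handle(pkt)
            idle = 0 if batch else idle + 1
            if not batch:
                time.sleep(poll)
```

Each packet is handed to `handle` as `(ts_sec, ts_frac, orig_len, data)`, which is where the custom matching logic would go; leave `max_idle_polls` as `None` to follow the file indefinitely.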
