Analyzing TCP packets captured by Net::Pcap from a PPP link.
I tried to analyze TCP packets captured by Net::Pcap from a PPP link. I wrote a tiny packet-analyzing program based on the example program 'pcapdump' (which ships with Net::Pcap), but the result was totally broken.
It turned out I had misunderstood: packets captured by Net::Pcap do not always start with an Ethernet frame. The link-layer format of a captured packet is variable; it depends on which interface you capture from and what type of link it is, and pcap_datalink() reports which one is in use. At least when capturing from a PPP link on my Linux box, the captured packet data starts with a DLT_LINUX_SLL ("Linux cooked") link header. (About DLT_LINUX_SLL and the other link types, see the man page pcap-linktype(7).)
I haven't yet understood every format Net::Pcap can capture, but I wrote a tiny program that analyzes packets from a PPP link. This code works well enough, at least for my purpose.
#!/usr/bin/perl
use strict;
use warnings;
use Net::Pcap qw(:functions);
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

#...initialize pcap,and do pcap_open_live ...

# Ask libpcap which link-layer header this capture uses ("LINUX_SLL", "EN10MB", ...)
# and pass the name to the callback as its user data.
my $link_type_name = pcap_datalink_val_to_name(pcap_datalink($pcap));
pcap_loop($pcap, -1, \&process_packet, $link_type_name);

#...snip...

sub process_packet {
    my ($link_type_name, $header, $packet) = @_;
    my $payload_stripped_linkheader;
    my $protocol_type_of_link_header;
    use bytes;

    if ($link_type_name eq "LINUX_SLL") {
        # This code is an example, and at least good enough for my purpose.
        # The best code is shown in sll_if_print() (print-sll.c in tcpdump).
        # LINUX_SLL header: packet type(2) + ARPHRD type(2) + address length(2)
        # + address(8) + protocol type(2) = 16 bytes, all in network byte order.
        $payload_stripped_linkheader  = substr($packet, 16);
        $protocol_type_of_link_header = unpack("n", substr($packet, 2 + 2 + 2 + 8, 2));
    } else {
        # This is not correct code for every other link type. However, at this
        # moment I ignore other formats and assume an Ethernet frame.
        my $eth_obj = NetPacket::Ethernet->decode($packet);
        $payload_stripped_linkheader  = $eth_obj->{data};
        $protocol_type_of_link_header = $eth_obj->{type};
    }

    if ($protocol_type_of_link_header != 0x0800) {
        warn "uh? this packet is not an IP packet, then skip\n";
        return;
    }

    my $ip_obj = NetPacket::IP->decode($payload_stripped_linkheader);
    # ... you can write the next analysis here ...
}
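As an added example (not the post's Perl, and not part of Net::Pcap or NetPacket), here is the same dispatch written in plain Python over constructed byte strings, so it runs without a capture interface: strip the link header that pcap_datalink() names (16-byte LINUX_SLL or 14-byte Ethernet), skip anything whose protocol type is not IPv4, then decode the IPv4 and TCP headers. The two sample packets are built inline and are not real captures; the ARPHRD constants and the refusal of ARPHRD_NETLINK/ARPHRD_IPGRE (whose protocol field is not an EtherType, per pcap-linktype(7)) are this example's own choices. Checksums are not verified.

```python
"""Decode pcap packets by link type: DLT_LINUX_SLL ("cooked") versus DLT_EN10MB (Ethernet)."""
import struct
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
SLL_HDR_LEN = 16   # DLT_LINUX_SLL header, see pcap-linktype(7)
ETH_HDR_LEN = 14   # DLT_EN10MB: dst MAC(6) + src MAC(6) + EtherType(2)
ARPHRD_PPP = 512   # ARPHRD type seen on a PPP link
ARPHRD_IPGRE, ARPHRD_NETLINK = 778, 824  # protocol field is NOT an EtherType for these


def strip_link_header(link_type_name: str, packet: bytes) -> Tuple[bytes, int]:
    """Return (payload, ethertype) after removing the header pcap_datalink() names."""
    if link_type_name == "LINUX_SLL":
        if len(packet) < SLL_HDR_LEN:
            raise ValueError("truncated LINUX_SLL header")
        # pkttype(2) ARPHRD type(2) addrlen(2) addr(8) protocol(2), network byte order
        _pkttype, arphrd, _addrlen, _addr, proto = struct.unpack("!HHH8sH", packet[:SLL_HDR_LEN])
        if arphrd in (ARPHRD_IPGRE, ARPHRD_NETLINK):
            raise ValueError(f"ARPHRD {arphrd}: protocol field is not an EtherType")
        return packet[SLL_HDR_LEN:], proto
    if link_type_name == "EN10MB":
        if len(packet) < ETH_HDR_LEN:
            raise ValueError("truncated Ethernet header")
        (proto,) = struct.unpack("!H", packet[12:14])
        return packet[ETH_HDR_LEN:], proto
    raise ValueError(f"unsupported link type {link_type_name}")


def parse_ipv4(payload: bytes) -> dict:
    """Decode the fixed IPv4 header; 'data' is the payload bounded by total length."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", payload[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "data": payload[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Decode ports, sequence numbers, data offset and the 9 flag bits of a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "doff": (off_flags >> 12) * 4, "flags": off_flags & 0x1FF}


def analyze(link_type_name: str, packet: bytes) -> Optional[dict]:
    """Mirror process_packet(): None for non-IPv4, else the IP (and TCP) fields."""
    payload, proto = strip_link_header(link_type_name, packet)
    if proto != ETHERTYPE_IPV4:
        return None  # the post's "uh? this packet is not an IP packet" path
    ip = parse_ipv4(payload)
    result = {"link": link_type_name, **{k: v for k, v in ip.items() if k != "data"}}
    if ip["proto"] == 6:
        result["tcp"] = parse_tcp(ip["data"])
    return result


# ---- constructed sample packets (built here for the example, not real captures) ----
def build_ipv4_tcp_syn() -> bytes:
    tcp = struct.pack("!HHIIHHHH", 51234, 443, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return ip + tcp


# What a PPP capture looks like: SLL header (ARPHRD_PPP, empty address) then IPv4/TCP.
SLL_PPP_PACKET = struct.pack("!HHH8sH", 0, ARPHRD_PPP, 0, b"\x00" * 8, ETHERTYPE_IPV4) \
    + build_ipv4_tcp_syn()
# An Ethernet frame carrying IPv6 (EtherType 0x86DD), which the analyzer must skip.
ETH_IPV6_PACKET = bytes.fromhex("ffffffffffff" "020000000001" "86dd") + b"\x60" + b"\x00" * 39

if __name__ == "__main__":
    print(analyze("LINUX_SLL", SLL_PPP_PACKET))
    print(analyze("EN10MB", ETH_IPV6_PACKET))
    # The post's original mistake: decoding an SLL packet as Ethernet reads the
    # address padding as the EtherType, so everything looks like "not IP".
    print(analyze("EN10MB", SLL_PPP_PACKET))
```

Feeding the SLL packet through the Ethernet branch reproduces the "totally broken" result from the post: bytes 12 and 13 of the 16-byte cooked header are part of the address field, so the supposed EtherType reads as 0 and every packet is skipped. The fix is the dispatch on pcap_datalink(), not a different decoder.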