filtering packets from a specific ip using perl and Net::Pcap and Net::PcapUtils

Question

I've been trying to write a script that filters packets out of a device and from a specific ip address over that device.

I want data to be like the output i get from wireshark when you select a specific device and you use the ip.src==xx.xx.xx.xx

my program so far is like this

    #!/usr/bin/perl -w
my $interface='eth1';

sub process_pkt #Packet processing routine 
{
 my ($user_data,$header, $packet) = @_;
 my $minipacket = substr($packet,0,54); 
 print ("\n## raw: ###\n");
 print ($minipacket);
print ("\n==Byte# / Hex / Dec / Bin==\n");
 for ($i=0;$i<55;$i++)
 {
 $hexval = unpack('H2',substr($packet,$i,1)); 
 $decval = hex(unpack('H2',substr($packet,$i,1)));
 printf ("%03s-%02s-%03s-%08b\n", $i, $hexval, $decval, $decval);
 }
}
# ###################################################################### 

# Here we are invoking the NetPcap module and looping through forever.
Net::PcapUtils::loop(\&process_pkt, 
 SNAPLEN => 65536, #Size of data to get from packet
 PROMISC => 1, #Put in promiscuous mode
FILTER => 'tcp', #only pass TCP packets
 DEV => $interface, ); 

and I am getting output

now i want to filter out packets that are received on the eth1 device and from the soruce ip of xx.xx.xx.xx can we use the filter option in Net::PcapUtils::loop to do that? and then i want packets of data length xx ... i tried going through the documentation in cpan.org but all i find is the options available.. i couldn't find any examples..

can someone please help me out?

improvements:

can i use something like

FILTER => 'ip src xx.xx.xx.xx'

after the

FILTER => 'tcp'

line in the code? and can i somehow include the data length of the packet so as to filter the packets of data length = 86?

---

Alternative program i am using to get the payload of the packet:

#!/usr/bin/perl -w
# #########################
#
use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP;
use NetPacket::TCP;
use NetPacket::IP qw(:strip);

my $interface= 'eth1';
my $snaplen= 65536;
my $filter='tcp';
my $promisc = 1;
my $timeout = 10000 ;
my $err;

sub process_pkt
{
    my ($user_data,$header,$packet) = @_;

$ip= NetPacket::IP->decode(eth_strip($packet));
    $tcp= NetPacket::TCP->decode($ip->{data});
    $payload = $tcp->{data};
    print ("payload: \n ".$payload." \n----end-----\n");
    for($i=0;$i<55;$i++){   
    $hexval = unpack('H2',substr($payload,$i,1));
    open (MYFILE, '>>perldata1.txt');
    print MYFILE ($i." :hex: ". $hexval."\n");
    close (MYFILE);
    }
}

Net::PcapUtils::loop(\&process_pkt,
            SNAPLEN => 65536,
            PROMISC => 1,
            FILTER => 'tcp',
            FILTER => 'ip src 129.7.236.40',
            DEV => $interface, );

but am still not able to figure out how to get the length of the data field. :( Thanks.

Answer 1

#!/usr/bin/perl -w
# #########################
#
use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP;
use NetPacket::TCP;
use NetPacket::IP qw(:strip);
use strict;
use Data::Dumper;
#use warnings;

my $interface= 'eth1';
my $snaplen= 65536;
my $filter='tcp';
my $promisc = 1;
my $timeout = 10000 ;
my $err;
my @array;
sub process_pkt
{
    my ($user_data,$header,$packet) = @_;

my $ip= NetPacket::IP->decode(eth_strip($packet));
    my $tcp= NetPacket::TCP->decode($ip->{data});
    my $payload = $tcp->{data}; 
    if(length($payload)==32)
    {
    for(my $decode=0;$decode<32;$decode++)
    {   
    $array[$decode] = unpack('H2',substr($payload,$decode,1));
    }
    my $length= scalar(@array);
    open (MYFILE, '>doorstatus.tab');
    if($array[22] eq '0c')
        {
            print MYFILE ( " Decision: Granted\n");
        }
    elsif($array[22] eq '04')
    {
    print MYFILE ("Decision: Denied\n");
    }
    elsif($array[22] eq '0d')
    {
    print MYFILE ("Decision: Locked\n");
    }
    else
    {
    print MYFILE ("Decision: unknown \n");
    }

    #print MYFILE ( " Data: \n".Dumper(\@array)." \n");

    close (MYFILE);
    }
}

Net::PcapUtils::loop(\&process_pkt,
            SNAPLEN => 65536,
            PROMISC => 1,
            FILTER => 'tcp',
            FILTER => 'ip src xx.xx.xx.xx',
            DEV => $interface, );

The code filters the data coming from a specific source into an array and you can do any thing with it,