#!/usr/bin/perl
use Net::TcpDumpLog;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
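# Usage: <script> <pcap-file>
#
# Walks every frame of a tcpdump/pcap capture and reports TCP segments whose
# payload mentions "HTTP" while neither endpoint is using port 80. Output is
# one header line plus the (sanitised) payload per matching segment.
#
# NOTE(review): the script runs without "use strict; use warnings;" — add
# them at the top of the file once the package globals are declared.
my $file = $ARGV[0];
die "usage: $0 <pcap-file>\n" unless defined $file && length $file;

my $log = Net::TcpDumpLog->new();
$log->read($file);

# Wire constants used below: EtherType for IPv4, the IP protocol number
# for TCP, and the port the message printed below promises to exclude.
my $ETH_TYPE_IPV4 = 0x0800;
my $IP_PROTO_TCP  = 6;
my $HTTP_PORT     = 80;

foreach my $index ($log->indexes) {
    my $packet   = $log->data($index);
    my $ethernet = NetPacket::Ethernet->decode($packet);
    next unless $ethernet->{type} == $ETH_TYPE_IPV4;

    my $ip = NetPacket::IP->decode($ethernet->{data});
    next unless $ip->{proto} == $IP_PROTO_TCP;

    my $tcp = NetPacket::TCP->decode($ip->{data});

    # Pure ACKs and handshake segments carry no payload; match on '' rather
    # than on undef so the regex does not warn.
    my $payload = defined $tcp->{data} ? $tcp->{data} : '';
    next unless $payload =~ m/HTTP/;

    # The original tests (src_ip =~ /\d/, src_port =~ /\d/) were true for
    # every packet, so port 80 was never excluded even though the message
    # below claims it is. Skip the segment if either end is port 80.
    next if $tcp->{src_port} == $HTTP_PORT || $tcp->{dest_port} == $HTTP_PORT;

    # The payload is untrusted bytes off the wire. Replace anything outside
    # printable ASCII (plus tab/newline) with '.' so a crafted payload cannot
    # drive the terminal with escape sequences.
    (my $shown = $payload) =~ tr/\x20-\x7e\t\n\r/./c;

    print("Found HTTP traffic on non-port 80\n");
    printf("%s (port: %d) to %s (port: %d)\n%s\n",
        $ip->{src_ip},
        $tcp->{src_port},
        $ip->{dest_ip},
        $tcp->{dest_port},
        $shown);
}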
http://www.softpanorama.org/Net/Sniffers/tcpdump.shtml
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
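# Classify one captured frame for the port-scan result table.
#
# Argument: $raw_data, a raw Ethernet frame as delivered by the capture
# library. Only IPv4/TCP frames are examined: a segment with SYN set marks
# its source port 'open', one with RST set marks it 'closed'; anything else
# is ignored. A matching result is printed and recorded in the package
# global %total_ports, with the service name looked up in %port_directory
# (keyed "<port>/tcp"); both hashes are populated elsewhere in the file.
# Returns nothing.
sub read_packet
{
    my ($raw_data) = @_;
    return unless defined $raw_data && length $raw_data;

    # Check the EtherType before handing the payload to the IP decoder;
    # stripping the Ethernet header blindly would mis-parse ARP and other
    # non-IP frames as IPv4.
    my $ethernet = NetPacket::Ethernet->decode($raw_data);
    return unless $ethernet->{type} == 0x0800;    # IPv4
    my $ip_data   = $ethernet->{data};
    my $ip_packet = NetPacket::IP->decode($ip_data);

    # is it TCP
    return unless $ip_packet->{proto} == 6;

    my $tcp  = NetPacket::TCP->decode(NetPacket::IP::strip($ip_data));
    my $port = $tcp->{src_port};
    my $port_name = exists $port_directory{"$port/tcp"}
        ? $port_directory{"$port/tcp"}->{name}
        : '';

    # The flag constants are referenced fully qualified: a plain
    # "use NetPacket::TCP;" does not import SYN/RST, so the bare names are
    # a compile error under strict and, without it, strings that numify to
    # 0 and never match.
    my $state;
    if ($tcp->{flags} & NetPacket::TCP::SYN()) {
        $state = 'open';
    }
    elsif ($tcp->{flags} & NetPacket::TCP::RST()) {
        $state = 'closed';
    }
    return unless defined $state;

    printf " %5d %-20s %-20s\n", $port, $state, $port_name;
    $total_ports{$port} = $state;
    return;
}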