#!/usr/bin/perl

use strict;
use warnings;

use Net::TcpDumpLog;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
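# Usage: <script> <pcap-file>
# Walks a tcpdump/pcap capture and reports TCP segments whose payload looks
# like HTTP but that are NOT using port 80 at either end.
my $file = $ARGV[0];
defined $file or die "usage: $0 <pcap-file>\n";

my $log = Net::TcpDumpLog->new();
$log->read($file);

use constant {
    ETH_TYPE_IPV4 => 0x0800,   # Ethernet frame type for IPv4; VLAN-tagged (0x8100) and IPv6 frames are skipped
    IP_PROTO_TCP  => 6,
    HTTP_PORT     => 80,
};

foreach my $index ($log->indexes) {
    my $packet   = $log->data($index);
    my $ethernet = NetPacket::Ethernet->decode($packet);
    next unless $ethernet->{type} == ETH_TYPE_IPV4;

    my $ip = NetPacket::IP->decode($ethernet->{data});
    next unless $ip->{proto} == IP_PROTO_TCP;

    my $tcp = NetPacket::TCP->decode($ip->{data});

    # The original tested src_port =~ /\d/, which is true for every port and so
    # never excluded port 80 despite the message; test both ends of the flow.
    next if $tcp->{src_port} == HTTP_PORT || $tcp->{dest_port} == HTTP_PORT;
    next unless defined $tcp->{data} && $tcp->{data} =~ m/HTTP/;

    print("Found HTTP traffic on non-port 80\n");
    printf("%s (port: %d) to %s (port: %d)\n%s\n",
        $ip->{src_ip},
        $tcp->{src_port},
        $ip->{dest_ip},
        $tcp->{dest_port},
        printable_payload($tcp->{data}));
}

# Payload bytes come straight off the wire and are attacker-controlled; the
# original printed them raw, so a crafted payload could inject terminal escape
# sequences into the report. Keep printable ASCII and newlines, dot the rest.
sub printable_payload {
    my ($payload) = @_;
    (my $clean = $payload) =~ s/[^\x20-\x7e\n]/./g;
    return $clean;
}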


http://www.softpanorama.org/Net/Sniffers/tcpdump.shtml




use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

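# TCP flag bits (RFC 793) and framing constants. The original compared against
# bare SYN / RST; unless those constants are imported (e.g.
# `use NetPacket::TCP qw(:flags)`) they are barewords, which under no strict
# evaluate to the strings "SYN"/"RST" and numify to 0, so neither branch could
# ever fire. Name the masks explicitly so the sub does not depend on the import.
use constant {
    TCP_FLAG_SYN => 0x02,
    TCP_FLAG_RST => 0x04,
    ETHERTYPE_IP => 0x0800,
    IPPROTO_TCP  => 6,
};

# Classify one sniffed Ethernet frame for the port scanner.
# $raw_data: a complete raw Ethernet frame as captured from the wire.
# Side effects: prints one line for a frame with SYN or RST set and records
# the verdict in the global %total_ports (source port => 'open' | 'closed'),
# with the service name taken from the global %port_directory ("<port>/tcp").
# Both hashes are defined outside this sub.
sub read_packet
{
  my ($raw_data) = @_;
  my $frame = NetPacket::Ethernet->decode($raw_data);

  # Only IPv4 frames carry something NetPacket::IP can decode. The original
  # stripped the Ethernet header blindly, so ARP/IPv6 frames on the wire were
  # parsed as IP and could produce garbage ports and flags.
  return unless $frame->{type} == ETHERTYPE_IP;

  my $ip_packet = NetPacket::IP->decode($frame->{data});
  return unless $ip_packet->{proto} == IPPROTO_TCP;

  my $tcp  = NetPacket::TCP->decode($ip_packet->{data});
  my $port = $tcp->{src_port};
  my $port_name = exists $port_directory{"$port/tcp"}
    ? $port_directory{"$port/tcp"}->{name}
    : '';

  # NOTE(review): nothing here checks that the reply came from the scanned
  # host or was addressed to our probe's source port, so any host on the
  # segment can spoof SYN/ACKs or RSTs and skew the open/closed table --
  # confirm the caller filters on source address, or add the check here.
  if ($tcp->{flags} & TCP_FLAG_SYN)
  {
    printf " %5d %-20s %-20s\n", $port, 'open', $port_name;
    $total_ports{$port} = 'open';
  }
  elsif ($tcp->{flags} & TCP_FLAG_RST)
  {
    printf " %5d %-20s %-20s\n", $port, 'closed', $port_name;
    $total_ports{$port} = 'closed';
  }
  return;
}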
