tcpdump mailing list archives
Problems with pcap filter between Net::Pcap and tcpdump
From: "Lee Hinman" <matthew.hinman () gmail com>
Date: Wed, 5 Sep 2007 16:11:07 -0600
Hi All,
I'm trying to write a simple sniffer for AIM traffic. Using "tcpdump
-A -s0 tcp port 5190" works just great for capturing all the traffic;
however, when I attempt to use the script I've written (below), it
doesn't capture anything except for some extremely annoying UPnP
packets (which aren't even on port 5190).
The script:
#!/usr/bin/perl
use warnings;
use strict;
use Net::Pcap;          # the Net::Pcap:: functions called below
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
#$| = 1;
my ($address,$netmask,$err,$filter);

# Callback for every captured packet: decode it as Ethernet/IP/TCP and print it
sub grab_aim {
    my ($arg,$hdr,$pkt) = @_ ;
    my $eth_data = NetPacket::Ethernet::strip($pkt);
    my $ip = NetPacket::IP->decode($eth_data);
    my $tcp = NetPacket::TCP->decode($ip->{'data'});
    print $ip->{'src_ip'} .":". $tcp->{'src_port'} . " -> " .
        $ip->{'dest_ip'} .":". $tcp->{'dest_port'} . "\n";
    print "Data:\n" . $tcp->{'data'} . "\n";
}

#my $interface = shift || "en0";
# Device from the command line, otherwise the default capture device
my $dev = shift || Net::Pcap::lookupdev(\$err) or die "Can't lookup device: $err\n";
#if (Net::Pcap::lookupnet($interface, \$address, \$netmask, \$err)==-1) {
if (Net::Pcap::lookupnet($dev, \$address, \$netmask, \$err)==-1) {
    die 'Unable to look up device information for ', $dev, ' - ', $err;
}
print "Device: $dev\n";
my $object = Net::Pcap::open_live($dev, 65536, 1, 0, \$err) or die "Can't open device $dev: $err\n";
# Compile the filter expression, attach it, then capture until interrupted
Net::Pcap::compile($object, \$filter, 'tcp port 5190', 0, $netmask);
Net::Pcap::setfilter($object, $filter);
Net::Pcap::loop($object, -1, \&grab_aim, '');
Am I compiling the filters wrong?
- Lee
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
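Added example, not part of the original post and not a diagnosis of it: the same capture setup with the return values of compile and setfilter checked, so that a filter which failed to compile or install is reported instead of leaving the capture unfiltered, and with the callback verifying each layer before decoding the next. The names handle_packet, $FILTER, $pcap and $bpf are this example's own; it assumes an Ethernet (DLT_EN10MB) interface.

```perl
#!/usr/bin/perl
# Added example (not the poster's script): every libpcap call is checked.
use strict;
use warnings;
use Net::Pcap;
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::TCP;

my $FILTER = 'tcp port 5190';    # filter expression from the post
my ($err, $net, $mask, $bpf);

sub handle_packet {
    my ($user, $hdr, $pkt) = @_;
    # Decode layer by layer and drop anything that is not IPv4/TCP, so a
    # stray UDP datagram is never misread as a TCP segment.
    my $eth = NetPacket::Ethernet->decode($pkt);
    return unless $eth->{type} == ETH_TYPE_IP;
    my $ip = NetPacket::IP->decode($eth->{data});
    return unless $ip->{proto} == IP_PROTO_TCP;
    my $tcp = NetPacket::TCP->decode($ip->{data});
    printf "%s:%d -> %s:%d\n", $ip->{src_ip}, $tcp->{src_port},
        $ip->{dest_ip}, $tcp->{dest_port};
}

my $dev = shift || Net::Pcap::lookupdev(\$err);
defined $dev or die "Can't look up device: $err\n";

# A failed lookupnet only means the netmask is unknown; fall back to 0.
if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1) {
    warn "lookupnet failed for $dev: $err (using netmask 0)\n";
    $mask = 0;
}

my $pcap = Net::Pcap::open_live($dev, 65536, 1, 0, \$err)
    or die "Can't open device $dev: $err\n";

# The Ethernet decoder above is only valid for link type DLT_EN10MB (value 1).
Net::Pcap::datalink($pcap) == 1
    or die "$dev is not an Ethernet link; NetPacket::Ethernet does not apply\n";

# compile and setfilter return 0 on success and -1 on failure.
Net::Pcap::compile($pcap, \$bpf, $FILTER, 0, $mask) == 0
    or die "compile('$FILTER') failed: " . Net::Pcap::geterr($pcap) . "\n";
Net::Pcap::setfilter($pcap, $bpf) == 0
    or die "setfilter failed: " . Net::Pcap::geterr($pcap) . "\n";

print "Capturing on $dev with filter '$FILTER'\n";
Net::Pcap::loop($pcap, -1, \&handle_packet, '');
Net::Pcap::close($pcap);
```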
