- 论坛徽章:
- 0
|
http://packetstormsecurity.org/sniffers/iptraffic-v0.01.zip
#!/usr/bin/perl
# iptraffic-v0.09.pl by Randy Nash (nashr@atriskonline.com)
# Copyright (C) 2004-2005 Randy Nash - @RISK Online (www.atriskonline.com)
#
# This is the beginnings of a simple perl sniffer. It uses standard Perl
# modules to perform protocol decodes and dumps the results to MySQL.
use strict;
use Net: cap;
use Net:capUtils;
# Ethernet related protocols
use NetPacket::Ethernet qw(:ALL);
use NetPacket::ARP qw(:ALL);
use NetPacket::IP qw(:ALL);
use NetPacket::ICMP qw(:ALL);
use NetPacket::IGMP qw(:ALL);
use NetPacket::TCP qw(:ALL);
use NetPacket::UDP qw(:ALL);
# Other protocols
use NetPacket::LLC;
use NetPacket::SpanningTree;
# Miscellaneous
use DBI;
use Socket;
use Term::ReadKey;
# Flush STDOUT
$|=1;
# Vars used for pcap and decoding
my $err="";
my ($device, $cap_descrip);
# var for tracking protocol type
my $proto = "";
# Declaration of functions
sub pcapinit;
sub read_packet;
# Mainprogram starts here
# select the adapter
if (!$ARGV[0])
{
my $err;
my $dev = Net:cap::lookupdev(\$err);
if (defined $err) {
die 'Unable to determine network device for monitoring - ', $err;
exit;
}
my ($address, $netmask, $err);
if (Net:cap::lookupnet($dev, \$address, \$netmask, \$err)) {
die 'Unable to look up device information for ', $dev, ' - ', $err;
}
print STDOUT "Available interfaces; Please select one from the list below:\n\n\t$dev\n\n";
}
else
{
$device=$ARGV[0];
}
# Connect To Database
# Use your own hostname, database, username and password here
#
my $database = "iptraffic";
my $hostname = "localhost";
my $username = "root";
my $password = "";
my $dbh = DBI->connect("DBI:mysql databasehostname", $username, $password);
die "Cannot log into database...\n" unless $dbh;
print "Connected to $database... \n";
pcapinit;
#Subfunctions only
# Initialize the sniffing
sub pcapinit
{
$cap_descrip=Net:cap: pen_live($device, 2000, 1, 1000, \$err);
if (!$cap_descrip) # If something does not work correctly
{
print "\n Error: $err\n\n";
exit;
}
Net:cap::loop($cap_descrip, -1, \&read_packet, "test" ;
}
# Read and process packets.
# Currently all DATA fields are dropped to save spaces.
# All field definitions come directly from the PM documentation
#
sub read_packet
{
# Ethernet
my $key=ReadKey(-1);
my ($arg, $hdr, $pkt)=@_;
my $eth_obj=NetPacket::Ethernet->decode($pkt);
$main::proto = "ether";
$dbh->do("insert into etherpkt (eth_type, eth_srcmac, eth_destmac)
values ('$eth_obj->{type}','$eth_obj->{src_mac}','$eth_obj->{dest_mac}')
";
# Ether Type = IP
if ($eth_obj->{type}==ETH_TYPE_IP)
{
# Determine IP Protocol within IP
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP;
my $ip_obj=NetPacket::IP->decode(eth_strip($pkt));
$main::proto = "ip";
$dbh->do("insert into ippkt (pid, ip_ver, ip_hlen, ip_flags, ip_foffset, ip_tos, ip_len, ip_id, ip_ttl, ip_proto, ip_cksum, ip_srcip, ip_dstip)
values (LAST_INSERT_ID(),'$ip_obj->{ver}','$ip_obj->{hlen}','$ip_obj->{flags}','$ip_obj->{foffset}','$ip_obj->{tos}','$ip_obj->{len}','$ip_obj->{id}','$ip_obj->{ttl}','$ip_obj->{proto}','$ip_obj->{cksum}','$ip_obj->{src_ip}','$ip_obj->{dest_ip}')
";
# ICMP
if ($ip_obj->{proto}==IP_PROTO_ICMP)
{
my $icmp_obj = NetPacket::ICMP->decode($pkt);
$main::proto = "icmp";
$dbh->do("insert into icmppkt (pid, icmp_type, icmp_code, icmp_cksum)
values (LAST_INSERT_ID(),'$icmp_obj->{type}','$icmp_obj->{code}','$icmp_obj->{cksum}')
";
}
# IGMP
elsif ($ip_obj->{proto}==IP_PROTO_IGMP)
{
my $ip_obj = NetPacket::IP->decode(eth_strip($pkt));
my $igmp_obj = NetPacket::IGMP->decode($ip_obj->{data});
$main::proto = "igmp";
$dbh->do("insert into igmppkt (pid, igmp_ver, igmp_type, igmp_len, igmp_subtype, igmp_cksum, igmp_group_addr)
values (LAST_INSERT_ID(),'$igmp_obj->{version}','$igmp_obj->{type}','$igmp_obj->{len}','$igmp_obj->{subtype}','$igmp_obj->{cksum}','$igmp_obj->{group_addr}')
";
}
# IPIP
elsif ($ip_obj->{proto}==IP_PROTO_IPIP)
{
$main::proto = "ipip";
}
# TCP
elsif ($ip_obj->{proto}==IP_PROTO_TCP)
{
my $tcp_obj = NetPacket::TCP->decode(ip_strip(eth_strip($pkt)));
$main::proto = "tcp";
$dbh->do("insert into tcppkt (pid, tcp_sport, tcp_dport, tcp_seqnum, tcp_acknum, tcp_hlen, tcp_res, tcp_flags, tcp_win, tcp_cksum, tcp_urg)
values (LAST_INSERT_ID(),'$tcp_obj->{src_port}','$tcp_obj->{dest_port}','$tcp_obj->{seqnum}','$tcp_obj->{acknum}','$tcp_obj->{hlen}','$tcp_obj->{reserved}','$tcp_obj->{flags}','$tcp_obj->{winsize}','$tcp_obj->{cksum}','$tcp_obj->{urg}')
";
}
# UDP
elsif ($ip_obj->{proto}==IP_PROTO_UDP)
{
my $ip_obj = NetPacket::IP->decode(eth_strip($pkt));
my $udp_obj = NetPacket::UDP->decode($ip_obj->{data});
$main::proto = "udp";
$dbh->do("insert into udppkt (pid, udp_sport, udp_dport, udp_len, udp_cksum)
values (LAST_INSERT_ID(),'$udp_obj->{src_port}','$udp_obj->{dest_port}','$udp_obj->{len}','$udp_obj->{cksum}')
";
}
# OSPF
elsif ($ip_obj->{proto}=="89"
{
$main::proto = "ospf";
}
# Other IP, Multicast, Unicast, etc...
else
{
# INTERNET MULTICAST ADDRESSES
# Reference: ftp://ftp.iana.org/assignments/multicast-addresses/
#
# Host Extensions for IP Multicasting [RFC1112] specifies the extensions
# required of a host implementation of the Internet Protocol (IP) to
# support multicasting. The multicast addressess are in the range
# 224.0.0.0 through 239.255.255.255. Current addresses are listed below.
#
# The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive,
# is reserved for the use of routing protocols and other low-level
# topology discovery or maintenance protocols, such as gateway discovery
# and group membership reporting. Multicast routers should not forward
# any multicast datagram with destination addresses in this range,
# regardless of its TTL.
# This section tests for various Multicast protocols that I have started to
# define. This is VERY incomplete, and only a sample based on the type of
# traffic I can test in my environments.
if ($ip_obj->{dest_ip}=~m/^224.0.0.251/)
{
$main::proto = "mdns";
}
# Anything I have not yet accounted for.
else
{
$main::proto = "undef-ip";
}
}
}
# Other known protocols
# ARP
elsif ($eth_obj->{type}==ETH_TYPE_ARP)
{
my $arp_obj = NetPacket::ARP->decode($eth_obj->{data}, $eth_obj);
$main::proto = "arp";
$dbh->do("insert into arppkt (pid, arp_htype, arp_proto, arp_hlen, arp_plen, arp_opcode, arp_sha, arp_spa, arp_tha, arp_tpa)
values (LAST_INSERT_ID(),'$arp_obj->{htype}','$arp_obj->{proto}','$arp_obj->{hlen}','$arp_obj->{plen}','$arp_obj->{opcode}','$arp_obj->{sha}','$arp_obj->{spa}','$arp_obj->{tha}','$arp_obj->{tpa}')
";
}
# APPLETALK
elsif ($eth_obj->{type}==ETH_TYPE_APPLETALK)
{
$main::proto = "atalk";
}
# SNMP
elsif ($eth_obj->{type}==ETH_TYPE_SNMP)
{
$main::proto = "snmp";
}
# IPv6
elsif ($eth_obj->{type}==ETH_TYPE_IPv6)
{
$main::proto = "ipv6";
}
# PPP
elsif ($eth_obj->{type}==ETH_TYPE_PPP)
{
$main::proto = "ppp";
}
# LOOP (Loopback)
# ETH_TYPE_LOOP => 0x9000;
elsif ($eth_obj->{type}==0x9000)
{
$main::proto = "loop";
}
# Unknown
else
{
# Test here for various broadcast/multicast/LLC packets
my $eth_obj=NetPacket::Ethernet->decode($pkt);
# AARP (Appletalk Address Resolution Protocol)
if ($eth_obj->{dest_mac}=~m/^090007ffffff/)
{
$main::proto = "aarp";
}
# CDP (Cisco Discovery Protocol)
elsif ($eth_obj->{dest_mac}=~m/^01000ccccccc/)
{
$main::proto = "cdp/vtp";
}
# CGMP (Cisco Group Management Protocol)
elsif ($eth_obj->{dest_mac}=~m/^01000cdddddd/)
{
$main::proto = "cgmp";
}
# DEC MOP (DEC Maintenance Operation Protocol (MOP) Remote Console)
elsif ($eth_obj->{dest_mac}=~m/^ab0000020000/)
{
$main::proto = "decmop";
}
# NETLOGON (NETBIOS Multi NETLOGON Query for Primary DC FRAME)
elsif ($eth_obj->{dest_mac}=~m/^030000000001/)
{
$main::proto = "netlogon";
}
# STP (Spanning Tree protocol)
elsif ($eth_obj->{dest_mac}=~m/^0180c200000/)
{
my $llc_obj=NetPacket::LLC->decode($eth_obj->{data});
my $st_obj=NetPacket::SpanningTree->decode($llc_obj->{data});
$main::proto = "stp";
$dbh->do("insert into stppkt (pid, stp_max_age, stp_message_age, stp_bpdu_flags, stp_bridge_mac, stp_bpdu_type, stp_topology_change, stp_bridge_priority, stp_topology_change_ack, stp_protocol_version, stp_forward_delay, stp_hello_time, stp_port_num, stp_root_priority, stp_root_path_cost, stp_protocol_id, stp_root_mac, stp_port_priority, stp_root_id, stp_port_id, stp_bridge_id)
values (LAST_INSERT_ID(),'$st_obj->{max_age}', '$st_obj->{message_age}', '$st_obj->{bpdu_flags}', '$st_obj->{bridge_mac}', '$st_obj->{bpdu_type}', '$st_obj->{topology_change}', '$st_obj->{bridge_priority}', '$st_obj->{topology_change_ack}', '$st_obj->{protocol_version}', '$st_obj->{forward_delay}', '$st_obj->{hello_time}', '$st_obj->{port_num}', '$st_obj->{root_priority}', '$st_obj->{root_path_cost}', '$st_obj->{protocol_id}', '$st_obj->{root_mac}', '$st_obj->{port_priority}', '$st_obj->{root_id}', '$st_obj->{port_id}', '$st_obj->{bridge_id}')
";
}
# Broadcast - This is very generic at this time, and includes,
# by default, anything not previously addressed that has a
# destination mac address of ffffffffffff. This will include,
# for example, IPX packets. Don't take this designation too
# seriously at this time.
elsif ($eth_obj->{dest_mac}=~m/^ffffffffffff/)
{
$main::proto = "broadcast";
}
# Leftover unresolved packets...
else
{
$main::proto = "undef-eth";
}
}
# update pkt_proto in ether_pkt table
$dbh->do("UPDATE etherpkt SET pkt_proto = '$main::proto' WHERE pid = LAST_INSERT_ID()");
# Check for keystroke to exit program
if ($key)
{
$dbh->disconnect;
exit(0);
}
}
; |
|
免费注册
发表于 2007-01-12 04:00
发表于 2007-01-12 10:09
