Feb 062011
Here’s how to use Perl and libpcap to process a capture file offline. This particular example parses RDP cookies….
# ./watch_rdp_cookies.pl session.cap 192.168.0.93:46890:192.168.0.88:3389:mstshash=corp\jaso 192.168.0.93:46890:192.168.0.88:3389:0 192.168.0.93:49469:192.168.0.89:3389:msts=1493215424.15629.0000(192.168.0.89:3389)
#!/usr/bin/perl -w # Copyright 2011 Jason Filley # tcpdump -r capture.cap -s 65535 'dst port 3389 and tcp[37] == 0xe0' use 5.10.0; use strict; use Net::PcapUtils; use NetPacket::Ethernet qw(:strip); use NetPacket::IP; use NetPacket::TCP; my $filename = $ARGV[0]; my $filter = "dst port 3389 and tcp[37] == 0xe0"; my $filter_t; my $err = ''; my $pcap = Net::Pcap::open_offline( "$filename", \$err ) or die "Cannot open file...$err\n"; Net::Pcap::compile( $pcap, \$filter_t, $filter, 1, 0 ); Net::Pcap::setfilter( $pcap, $filter_t ); sub get_cookie { my $cookie = shift; $cookie =~ /Cookie: (.*)\x0d\x0a/; return $1; } sub parse_cookie { my $ipcookie = shift; #e.g. "msts=420247818.15629.0000"; if ( length( $ipcookie // '' ) ) { if ( $ipcookie =~ /^msts=(\d*)\.(\d*)\./ ) { my $iphex = sprintf( "%8X", $1 ); my $porthex = sprintf( "%4X", $2 ); $iphex =~ /(..)(..)(..)(..)/sg; my $return = $ipcookie . "(" . hex($4) . "." . hex($3) . "." . hex($2) . "." . hex($1); $porthex =~ /(..)(..)/sg; $porthex = "$2" . "$1"; $return .= ":" . hex($porthex) . ")"; return $return; } elsif ( $ipcookie =~ /^mstshash=/ ) { return $ipcookie; } else { return ''; } } } sub process_pkt { my ( $user, $hdr, $pkt ) = @_; my $ip_obj = NetPacket::IP->decode( eth_strip($pkt) ); my $tcp_obj = NetPacket::TCP->decode( $ip_obj->{data} ); print( "$ip_obj->{src_ip}" . ":" . "$tcp_obj->{src_port}" . ":" ); print( "$ip_obj->{dest_ip}" . ":" . "$tcp_obj->{dest_port}" . ":" ); print parse_cookie( get_cookie( $tcp_obj->{data} ) ) . "\n"; } Net::Pcap::loop( $pcap, -1, \&process_pkt, '' );
return
Sorry, the comment form is closed at this time.