Perl network frame/packet parser
I am writing a small sniffer as part of a personal project. I am using Net::Pcap (really really great tool).

In the packet-processing loop I am using the excellent Net::Frame for unpacking all the headers and getting at the data. I am getting concerned that this might not be terribly efficient (Net::Frame is great but seems to be more than I need for this project).

Also I dislike that for some Debian systems I had to manually compile libdumbnet (the package provided in the official apt repositories didn't seem to work, Net-Libdnet-0.92 didn't like it).

All I want is to get at the payload inside a TCP segment. Is there any alternative?
Thank you.

P.S. Would it be really really bad (read "thedailywtf.com worthy") if I just took the packet and searched it for some pattern?
I recently wrote a PCAP dump file unpacker in C and then afterwards wished I'd just used the open source libraries instead (when I realised they existed and were so easy to use). I have to say that as it's a binary file format it's probably easier to do in C than Perl, but I'll no doubt get booed by all the Perl fanatics out there.
What I will say is that using existing code will be quicker all round than coding it yourself, but if you really really want to, the file format is freely available online and is really quite simple.
As for searching for a pattern, it almost certainly won't work. It's a binary file format and the packets can be fragmented and/or duplicated, so the only reliable way to know where a message starts and ends is by unpacking the headers, checking the packet flags, reading the content length field, etc. etc. Doing pattern searches may work 90% of the time, but at some point you'll find a packet capture log that means you need to change your code. And then a while later find another packet that means another change, and so on and so forth.
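The header-walking approach the answer recommends, written as an added Perl example (not code from the question, the answer, or Net::Frame): `tcp_payload` is a hypothetical helper that takes the raw frame a Net::Pcap loop callback receives, checks the EtherType, IP version, IHL, protocol, total length and TCP data offset, and only then returns the payload. It assumes an untagged Ethernet frame, does no IP fragment reassembly and does not verify checksums; the sample frame at the bottom is constructed inline.

```perl
use strict;
use warnings;

# Return a hashref with TCP ports, flags and payload for one raw Ethernet
# frame, or (undef, $reason) when the frame is not IPv4/TCP or its length
# fields are inconsistent with the captured bytes.
# Assumptions: no 802.1Q tag, no fragment reassembly, checksums unverified.
sub tcp_payload {
    my ($frame) = @_;
    return (undef, 'short Ethernet header') if length($frame) < 14;
    my $ethertype = unpack('x12 n', $frame);
    return (undef, 'not IPv4') if $ethertype != 0x0800;

    my $ip = substr($frame, 14);
    return (undef, 'short IP header') if length($ip) < 20;
    my ($vhl, $tot_len, $proto) = unpack('C x n x5 C', $ip);
    my $ihl = ($vhl & 0x0f) * 4;                  # header length in bytes
    return (undef, 'bad IP version/IHL') if ($vhl >> 4) != 4 || $ihl < 20;
    return (undef, 'not TCP') if $proto != 6;
    # Total length must fit the capture; bytes beyond it are link-layer padding.
    return (undef, 'IP length inconsistent')
        if $tot_len < $ihl + 20 || $tot_len > length($ip);
    my $tcp = substr($ip, $ihl, $tot_len - $ihl);

    my ($sport, $dport, $off_flags) = unpack('n n x8 n', $tcp);
    my $doff = ($off_flags >> 12) * 4;            # TCP header length in bytes
    return (undef, 'bad TCP data offset') if $doff < 20 || $doff > length($tcp);
    return ({
        src_port => $sport,
        dst_port => $dport,
        flags    => $off_flags & 0x01ff,          # low 9 bits: NS..FIN
        payload  => substr($tcp, $doff),
    }, undef);
}

# Constructed sample: an HTTP request line inside TCP/IPv4/Ethernet, with
# 4 bytes of Ethernet padding appended and checksums left as zero.
my $payload = "GET / HTTP/1.0\r\n";
my $tcp_hdr = pack('n n N N n n n n', 40000, 80, 1, 1, 0x5018, 65535, 0, 0);
my $ip_hdr  = pack('C C n n n C C n a4 a4', 0x45, 0, 40 + length($payload),
                   0, 0x4000, 64, 6, 0, "\x0a\x00\x00\x01", "\x0a\x00\x00\x02");
my $frame   = "\xff" x 6 . "\x00\x11\x22\x33\x44\x55" . pack('n', 0x0800)
            . $ip_hdr . $tcp_hdr . $payload . "\0" x 4;

my ($seg, $err) = tcp_payload($frame);
die "cannot parse: $err\n" unless $seg;
printf "%d -> %d flags 0x%03x payload: %s", $seg->{src_port}, $seg->{dst_port},
       $seg->{flags}, $seg->{payload};
```

Inside a Net::Pcap loop you would call `tcp_payload` on the callback's packet argument and drop anything that returns undef; a pattern search over `$frame` would instead match padding, headers and fragments indiscriminately.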