原文在http://www.perlmonks.org/index.pl?node_id=170648里,代码抄了一遍。
use Net::Pcap;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use strict;
my $err;
# Use network device passed in program argments or if no
# argument is passed, determine an appropriate network
# device fo packet sniffering using the
# Net::Pcap::lookupdev method
my $dev = $ARGV[0];
unless (defined $dev) {
my @devs = Net::Pcap::findalldevs(\$err);
if (defined $err) { die 'Unable to determine network device for monitoring - ', $err; }
if (length(@devs) == 2) { $dev = $devs[1]; }
else { $dev = $devs[0]; }
}
# Look up network address information about network
# device using Net::Pcap::lookupnet - This also acts as a
# check on bogus network device argument that may be
# passed to the progeam as an argument
my ($adress, $netmask);
if (Net::Pcap::lookupnet($dev, \$address, \$netmask, \$err)) {
die 'Unable to look up device information for ', $dev, ' - ', $err;
}
# Create packet capture object on device
my $object;
$object = Net::Pcap::open_live($dev, 1500, 0, 0, \$err);
unless (defined $object) {
die 'Unable to create packet capture on device ', $dev, ' - ', $err;
}
# Compile and set packet filter for packet capture
# object - For the capture of TCP packes with the SYN
# header falg set directed at the external interface of
# the local host, the packet filter of '(dst ip) && (tcp[13] & 2 != 0)'
# is used where IP is the IP address of
# the external interface of the machine, For
# illustrative purposes, the IP address of 127.0.0.1 is used in thsis example.
my $filter;
Net::Pcap::compile(
$object,
\$filter,
'(dst 127.0.0.1) && (tcp[13] & 2 != 0)',
0,
$netmask
) && die "Unable to compile packet capture filter";
Net::Pcap::setfilter($object, $filter) &&
die 'Unable to set packet capture filter';
# Set callback function and initialate packet capture loop
Net::Pcap::loop($object, -1, \&syn_packets, '') ||
die 'Unable to perform packet capture';
Net::Pcap::close($object);
sub syn_packets {
my ($user_data, $header, $packet) = @_;
# Strip ethernet encapsulation of captures packet
my $ether_data = NetPacket::Ethernet::strip($packet);
# Decode contents of TCP/IP packet contained within
# captured ethernet packet
my $ip = NetPacket::IP->decode($ether_data);
my $tcp = NetPacket::TCP->decode($ip->{'data'});
# Print all out where its coming from and where its going to!
print
$ip->{'src_ip'}, ":", $tcp->{'src_port'}, " -> ",
$ip->{'dest_ip'}, ":", $tcp->{'dest_port'}, "\n";
}