NAME

Net::Inspect - library for inspection of data on various network layers

SYNOPSIS

    use Net::Pcap 'pcap_loop';
    use Net::Inspect::L2::Pcap;
    use Net::Inspect::L3::IP;
    use Net::Inspect::L4::TCP;
    use Net::Inspect::L7::HTTP;
    use Net::Inspect::L7::HTTP::Request::InspectChain;
    use Net::Inspect::Debug;

    my $pcap = Net::Pcap->new...
    ...
    my $l7 = Net::Inspect::L7::HTTP->new;
    my $l4 = Net::Inspect::L4::TCP->new($l7);
    my $l3 = Net::Inspect::L3::IP->new($l4);
    my $l2 = Net::Inspect::L2::Pcap->new($pcap,$l3);

    pcap_loop($pcap,-1,sub {
        my (undef,$hdr,$data) = @_;
        return $l2->pktin($data,$hdr);
    });

DESCRIPTION

The idea of Net::Inspect is to plug various layers of network inspection together to analyze data. This is roughly what Wireshark or an IDS does, except that this is in Perl and therefore slower to execute but faster to develop and maybe more flexible too.

One can start analysis on some level and stop it at any higher level. There are various useful tools in tools/ which make use of this library:

tcpflow

gets data from pcap file or does live capture and extracts tcp connections into separate files.

httpflow

gets data from a pcap file or does live capture and extracts HTTP requests into separate files. Does request unchunking and decompression. Works with persistent and with pipelined HTTP connections.

http_inspection_proxy

simple http(s) proxy with the ability to inspect and transform requests. Contrary to tcpflow and httpflow it starts analysis at the TCP layer, not at the pcap layer.

Because of non-blocking DNS lookups and connects and DNS caching, the proxy is fast enough to be used in simple production setups. It can also store each HTTP connection as a single pcap file for further analysis.

Currently the following modules are implemented:

Net::Inspect::L2::Pcap

reads from pcap layer

Net::Inspect::L3::IP

processes raw IP packets, does defragmentation.

Net::Inspect::L4::TCP

handles TCP connections, e.g. connection setup and shutdown and reordering of packets.

Net::Inspect::L4::UDP

handles UDP packets. Can aggregate udp packets in virtual connections.

Net::Inspect::L5::GuessProtocol

tries to guess the higher level protocol from TCP connections.

Net::Inspect::L7::HTTP

handles HTTP connections. Pluggable into Net::Inspect::L5::GuessProtocol.

Net::Inspect::L5::Null

handles connections which don't transport any data. Pluggable into Net::Inspect::L5::GuessProtocol.

Net::Inspect::L5::Unknown

used together with Net::Inspect::L5::GuessProtocol as a fallback if no other protocol handler matched.
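As an added example (not part of the Net::Inspect distribution), the layers above chained as in the SYNOPSIS to turn a pcap file into a request log that also flags credentials carried over cleartext HTTP. The upper-flow callback interface of Net::Inspect::L7::HTTP used here (new_request returning an object whose in_request_header, in_response_header, body/chunk and fatal methods are called) and the saddr/sport/daddr/dport keys of $meta are assumed, not taken from this page; pcap_open_offline is Net::Pcap's.

```perl
use strict; use warnings;
use Net::Pcap qw(pcap_open_offline pcap_loop);
use Net::Inspect::L2::Pcap;
use Net::Inspect::L3::IP;
use Net::Inspect::L4::TCP;
use Net::Inspect::L7::HTTP;

# Request-level flow plugged above Net::Inspect::L7::HTTP.
# ASSUMPTION: L7::HTTP calls new_request on its upper flow for each request
# and then the in_* callbacks on the object new_request returns.
package RequestLogger;
sub new { bless {}, shift }
sub new_request {
    my ($self,$meta,$conn) = @_;
    # $meta is assumed to carry the TCP endpoints (saddr,sport,daddr,dport)
    return bless { meta => $meta, req => '?' }, ref($self);
}
sub in_request_header {
    my ($self,$hdr,$time) = @_;
    my ($method,$url) = $hdr =~ m{\A([A-Z]+)\s+(\S+)};
    my ($host) = $hdr =~ m{^Host:\s*(\S+)}mi;
    # flag credentials sent over cleartext HTTP; only the auth scheme is logged
    my ($scheme) = $hdr =~ m{^Authorization:\s*(\w+)}mi;
    $self->{req} = sprintf "%s %s%s", $method//'?', $host//'-', $url//'-';
    printf "%s:%s -> %s:%s %s%s\n",
        @{$self->{meta}}{qw(saddr sport daddr dport)}, $self->{req},
        $scheme ? " [$scheme credentials in cleartext]" : '';
}
sub in_response_header {
    my ($self,$hdr,$time) = @_;
    my ($status) = $hdr =~ m{\A\S+\s+(\d{3})};
    printf "    <- %s for %s\n", $status//'?', $self->{req};
}
# bodies and chunk framing are not needed for a request log: accept and drop
sub in_request_body  {}
sub in_response_body {}
sub in_chunk_header  {}
sub in_chunk_trailer {}
sub in_data          {}
sub fatal { my ($self,$reason) = @_; warn "HTTP parse error: $reason\n" }

package main;
my $file = shift @ARGV or die "usage: $0 file.pcap\n";
my $err;
my $pcap = pcap_open_offline($file,\$err) or die "pcap: $err\n";
my $l7 = Net::Inspect::L7::HTTP->new(RequestLogger->new);
my $l4 = Net::Inspect::L4::TCP->new($l7);
my $l3 = Net::Inspect::L3::IP->new($l4);
my $l2 = Net::Inspect::L2::Pcap->new($pcap,$l3);
pcap_loop($pcap,-1,sub { my (undef,$hdr,$data) = @_; $l2->pktin($data,$hdr) },'');
```

Because L4::TCP reorders segments and L7::HTTP handles persistent and pipelined connections, each request and its response are matched even when they span several packets.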

BUGS

Probably still a lot. The HTTP part was tested with a lot of real-life traffic, so it should be kind of stable. There is currently no support for IPv6.

SEE ALSO

Net::Sharktools, Net::Analysis

AUTHOR

Steffen Ullrich, <sullr@cpan.org>

COPYRIGHT

Copyright 2011-2013 Steffen Ullrich

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.