NAME
Net::Pcap::Reassemble - IP fragment reassembly for Net::Pcap
SYNOPSIS
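    use Net::Pcap;
    use Net::Pcap::Reassemble;
    my $err;
    # $opt_p holds the path to the pcap capture file
    my $pcap_t = Net::Pcap::open_offline($opt_p, \$err);
    if (!defined($pcap_t)) {
        print STDERR "Net::Pcap::open_offline returned error: $err\n";
        exit 1;
    }
    # callback() is invoked only for complete (reassembled) packets
    Net::Pcap::Reassemble::loop($pcap_t, -1, \&callback, "user data");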
DESCRIPTION
This module performs reassembly of fragmented datagrams in libpcap packet capture data returned by the Net::Pcap loop() function. This module supports reassembly of IPv4 and IPv6 fragments.
FUNCTIONS
- loop($pcap, $count, \&callback, $user_data)
The loop() function in Net::Pcap::Reassemble is intended as a seamless wrapper around the same function from Net::Pcap and as such it takes the same arguments. Net::Pcap::Reassemble, however, will only invoke the &callback function when it has a complete packet.
The module will print debug information to stdout (mainly packet header values) if the $debug variable in the package namespace evaluates to true:
    $Net::Pcap::Reassemble::debug = 1;
Layer 2 header data (typically an ethernet header) will be omitted from the packet supplied to the callback function if the $stripl2 variable in the package namespace evaluates to true:
    $Net::Pcap::Reassemble::stripl2 = 1;
- flush()
The flush() function destroys the data structures storing any incomplete datagrams. This function can be called after loop() has returned to release memory used by the fragments of incomplete datagrams (assuming your program continues executing after the loop() finishes).
OBJECTS
Data is represented internally using Net::Pcap::Reassemble::Packet and Net::Pcap::Reassemble::Fragment class objects.
- Net::Pcap::Reassemble::Packet
Each `Packet' object represents a complete captured packet and contains:
    An ID: 'srcip dstip IPid protocol' for IPv4; 'srcip dstip IPid' for IPv6
    A list of Net::Pcap::Reassemble::Fragment object references
    The final octet, learned from the packet with MF==0
    A flag to indicate if the fragment list is sorted
It has class functions to add a fragment to the Packet (addfragment()), return a string with information on the fragments received so far (listfragments()), and to test whether a datagram is complete and return its data if it is (iscomplete()).
- Net::Pcap::Reassemble::Fragment
Each `Fragment' object represents an IP datagram fragment and contains:
    Start octet
    End octet
    (M)ore (F)ragments flag (`MF' in IPv4; `M' in IPv6)
    Payload data
It has class functions to return the data above (start(), end(), mf() and data()), and a summary string for debugging (vitals()).
SEE ALSO
BUGS
Stale fragments are not aged out of the pending fragment list. We could look at the pcap header for the capture time of each packet and age out based on that.
This module offers no resistance against fragment overlap attacks, and other such malarky.
loop() should accept an optional anonymous hash reference for option passing.
Incomplete datagrams are left in limbo. Should be able to signal via an option that the callback be invoked for individual fragments as well as the complete datagram.
The IP header in the packet supplied to the callback is from the first datagram. Length and checksum values will be incorrect with respect to the reassembled datagram that the callback sees. The layer 2 header, if present, will be from the last datagram to be captured.
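The first two items above (no ageing of stale fragments, no resistance to overlapping fragments) are checks a caller can make before trusting reassembled data. The following is an added example, not code from this module: the hash layout, the function names find_overlaps() and expire_stale(), the inclusive octet ranges and the sample values are all assumptions made for illustration.

```perl
use strict;
use warnings;
use List::Util qw(min);
# Hypothetical fragment records (not the module's Fragment objects): start/end
# are inclusive octet offsets (assumed), ts is the pcap header capture time.
# Return [earlier, later] pairs whose octet ranges overlap. An exact
# duplicate of a fragment is reported as an overlap too.
sub find_overlaps {
    my @frags = sort { $a->{start} <=> $b->{start} } @_;
    my (@overlaps, $prev);
    for my $f (@frags) {
        push @overlaps, [$prev, $f] if $prev && $f->{start} <= $prev->{end};
        $prev = $f if !$prev || $f->{end} > $prev->{end};
    }
    return @overlaps;
}

# Delete datagrams whose oldest fragment was captured more than $max_age
# seconds before $now; return the IDs that were dropped.
sub expire_stale {
    my ($pending, $now, $max_age) = @_;
    my @dropped;
    for my $id (sort keys %$pending) {
        my $oldest = min map { $_->{ts} } @{ $pending->{$id} };
        next if $now - $oldest <= $max_age;
        delete $pending->{$id};
        push @dropped, $id;
    }
    return @dropped;
}

# Constructed sample data, keyed by the IPv4 ID 'srcip dstip IPid protocol'.
my %pending = (
    '192.0.2.1 192.0.2.2 4242 17' => [
        { start => 0,  end => 7,  mf => 1, ts => 1000 },
        { start => 8,  end => 15, mf => 1, ts => 1000 },
        { start => 12, end => 23, mf => 0, ts => 1001 },  # overlaps 8-15
    ],
    '192.0.2.1 192.0.2.2 4243 17' => [
        { start => 0, end => 7, mf => 1, ts => 900 },     # never completed
    ],
);
for my $id (sort keys %pending) {
    for my $pair (find_overlaps(@{ $pending{$id} })) {
        my ($x, $y) = @$pair;
        print "overlap in [$id]: $x->{start}-$x->{end} vs $y->{start}-$y->{end}\n";
    }
}
print "expired: $_\n" for expire_stale(\%pending, 1001, 60);
```

A datagram with any reported overlap is best discarded or flagged rather than reassembled; RFC 5722 requires exactly that for IPv6.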
LICENSE
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. (Being a speaker of British English, I'd call it a "licence" though)
AUTHOR
James Raftery <james@now.ie>.