NAME

Socket::Packet - interface to Linux's PF_PACKET socket family

SYNOPSIS

use Socket qw( SOCK_RAW );
use Socket::Packet qw(
   PF_PACKET
   ETH_P_ALL
   pack_sockaddr_ll unpack_sockaddr_ll
);

socket( my $sock, PF_PACKET, SOCK_RAW, 0 )
   or die "Cannot socket() - $!\n";

bind( $sock, pack_sockaddr_ll( ETH_P_ALL, 0, 0, 0, "" ) )
   or die "Cannot bind() - $!\n";

while( my $addr = recv( $sock, my $packet, 8192, 0 ) ) {
   my ( $proto, $ifindex, $hatype, $pkttype, $addr )
      = unpack_sockaddr_ll( $addr );

   ...
}

DESCRIPTION

To quote packet(7):

Packet sockets are used to receive or send raw packets at the device driver
(OSI Layer 2) level. They allow the user to implement protocol modules in
user space on top of the physical layer.

Sockets in the PF_PACKET family get direct link-level access to the underlying hardware (i.e. Ethernet or similar). They are usually used to implement packet capturing, or sending of specially-constructed packets or to implement protocols the underlying kernel does not recognise.

The use of PF_PACKET sockets is usually restricted to privileged users only.

This module also provides various other support functions which wrap ioctl()s or socket options. This includes support for PACKET_RX_RING, the high-performance zero-copy packet receive buffering, if the underlying platform supports it.

CONSTANTS

The following constants are exported

PF_PACKET: The packet family (for socket() calls)
AF_PACKET: The address family
PACKET_HOST: This packet is inbound unicast for this host.
PACKET_BROADCAST: This packet is inbound broadcast.
PACKET_MULTICAST: This packet is inbound multicast.
PACKET_OTHERHOST: This packet is inbound unicast for another host.
PACKET_OUTGOING: This packet is outbound.
ETH_P_ALL: Pseudo-protocol number to capture all protocols.
SOL_PACKET: Socket option level for getsockopt and setsockopt.

SOCKET OPTIONS

The following constants define socket options

PACKET_STATISTICS (get; struct tpacket_stats)

Packet received and drop counters.

PACKET_ORIGDEV (get or set; int)

Received packets will indicate the originally-received device, rather than the apparent one. This mainly relates to Ethernet bonding or VLANs.

This socket option is optional, and may not be provided on all platforms.

PACKET_ADD_MEMBERSHIP (set; struct packet_mreq)

PACKET_DROP_MEMBERSHIP (set; struct packet_mreq)

Membership of multicast or broadcast groups, or set promiscuous mode.

The packet_mreq type field should be one of the following:

PACKET_MR_MULTICAST: A multicast group
PACKET_MR_PROMISC: Set or clear the promiscuous flag; the address is ignored
PACKET_MR_ALLMULTI: Set or clear the allmulti flag; the address is ignored

FUNCTIONS

The following pair of functions operate on AF_PACKET address structures. The meanings of the parameters are:

protocol: An ethertype protocol number. When using an address with bind(), the constant ETH_P_ALL can be used instead, to capture any protocol. The pack_sockaddr_ll() and unpack_sockaddr_ll() functions byte-swap this value to or from network endian order.
ifindex: The index number of the interface on which the packet was sent or received. When using an address with bind(), the value 0 can be used instead, to watch all interfaces.
hatype: The hardware ARP type of hardware address.
pkttype: The type of the packet; indicates if it was sent or received. Will be one of the PACKET_* values.
addr: The underlying hardware address, in the type given by hatype.

pack_sockaddr_ll

$a = pack_sockaddr_ll( $protocol, $ifindex, $hatype, $pkttype, $addr )

Returns a sockaddr_ll structure with the fields packed into it.

unpack_sockaddr_ll

( $protocol, $ifindex, $hatype, $pkttype, $addr ) = unpack_sockaddr_ll( $a )

Takes a sockaddr_ll structure and returns the unpacked fields from it.

pack_packet_mreq

$mreq = pack_packet_mreq( $ifindex, $type, $addr )

Returns a packet_mreq structure with the fields packed into it.

unpack_packet_mreq

( $ifindex, $type, $addr ) = unpack_packet_mreq( $mreq )

Takes a packet_mreq structure and returns the unpacked fields from it.

unpack_tpacket_stats

( $packets, $drops ) = unpack_tpacket_stats( $stats )

Takes a tpacket_stats structure from the PACKET_STATISTICS sockopt and returns the unpacked fields from it.

siocgstamp

$time = siocgstamp( $sock )

( $sec, $usec ) = siocgstamp( $sock )

Returns the timestamp of the last received packet on the socket (as obtained by the SIOCGSTAMP ioctl). In scalar context, returns a single floating-point value in UNIX epoch seconds. In list context, returns the number of seconds, and the number of microseconds.

siocgstampns

$time = siocgstampns( $sock )

( $sec, $nsec ) = siocgstampns( $sock )

Returns the nanosecond-precise timestamp of the last received packet on the socket (as obtained by the SIOCGSTAMPNS ioctl). In scalar context, returns a single floating-point value in UNIX epoch seconds. In list context, returns the number of seconds, and the number of nanoseconds.

siocgifindex

$ifindex = siocgifindex( $sock, $ifname )

Returns the ifindex of the interface with the given name if one exists, or undef if not. $sock does not need to be a PF_PACKET socket, any socket handle will do.

siocgifname

$ifname = siocgifname( $sock, $ifindex )

Returns the ifname of the interface at the given index if one exists, or undef if not. $sock does not need to be a PF_PACKET socket, any socket handle will do.

recv_len

( $addr, $len ) = recv_len( $sock, $buffer, $maxlen, $flags )

Similar to Perl's recv builtin, except it returns the packet length as an explict return value. This may be useful if $flags contains the MSG_TRUNC flag, obtaining the true length of the packet on the wire, even if this is longer than the data written in the buffer.

RING-BUFFER FUNCTIONS

The following functions operate on the high-performance memory-mapped buffer feature of PF_PACKET, allowing efficient packet-capture applications to share a buffer with the kernel directly, avoiding the need for per-packet system calls to recv() (and possibly ioctl() to obtain the timestamp).

The ring-buffer is optional, and may not be implemented on all platforms. If it is not implemented, then all the following functions will die with an error message.

setup_rx_ring

$size = setup_rx_ring( $sock, $frame_size, $frame_nr, $block_size )

Sets up the ring-buffer on the socket. The buffer will store $frame_nr frames of up to $frame_size bytes each (including metadata headers), and will be split in the kernel in blocks of $block_size bytes. $block_size should be a power of 2, at minimum, 4KiB.

If successful, the overall size of the buffer in bytes is returned. If not, undef is returned, and $! will hold the error value.

get_ring_frame_status

$status = get_ring_frame_status( $sock )

Returns the frame status of the next frame in the ring.

The following constants are defined for the status:

TP_STATUS_KERNEL: This frame belongs to the kernel and userland should not touch it.
TP_STATUS_USER: This frame belongs to userland and the kernel will not modify it.
TP_STATUS_LOSING: Bitwise-or'ed with the status if packet loss has occurred since the previous frame.

get_ring_frame

$len = get_ring_frame( $sock, $buffer, \%info )

If the next frame is ready for userland, fills in keys of the %info hash with its metadata, sets $buffer to its contents, and return the length of the data. The $buffer variable has its string backing buffer aliased, rather than the buffer copied into, for performance. The caller should not modify the variable, nor attempt to access it after the socket has been closed.

If the frame is not yet ready, this function returns undef.

The following fields are returned:

tp_status: The status of the frame; see get_ring_frame_status()
tp_len: The length of the packet on the wire, in bytes
tp_snaplen: The length of the packet captured and stored in the buffer, in bytes. This may be shorter than tp_len if, for example, a filter is set on the socket that truncated the packet.
tp_sec
tp_nsec: The seconds and nanoseconds fields of the timestamp. If the underlying platform does not support TPACKET_V2, then this field will only have a resolution of microseconds; i.e. it will be a whole multiple of 1000.
tp_vlan_tci: VLAN information about the packet, if the underlying platform supports TPACKET_V2. If this is not supported, the key will not be present in the hash
sll_protocol
sll_ifindex
sll_hatype
sll_pkttype
sll_addr: Fields from the struct sockaddr_ll; see above for more detail

clear_ring_frame

clear_ring_frame( $sock )

Clears the status of current frame to hand it back to the kernel and moves on to the next.

AUTHOR

Paul Evans <leonerd@leonerd.org.uk>

To install Socket::Packet, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Socket::Packet

CPAN shell

perl -MCPAN -e shell
install Socket::Packet

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)