NAME
Net::Analysis - Modules for analysing network traffic
SYNOPSIS
Using a builtin analyser:
$ perl -MNet::Analysis -e main help
$ perl -MNet::Analysis -e main TCP,v=1 dump.tcp - basic TCP info
$ perl -MNet::Analysis -e main HTTP,v=1 dump.tcp - HTTP stuff
Writing your own analyser:
    package MyExample;
    use base qw(Net::Analysis::Listener::Base);

    # Listen to events from other modules
    sub tcp_monologue {
        my ($self, $args) = @_;
        my ($mono) = $args->{monologue};

        my $t = $mono->t_elapsed()->as_number();
        my $l = $mono->length();

        # Emit your own event
        $self->emit(name => 'example_event',
                    args => { kb_sec => ($t) ? $l/($t*1024) : 'N/A' }
                   );
    }

    # Process your own event
    sub example_event {
        my ($self, $args) = @_;
        printf "Bandwidth: %10.2f KB/sec\n", $args->{kb_sec};
    }

    1;
ABSTRACT
Net::Analysis is a suite of modules that parse tcpdump files, reconstruct TCP sessions from the packets, and provide a very lightweight framework for writing protocol analysers.
DESCRIPTION
I wanted a batch version of Ethereal in Perl, so I could:
sift through parsed protocols with structured filters
write custom reports that mixed events from multiple protocols
So here it is. Net::Analysis is a stack of protocol handlers that emit, and listen for, events.
At the bottom level, a combination of Net::Pcap and NetPacket emit tcp_packet events as they are read from the input file.
The TCP listener (Net::Analysis::Listener::TCP) picks up these packets, and reconstructs TCP streams; in turn, it emits tcp_monologue events. A monologue is a series of bytes sent in one direction in a TCP stream; a typical TCP session will involve a number of monologues, back and forth.
For example, a typical TCP session for HTTP will consist of two monologues: the request (client to server), and then the response (server to client). If you have HTTP KeepAlive/pipelining on, though, you may see multiple requests in the same TCP session. A typical SMTP session will involve a rapid sequence of small monologues as the sender talks SMTP, before sending the bulk of the (hopefully not bulk) email.
The protocol analysers tend to listen for the tcp_monologue event and build from there. For example, the HTTP listener (Net::Analysis::Listener::HTTP) listens for tcp_monologues, pairs them up, creates HTTP::Request and HTTP::Response objects for them, and emits http_transaction events.
If you wanted to sift for transactions to a certain website, this is the event you'd listen for:
    package NoseyParker;
    use base qw(Net::Analysis::Listener::Base);

    # Listen for HTTP things
    sub http_transaction {
        my ($self, $args) = @_;
        my ($http_req) = $args->{req};  # $args documented in Listener::HTTP.pm

        # Check our HTTP::Request object ...
        if ($http_req->uri() =~ /cpan.org/) {
            print "Perl fan !\n";
        }
    }
Each event can set up whichever arguments it wants to. These are documented in the module that emits the event. By convention, the event name is prefixed by the protocol name (e.g. tcp_session_start, http_transaction).
The events emitted by this base distribution are:
    tcp_session_start - session established, provides socketpair
    tcp_session_end
    tcp_packet        - might be out of order, or a duplicate
    tcp_monologue     - the packets glued together
    http_transaction  - a request and its response
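As an added example (not part of the distribution), here is a listener that uses the http_transaction event from a defender's point of view: it tallies which hosts a capture talked to and flags requests that carried HTTP Basic credentials over plaintext HTTP. It assumes the listener object is a blessed hash that can hold extra keys, that the custom event name cleartext_auth is ours to choose, and that the listener is invoked like the builtin ones (perl -MNet::Analysis -e main CredentialWatch dump.tcp).

```perl
package CredentialWatch;
use strict;
use warnings;
use base qw(Net::Analysis::Listener::Base);

# Listen for paired request/response events from Listener::HTTP
sub http_transaction {
    my ($self, $args) = @_;
    my $req = $args->{req};    # HTTP::Request, as documented in Listener::HTTP.pm
    return unless $req;

    # Tally requests per host so the report shows what the capture talked to
    my $host = $req->header('Host') || 'unknown-host';
    $self->{hosts}{$host}++;   # assumes $self is a blessed hash

    # Basic auth is only base64, so on plain HTTP the password is readable
    my $auth = $req->header('Authorization') || '';
    if ($auth =~ /^Basic\s+\S+/i) {
        $self->emit(name => 'cleartext_auth',    # our own event name (hypothetical)
                    args => { host => $host, path => $req->uri()->path() });
    }
}

# Handle our own event; any other listener could subscribe to it as well
sub cleartext_auth {
    my ($self, $args) = @_;
    $self->{findings}++;
    printf "CLEARTEXT BASIC AUTH to %s%s\n", $args->{host}, $args->{path};
}

# Summary; call once the whole capture has been processed
sub report {
    my ($self) = @_;
    my $hosts = $self->{hosts} || {};
    printf "%-40s %6s\n", 'Host', 'Reqs';
    for my $h (sort { $hosts->{$b} <=> $hosts->{$a} } keys %$hosts) {
        printf "%-40s %6d\n", $h, $hosts->{$h};
    }
    printf "%d request(s) carried Basic credentials over plaintext HTTP\n",
           $self->{findings} || 0;
}

1;
```

The report() method is not wired to any event; call it from your own script after main() returns, as the framework's dispatch is described above only in terms of the tcp_* and http_* events.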
See the Net::Analysis::Listener::HTTPClientPerf module for a listener which builds on the HTTP listener to create some pretty graphics.
Or the Net::Analysis::Listener::Corba module for one that builds on the TCP monologues to provide some profiling info on Corba requests.
If you want to write your own listener, the Example one should get you started, or the HTTP one is a good one to clone.
Finally, look at the main() method in Net::Analysis to see how to setup and invoke all the listeners in your own scripts.
TODO
Reliability - to date, only used by me. Exposure to weirder data needed !
Performance - this suite is not suitable for real-time analysis of servers.
UDP support
Other handy protocols - DNS, SMTP, ...
Move event loop and dispatching to POE ?
Move TCP reassembly to Net::LibNIDS ?
SEE ALSO
Net::Analysis::Listener::Example, Net::Analysis::Listener::HTTPClientPerf, Net::Analysis::Listener::Corba, Net::Pcap, NetPacket.
AUTHOR
A. B. Worrall, <worrall@cpan.org>
Please report any bugs via http://rt.cpan.org.
COPYRIGHT AND LICENSE
Copyright (C) 2005 by A. B. Worrall
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.6 or, at your option, any later version of Perl 5 you may have available.