NAME
NetPacket::PFLog - Assembling and disassembling OpenBSD's Packet Filter log header.
VERSION
version 0.43.1
SYNOPSIS
    use NetPacket::PFLog;
    $pfl_obj = NetPacket::PFLog->decode($raw_pkt);
    $pfl_pkt = NetPacket::PFLog->encode();
    $pfl_data = NetPacket::PFLog::strip($raw_pkt);
DESCRIPTION
NetPacket::PFLog provides a set of routines for assembling and disassembling the header attached to packets logged by OpenBSD's Packet Filter.
Methods
- NetPacket::PFLog->decode([RAW PACKET])
    Decode the raw packet data given and return an object containing instance data. This method will quite happily decode garbage input; it is the responsibility of the programmer to ensure valid packet data is passed to this method.
- NetPacket::PFLog->encode()
    Return a PFLog packet encoded with the instance data specified.
Functions
- NetPacket::PFLog::strip([RAW PACKET])
    Return the actual packet logged by Packet Filter that the PFLog header is describing. This data is suitable to be used as input for other NetPacket::* modules. This function is equivalent to creating an object using the decode() constructor and returning the data field of that object.
Instance data
The instance data for the NetPacket::PFLog object consists of the following fields:
- len
    The length of the pflog header.
- af
    The address family, which denotes whether the packet is IPv4 or IPv6.
- action
    The action (block, pass, or scrub) that was taken on the packet.
- reason
    The reason that the action was taken.
- ifname
    The name of the interface the packet was passing through.
- ruleset
    The name of the subruleset that the matching rule is a member of. If the value is empty, the matching rule is in the main ruleset.
- rulenr
    The rule number that the packet matched.
- subrulenr
    The rule number in the subruleset that the packet matched. The value will be 2^32-1 if the packet matched in the main ruleset only.
- uid
    The uid of the local process that generated the logged packet, if applicable.
- pid
    The pid of the local process that generated the logged packet, if applicable.
- rule_uid
    The uid of the process that inserted the rule that caused the packet to be logged.
- rule_pid
    The pid of the process that inserted the rule that caused the packet to be logged.
- dir
    The direction the packet was travelling through the interface.
- pad
    Padding data.
- data
    The actual IPv4 or IPv6 packet that was logged by Packet Filter.
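The field list above is the module's view of the header; the script below is an added example (not code from NetPacket::PFLog or its author) that unpacks a constructed pflog record field by field in that same order, so the wire layout behind the instance data is visible. The byte layout, field widths and byte order (struct pfloghdr from OpenBSD's net/if_pflog.h: four one-byte fields, two 16-byte NUL-padded names, six 32-bit integers, one direction byte, three pad bytes) and the numeric codes in the name tables (from net/pfvar.h) are assumptions; the module's own unpack template and its presentation of af, action, reason and dir may differ. The functions decode_pflog and strip_pflog and the sample record are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed wire layout of the pflog header, in the field order listed above
# and matching struct pfloghdr in OpenBSD's <net/if_pflog.h> (2003-2009 era):
#   len, af, action, reason        : 1 byte each
#   ifname, ruleset                : 16 bytes each, NUL padded
#   rulenr, subrulenr              : 32-bit, network byte order
#   uid, pid, rule_uid, rule_pid   : 32-bit
#   dir                            : 1 byte
#   pad                            : 3 bytes
# Everything after these 64 bytes is the logged IPv4/IPv6 packet (the data field).
my $PFLOG_FMT    = 'C C C C Z16 Z16 N N N N N N C a3 a*';
my $PFLOG_HDRLEN = 64;
my @PFLOG_FIELDS = qw(len af action reason ifname ruleset rulenr subrulenr
                      uid pid rule_uid rule_pid dir pad data);

# Numeric codes as used by OpenBSD pf (assumed from <net/pfvar.h>); the
# NetPacket::PFLog module itself may present these fields differently.
my %AF     = (2 => 'inet', 24 => 'inet6');
my %ACTION = (0 => 'pass', 1 => 'block', 2 => 'scrub');
my %DIR    = (0 => 'in/out', 1 => 'in', 2 => 'out');
my %REASON = (0 => 'match', 1 => 'bad-offset', 2 => 'fragment', 3 => 'short',
              4 => 'normalize', 5 => 'memory');

# Decode one pflog record into a hash of named fields, refusing input that is
# too short to hold the header (the module's decode() does not check this).
sub decode_pflog {
    my ($raw) = @_;
    die sprintf("pflog record too short: %d bytes, need %d\n",
                length($raw), $PFLOG_HDRLEN) if length($raw) < $PFLOG_HDRLEN;
    my %h;
    @h{@PFLOG_FIELDS} = unpack($PFLOG_FMT, $raw);
    $h{af_name}     = $AF{$h{af}}         // "af=$h{af}";
    $h{action_name} = $ACTION{$h{action}} // "action=$h{action}";
    $h{dir_name}    = $DIR{$h{dir}}       // "dir=$h{dir}";
    $h{reason_name} = $REASON{$h{reason}} // "reason=$h{reason}";
    # subrulenr of 2^32-1 means the rule matched in the main ruleset only.
    $h{in_main_ruleset} = $h{subrulenr} == 0xFFFFFFFF ? 1 : 0;
    return \%h;
}

# Equivalent of strip(): the logged packet is whatever follows the header.
sub strip_pflog {
    my ($raw) = @_;
    return decode_pflog($raw)->{data};
}

# Constructed sample record (not captured from a real system): "block in on
# em0 (match)" by rule 5 of the main ruleset, with no socket lookup (uid and
# pid set to all ones) and a minimal 20-byte IPv4 header as the logged packet.
# len is 61 here because the kernel stores the header length without the pad.
my $ipv4 = pack('C C n n n C C n a4 a4',
    0x45, 0, 20, 0x1234, 0, 64, 6, 0,
    pack('C4', 192, 0, 2, 1), pack('C4', 198, 51, 100, 7));
my $raw = pack($PFLOG_FMT,
    61, 2, 1, 0, 'em0', '', 5, 0xFFFFFFFF,
    0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 1, "\0\0\0", $ipv4);

my $h = decode_pflog($raw);
printf "%s %s on %s (%s) %s af=%s\n",
    $h->{action_name}, $h->{dir_name}, $h->{ifname}, $h->{reason_name},
    $h->{in_main_ruleset}
        ? "rule $h->{rulenr}"
        : "rule $h->{rulenr}, sub-rule $h->{subrulenr} in anchor $h->{ruleset}",
    $h->{af_name};
my $data = strip_pflog($raw);
printf "logged packet: %d bytes, IP version %d\n",
    length($data), unpack('C', $data) >> 4;
```

Run as a plain script; it needs no capture device. The length check at the top of decode_pflog is the one thing this adds over decode(): a record shorter than the header would otherwise unpack into empty or partial fields and be reported as if it were valid.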
Exports
- default
    none
- exportable
    Data Link Type: DLT_PFLOG
    Strip function: pflog_strip
- The following tags can be used to export certain items:
EXAMPLE
The following prints the action, direction, interface name, and reason:
    #!/usr/bin/perl -w
    use strict;
    use Net::PcapUtils;
    use NetPacket::PFLog;

    # Called once per captured pflog record.
    sub process_pkt {
        my ($user, $hdr, $pkt) = @_;
        # Decode the pflog header; the logged packet itself is left in $pfl_obj->{data}.
        my $pfl_obj = NetPacket::PFLog->decode($pkt);
        print("$pfl_obj->{action} $pfl_obj->{dir} ");
        print("on $pfl_obj->{ifname} ($pfl_obj->{reason})\n");
    }

    # Without a DEV argument Net::PcapUtils captures from the default device;
    # pass DEV => 'pflog0' to read OpenBSD's pflog interface.
    Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip or ip6');
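A longer added example, written for this page rather than taken from the module's documentation, carries the same capture loop one step further: it keeps only blocked packets, hands the output of strip() to NetPacket::IP, NetPacket::TCP and NetPacket::UDP to show which connection was dropped, reports the rule using the ruleset/rulenr/subrulenr fields as described under Instance data, and tallies blocks per rule. It assumes decode() reports the action as the word 'block' and an empty ruleset for the main ruleset, as the field list states, and that DEV and NUMPACKETS are accepted by Net::PcapUtils::loop; the interface name pflog0 is OpenBSD's default pflog interface.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::PcapUtils;
use NetPacket::PFLog;
use NetPacket::IP qw(:protos);   # IP_PROTO_TCP, IP_PROTO_UDP
use NetPacket::TCP;
use NetPacket::UDP;

# Count blocked packets per matching rule; printed when the capture ends.
my %blocked_by_rule;

sub process_pkt {
    my ($user, $hdr, $pkt) = @_;
    my $pfl = NetPacket::PFLog->decode($pkt);

    # Report only what pf blocked (action names as listed under Instance data).
    return unless $pfl->{action} eq 'block';

    # strip() returns the logged packet, the same bytes decode() put in {data};
    # it is the input the other NetPacket::* decoders expect.
    my $data = NetPacket::PFLog::strip($pkt);

    # decode() accepts anything, so confirm the IP version from the packet
    # itself before handing it to NetPacket::IP.
    my $ver = length($data) ? unpack('C', $data) >> 4 : 0;
    if ($ver != 4) {
        printf "block %s on %s (%s): non-IPv4 payload, version %d, %d bytes\n",
            $pfl->{dir}, $pfl->{ifname}, $pfl->{reason}, $ver, length($data);
        return;
    }

    my $ip = NetPacket::IP->decode($data);
    my ($src, $dst, $proto) = ($ip->{src_ip}, $ip->{dest_ip}, "proto $ip->{proto}");
    if ($ip->{proto} == IP_PROTO_TCP) {
        my $tcp = NetPacket::TCP->decode($ip->{data});
        ($src, $dst, $proto) = ("$src:$tcp->{src_port}", "$dst:$tcp->{dest_port}", 'tcp');
    } elsif ($ip->{proto} == IP_PROTO_UDP) {
        my $udp = NetPacket::UDP->decode($ip->{data});
        ($src, $dst, $proto) = ("$src:$udp->{src_port}", "$dst:$udp->{dest_port}", 'udp');
    }

    # An empty ruleset means the rule lives in the main ruleset; otherwise
    # rulenr is the anchor rule and subrulenr the rule inside it.
    my $rule = $pfl->{ruleset} eq ''
        ? "rule $pfl->{rulenr}"
        : "rule $pfl->{rulenr}/$pfl->{subrulenr} in anchor $pfl->{ruleset}";
    $blocked_by_rule{$rule}++;

    printf "block %s on %s (%s): %s %s -> %s [%s]\n",
        $pfl->{dir}, $pfl->{ifname}, $pfl->{reason}, $proto, $src, $dst, $rule;
}

# DEV selects the pflog interface (pflog0 is OpenBSD's default) and
# NUMPACKETS bounds the run; both are assumed Net::PcapUtils::loop options.
Net::PcapUtils::loop(\&process_pkt,
    DEV        => 'pflog0',
    FILTER     => 'ip or ip6',
    NUMPACKETS => 100);

print "\nblocked packets per rule:\n";
printf "%6d  %s\n", $blocked_by_rule{$_}, $_
    for sort { $blocked_by_rule{$b} <=> $blocked_by_rule{$a} } keys %blocked_by_rule;
```

Reading the pflog interface requires the same privileges as tcpdump on it. The version-nibble check is deliberate: because decode() performs no validation, the script trusts the packet bytes rather than the header's af field when deciding which decoder to call, and IPv6 records (let through by the 'ip or ip6' filter) are summarised rather than passed to the IPv4 decoder.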
TODO
Nothing at this time.
COPYRIGHT
Copyright (c) 2003-2009 Joel Knight <knight.joel@gmail.com>
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AUTHOR
Joel Knight <knight.joel@gmail.com>