[NETFRAME] Net::Packet::Dump / Net::Frame::Dump::Online - Concurrent Simultaneous Capture Limit?
Brian Manning
elspicyjack at gmail.com
Thu Jun 11 18:02:24 CEST 2009
On Thu, Jun 11, 2009 at 6:09 AM, Darien Kindlund<darien at kindlund.com> wrote:
> Let's say you have this perl code running on a linux router that's
> networked to 50 other systems on a local Class-C subnet. All network
> traffic from 50 systems go through your router. As such, I'm trying
> to create individual .pcap files, based upon the source MAC addresses
> of each of the 50 systems. More importantly, these .pcap files have
> to capture packets for a specific period of time -- so I can't just
> let the .pcap file grow indefinitely.
>
> My other thought would be to simply create a single
> Net::Frame::Dump::Online session, and somehow register 50 different
> callback handlers, where each handler writes a different .pcap, based
> upon the source MAC address of one of the systems. The great benefit
> of this approach is that we can reuse a single (long running) forked
> process. However, the problems with this approach are:
Or capture the traffic via a straight tcpdump session and write it to
a pcap file, then process it offline.
> 2) It's not easy to filter by source MAC address from within perl,
> using the Net::Frame code (it's possible, but probably certainly
> slower than using libpcap's built in filters).
Yep, you'll be wanting to massage the data as much in tcpdump/libpcap
as possible.
> 3) Inside any of the callback code, even if we get a corresponding
> Net::Frame::Simple object, which holds our matching packet (based on
> source MAC address), it's not clear to me how I could easily write
> that packet out to a .pcap file using Net::Frame::Dump::Writer.
Maybe filter the master capture file using tcpdump into smaller files
that can be processed individually? (the 'capture and process offline'
idea above)
This is basically what I ended up doing for our network guys at $work;
they hand me pcap files of all of the traffic on a specific subnet,
and I got to filter it down so they could see the pattern of traffic
flow between the two hosts in the IP transaction. My first try was to
show them all of the layer 3 and above traffic between hosts on that
subnet and everywhere else, but they said it was too much. So I used
tcpdump to re-filter their pcap file so it only shows packets on that
subnet with the SYN flag set. Works the charm.
Thanks,
Brian
Filter a set of pcap files via tcpdump to only show packets with the
SYN flag set
/usr/sbin/tcpdump -r "$OLDSNIFF" -w "synonlysniffs/$NEWSNIFF" \
    'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'   # as written, keeps packets with SYN or FIN set
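Darien's goal (one .pcap per source MAC, bounded in time) done the way Brian suggests, offline after a tcpdump capture. This is an added example in Python, not code from the thread or from Net::Frame; it assumes a classic little-endian pcap with Ethernet link type, and the sample capture at the bottom is constructed inline.

```python
# Added example, not from the original thread: split a capture into one pcap per
# source MAC address, offline and in pure Python (no libpcap/Net::Frame needed).
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian here

def pcap_global_header(snaplen=65535, linktype=1):  # linktype 1 = Ethernet
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic: %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl

def split_by_src_mac(data, window_secs=None):
    """Return {src_mac: pcap_bytes}; with window_secs, stop once the capture has
    run that long after the first frame, so no per-host file grows indefinitely."""
    out = defaultdict(lambda: bytearray(pcap_global_header()))
    start = None
    for ts_sec, ts_usec, frame in iter_pcap(data):
        if len(frame) < 14:  # truncated Ethernet header: skip, never index past it
            continue
        start = ts_sec if start is None else start
        if window_secs is not None and ts_sec - start >= window_secs:
            break
        src = ":".join("%02x" % b for b in frame[6:12])  # bytes 6..11 = source MAC
        out[src] += pcap_record(ts_sec, ts_usec, frame)
    return dict(out)

def count_records(pcap_bytes):
    return sum(1 for _ in iter_pcap(pcap_bytes))

# Constructed sample capture: three hosts, the first one sending twice.
def _frame(src_mac):  # Ethernet header + IPv4 ethertype + dummy payload
    return b"\xff" * 6 + src_mac + b"\x08\x00" + b"\x00" * 20
HOSTS = [b"\x00\x11\x22\x33\x44\x01", b"\x00\x11\x22\x33\x44\x02",
         b"\x00\x11\x22\x33\x44\x01", b"\x00\x11\x22\x33\x44\x03"]
SAMPLE_PCAP = pcap_global_header() + b"".join(
    pcap_record(1000 + i, 0, _frame(mac)) for i, mac in enumerate(HOSTS))
```

Writing each returned value to a `<mac>.pcap` file gives the per-host captures; if the split has to happen live rather than offline, tcpdump's own `ether src` filter does the same selection in libpcap, which is where the thread recommends doing as much filtering as possible.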