strange ethereal question
Gerald Combs
gerald at ethereal.com
Thu Jun 12 18:48:28 CDT 2003
On Thu, 12 Jun 2003, Frank Wiles wrote:
> .------[ Gerald Combs wrote (2003/06/12 at 11:31:48) ]------
> |
> | On Thu, 12 Jun 2003, Frank Wiles wrote:
> |
> | > As it turns out it is the raw TCP/IP packet encapsulated in a UDP
> | > packet with 4 bytes of some type of tracking info on the front of
> | > it.
> |
> | What IOS command(s) did you use to enable this feature, if I may ask?
> |
> `-------------------------------------------------
>
> Our network engineer used the cable intercept commands that are
> detailed on this page:
>
> http://www.cisco.com/univercd/cc/td/doc/product/cable/cab_rout/cmtsfg/ufg_cmon.htm

I think the most straightforward method would be to use Net::Pcap. My
Perl is a bit rusty, but it would look something like this:

use Net::Pcap qw(:datalink);
use Time::HiRes qw(gettimeofday);

# $dumpfile can be "-" for stdout
# DLT_EN10MB _should_ be the data link type we want. If it's DOCSIS,
# additional code may be required.
# dump_open() takes a pcap descriptor, so create a "dead" one first.
$pcap = Net::Pcap::open_dead(DLT_EN10MB, 65535);
$pcap_dumper_t = Net::Pcap::dump_open($pcap, $dumpfile);

...
# Open "SOCKET" and listen
...

# recv() returns one whole UDP datagram; <SOCKET> would split binary
# data on newlines.
while (defined recv(SOCKET, $enc_pkt, 65535, 0)) {
    ($sec, $usec) = gettimeofday();      # Required for the packet header
    $packet = substr($enc_pkt, 4);       # Skip the ID
    $header{len} = length($packet);      # Fill in our header
    $header{caplen} = length($packet);
    $header{tv_sec} = $sec;
    $header{tv_usec} = $usec;
    Net::Pcap::dump($pcap_dumper_t, \%header, $packet); # Dump our packet
}

Net::Pcap::dump_close($pcap_dumper_t);
Net::Pcap::close($pcap);
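
The conversion described in this message, as an added example that is not part of the original post: it strips the 4-byte ID from each UDP payload and builds the pcap file bytes directly, which shows what the dump calls write to disk. The sample datagrams, the output filename and the choice to skip datagrams too short to hold a packet are assumptions made for the example.

```python
import struct
import time

ID_LEN = 4        # per the thread: 4 bytes of tracking info precede each packet
DLT_EN10MB = 1    # libpcap link type for Ethernet, as assumed in the message
SNAPLEN = 65535

def pcap_global_header(linktype=DLT_EN10MB, snaplen=SNAPLEN):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (little-endian)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(datagram, ts=None):
    """Strip the ID prefix and return one pcap record, or None if too short."""
    if len(datagram) <= ID_LEN:
        return None
    packet = datagram[ID_LEN:]
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    caplen = min(len(packet), SNAPLEN)
    # Record header: tv_sec, tv_usec, caplen, len (same fields as %header)
    return struct.pack("<IIII", sec, usec, caplen, len(packet)) + packet[:caplen]

def datagrams_to_pcap(datagrams, ts=None):
    """Return (pcap file bytes, number of datagrams skipped as too short)."""
    out = [pcap_global_header()]
    skipped = 0
    for datagram in datagrams:
        record = pcap_record(datagram, ts)
        if record is None:
            skipped += 1
        else:
            out.append(record)
    return b"".join(out), skipped

# Constructed sample input: a 4-byte ID followed by a minimal 60-byte
# Ethernet frame, then a truncated datagram that cannot hold a packet.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46
SAMPLE_DATAGRAMS = [b"\x00\x00\x00\x01" + SAMPLE_FRAME, b"\x00\x01"]

if __name__ == "__main__":
    data, skipped = datagrams_to_pcap(SAMPLE_DATAGRAMS)
    with open("intercept.pcap", "wb") as fh:   # hypothetical output name
        fh.write(data)
    print(f"wrote {len(data)} bytes, skipped {skipped} short datagram(s)")
```

If the encapsulated packets turn out to carry a different link type, only the linktype value in the global header changes.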