:begin

Net::Inspect
Steffen Ullrich, GeNUA mbH
Deutscher Perl-Workshop 2012, Erlangen

about:me

Hintergrund

Design Überblick

Push statt Pull

Input/Output auf jeder Ebene

robuste HTTP-Verarbeitung

Design Details

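   # Build the layer stack top-down. Each constructor receives the next layer
   # up as its argument (presumably the handler that packets are pushed to,
   # matching the "push not pull" design - confirm against Net::Inspect docs):
   # Pcap -> IP -> TCP -> HTTP.
   my $http = Net::Inspect::L7::HTTP->new(...);
   my $tcp  = Net::Inspect::L4::TCP->new($http);
   my $ip   = Net::Inspect::L3::IP->new($tcp);
   my $pkts = Net::Inspect::L2::Pcap->new($pcap,$ip);

   # Feed every captured frame into the bottom layer. The callback receives
   # (user_data, header, data); the user-data slot is pcap_loop's 4th
   # argument and is passed explicitly (undef) so this call has the same
   # shape as the pcap mainloop used later in the deck.
   pcap_loop($pcap,-1,sub {
     my (undef,$hdr,$data) = @_;
     return $pkts->pktin($data,$hdr);
   },undef);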

L2::Pcap

L3::IP

L4::TCP

L4::UDP

L5::GuessProtocol

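   # Candidate handlers for L5::GuessProtocol: the HTTP parser, a fallback
   # for unrecognised traffic and a handler for connections without payload.
   # Which attached handler gets a connection is decided by GuessProtocol
   # (attach order presumably matters - confirm).
   my $http     = Net::Inspect::L7::HTTP->new(...);
   my $fallback = Net::Inspect::L5::Unknown->new(...);
   my $empty    = Net::Inspect::L5::NoData->new;
   my $l5 = Net::Inspect::L5::GuessProtocol->new();
   $l5->attach($http);
   $l5->attach($fallback);   # was $unknown: never declared, fails under strict
   $l5->attach($empty);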

L7::HTTP

L7::HTTP::Request::InspectChain

existente Anwendungen

tcpudpflow

httpflow

http_inspection_proxy

http_inspection_proxy - Ideen

weitere Ideen

Beispiel rtpxtract

Layers zusammenstöpseln

    # Wire the extractor into the stack bottom-up: Pcap frames -> IP -> UDP,
    # and the UDP layer hands its packets to the SIP extractor.
    # $udp and $pc are referenced by the pcap mainloop further down.
    my $sip_extractor = SIPXTract->new;
    my $udp = Net::Inspect::L4::UDP->new($sip_extractor);
    my $ip  = Net::Inspect::L3::IP->new($udp);
    my $pc  = Net::Inspect::L2::Pcap->new($pcap,$ip);

SIP Pakete erkennen

    # Extract SDP media descriptions from a SIP packet (fragment of
    # SIPXTract::pktin; the `return`s only make sense inside that sub).
    # Each eval deliberately turns a parse failure on malformed or
    # non-SIP payload into "not a SIP packet" - $@ is intentionally not
    # inspected, so the caller sees no error, just an empty return.
    my $pkt = eval { Net::SIP::Packet->new($data) } 
        or return;
    my $sdp = eval { $pkt->sdp_body } or return;
    # no media section means nothing to track for RTP
    my @media = $sdp->get_media or return;

IP und Port für Medien merken

    # announced media endpoints, keyed by destination address and port
    my %rtp;
    ...
    # save media info in %rtp
    # Two-index subscript: Perl joins addr and port with $; into a single
    # hash key, so every lookup must use the identical (addr, port) form
    # or it silently misses the entry.
    for(@media) {
        $rtp{ $_->{addr},$_->{port} } = $_;
    }

und wenn Daten kommen, Connection erstellen

    package SIPXTract;
    # Media endpoints announced in SDP, keyed "addr$;port" (the two-index
    # subscript joins its keys with $;). File-scoped, filled by the SIP
    # handling at the end of pktin.
    my %rtp;
    # Called for every UDP packet the L4 layer delivers (SIPXTract is the
    # UDP layer's upper handler in the setup slide). Returns a new RTPStream
    # connection for the first packet to an announced media endpoint;
    # otherwise treats the packet as SIP and returns nothing.
    sub pktin {
       my ($self,$data,$meta) = @_;
       # Same (addr, port) subscript form as the store, so the $;-joined key
       # matches. delete: only the first packet creates a stream; later
       # packets of that flow presumably reach the connection object directly
       # via the UDP layer - confirm.
       my $m = delete $rtp{ $meta->{daddr},$meta->{dport} };
       if ($m) {
          # make connection
          my $s = SIPXTract::RTPStream->new($meta,$m);
          $s->pktin(0,$data,$meta->{time});
          return $s;
       }
    
       # NOTE(review): %rtp entries are only removed on a match, so media
       # announced in SDP that never sends data stays in the hash for the
       # lifetime of the run; daddr/dport come straight from the packet.
       .. extract SIP+SDP data
       .. save media info in %rtp
       return; # no connection for SIP packets
    }

und dort RTP-Daten sichern

    package SIPXTract::RTPStream;
    use base 'Net::Inspect::Connection';
    ...
    # Per-stream packet handler. Called by SIPXTract::pktin with dir 0 for
    # the packet that created the stream; later packets presumably arrive
    # through the Net::Inspect::Connection machinery - confirm.
    sub pktin {
        my ($self,$dir,$data,$time) = @_;
        # Refresh the idle deadline on every packet (capture time + 30 s).
        # Presumably read by the UDP layer's expire() call in the mainloop
        # to drop streams that went quiet - confirm.
        $self->{expire} = $time + 30; # short expire
        # NOTE(review): if the output file name is derived from packet
        # fields (addresses, ports, payload), treat them as untrusted and
        # sanitize before building the path.
        ..create file
        ..extract RTP payload
        ..save
    }

pcap mainloop

    # Capture mainloop: every frame goes into the bottom (Pcap) layer, and
    # roughly every 10 s of capture time the UDP layer is asked to expire
    # idle connections (presumably honouring the {expire} deadline set by
    # RTPStream::pktin - confirm). The first frame always triggers expire().
    my $last_expire;
    pcap_loop($pcap,-1,sub {
        my (undef,$hdr,$data) = @_;
        my $now = $hdr->{tv_sec};
        if ( !$last_expire or $now - $last_expire > 10 ) {
            $last_expire = $now;
            $udp->expire($last_expire);
        }
        return $pc->pktin($data,$hdr);
    },undef);

ähnliche Module

Net::Analysis

Sniffer::HTTP (Corion)

Net::Sharktools

weitere Netzwerkanalysetools

related