.------[ Gerald Combs wrote (2003/06/10 at 17:05:56) ]------
|
| On Tue, 10 Jun 2003, Frank Wiles wrote:
|
| > I have a bit of a strange situation. I have a Cisco router that is
| > sending me a complete copy of a certain MAC address's IP traffic.
| > The traffic is encapsulated in a UDP packet and sent to a specific
| > port on one of my servers.
|
| Could you be a bit more specific about how and what type of data is being
| delivered from the router to your machine? E.g. is it ACL logging info
| (and therefore Syslog)? Is it NetFlow? RMON? One of the many forms of
| tunneling? Some other feature or protocol I'm missing?
|
| Also, is the encapsulated data in its original binary form (and if so, are
| any layers stripped off?), or is it some sort of hexadecimal or text
| representation?

As it turns out it is the raw TCP/IP packet encapsulated in a UDP packet
with 4 bytes of some type of tracking info on the front of it.

| > My ultimate goal is to be able to isolate the HTTP traffic and pull
| > out all sites and URLs visited by this host. I was told that
| > ethereal was probably my best bet at not having to write code to
| > decode the HTTP packets.
| >
| > The problem is, ethereal only sees it as a bunch of UDP packets. I
| > tried redirecting the raw stream to ethereal's STDIN, but it only
| > wants libpcap formatted files via pipes or files.
| >
| > I keep running into the fact that my little Perl UDP server running
| > on port 3000 isn't a real network device.
| >
| > Any ideas on how I can fake ethereal into taking the raw stream,
| > fake the stream into a device, or output the stream in libpcap
| > format?
|
| It depends. If data being delivered to port 3000 contains raw, binary
| encapsulated data you could strip off the header up to the encapsulated
| data and dump it out to libpcap format using the Net::Pcap module. You
| could also dump it out to hex-formatted text and use Ethereal's text2pcap
| utility to convert it. If you're daring you could add support for the
| encapsulation to Ethereal. Instructions are in doc/README.developer in
| the source distribution.
|
| If the data contains hexadecimal-formatted data you would need to parse it
| and use one of the above methods to dump the data.
|
| If it's NetFlow data, you can have Ethereal recognize it by going to
| Edit->Preferences->Protocols->CFLOW and entering port 3000. You're out of
| luck on URL parsing, however, since NetFlow data doesn't deliver the
| contents of TCP packets, just bits of header data.

I looked into using Net::Pcap, but it appeared to only take input from a
network device and didn't appear to allow me to just hand it a packet for
encoding into pcap format. I'll look into saving it out as hex formatted
text. Thanks for your help on this.

---------------------------------
  Frank Wiles
  http://frank.wiles.org
---------------------------------
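Gerald's first two suggestions (strip the router's prefix and write libpcap directly, or emit a hex dump for text2pcap) do not actually need a capture library: a libpcap file is just a 24-byte file header followed by a 16-byte record header per packet, so the UDP server can write it itself. The following is an added example, not code from the thread or from Ethereal; it is written in Python rather than Frank's Perl. It assumes the 4-byte tracking prefix carries nothing the capture needs (its contents here are a constructed counter), uses link type 101 (LINKTYPE_RAW, "packet starts at the IP header"), and builds one constructed IPv4/TCP/HTTP datagram with zero checksums as sample input, which Ethereal/Wireshark will still dissect while flagging the checksums as bad.

```python
import struct
import time

TRACKING_HEADER_LEN = 4   # assumed length of the router's prefix (from the thread)
LINKTYPE_RAW = 101        # libpcap link type: first byte is the IP header
PCAP_MAGIC = 0xA1B2C3D4   # microsecond-timestamp pcap, written in native order


def build_sample_datagram(seq: int = 1) -> bytes:
    """Constructed UDP payload as the router would deliver it: 4 tracking
    bytes + raw IPv4/TCP packet carrying an HTTP request (checksums left 0)."""
    http = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40001, 80,        # source port, destination port
                          1, 0,             # sequence, acknowledgement numbers
                          5 << 4, 0x18,     # data offset 5 words, flags PSH|ACK
                          8192, 0, 0)       # window, checksum (0), urgent pointer
    total_len = 20 + len(tcp_hdr) + len(http)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,        # version/IHL, TOS, total length
                         0x1234, 0,                 # identification, flags/fragment
                         64, 6, 0,                  # TTL, protocol TCP, checksum (0)
                         bytes([10, 0, 0, 5]),      # constructed monitored host
                         bytes([192, 0, 2, 10]))    # constructed web server
    return struct.pack("!I", seq) + ip_hdr + tcp_hdr + http


def strip_tracking_header(datagram: bytes,
                          header_len: int = TRACKING_HEADER_LEN) -> bytes:
    """Drop the router prefix so only the encapsulated IP packet remains.
    Rejects datagrams that are too short or do not start with IPv4 after
    the prefix, so a wrong HEADER_LEN assumption fails loudly."""
    if len(datagram) < header_len + 20:
        raise ValueError("datagram too short for tracking header + IP header")
    packet = datagram[header_len:]
    if packet[0] >> 4 != 4:
        raise ValueError("bytes after tracking header are not an IPv4 packet")
    return packet


def pcap_global_header(linktype: int = LINKTYPE_RAW, snaplen: int = 65535) -> bytes:
    """24-byte libpcap file header: magic, version 2.4, tz 0, sigfigs 0."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet: bytes, timestamp: float) -> bytes:
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) + packet."""
    sec = int(timestamp)
    usec = int((timestamp - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def build_pcap_bytes(packets, timestamps=None) -> bytes:
    """Assemble a complete pcap file image from already-stripped IP packets."""
    out = bytearray(pcap_global_header())
    for i, packet in enumerate(packets):
        ts = timestamps[i] if timestamps else time.time()
        out += pcap_record(packet, ts)
    return bytes(out)


def write_pcap(path: str, packets, timestamps=None) -> int:
    """Write the pcap image to disk; returns the number of bytes written."""
    data = build_pcap_bytes(packets, timestamps)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def to_text2pcap(packet: bytes) -> str:
    """Hex dump of one packet in the 'offset  bytes' layout text2pcap reads;
    offsets restart at 000000 for every packet, which is how text2pcap
    tells packets apart."""
    lines = []
    for off in range(0, len(packet), 16):
        chunk = packet[off:off + 16]
        lines.append("%06x  %s" % (off, " ".join("%02x" % b for b in chunk)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    packets = [strip_tracking_header(build_sample_datagram(i)) for i in range(1, 4)]
    n = write_pcap("captured.pcap", packets)
    print("wrote captured.pcap (%d bytes, %d packets)" % (n, len(packets)))
    # Alternative route: feed this text to  text2pcap -l 101 dump.txt out.pcap
    print(to_text2pcap(packets[0]))
```

The `-l 101` argument to text2pcap tells it the dump starts at the IP header rather than at an Ethernet frame, matching the link type the direct writer uses. If the real traffic turns out to include the Ethernet header inside the UDP payload, change `LINKTYPE_RAW` to 1 (Ethernet) and drop the IPv4 version check in `strip_tracking_header`.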