packetrain

Homepage

Packetrain is a simple network protocol analyzer.

Download:

    Binary packetrain.rar                 MD5:349DC3847B329FB625C485DB3E6586B
    Source packetrain.pl                  MD5:2F003BB1BD8D6F7F6FBBC774CEA84A2

1. Environment and required modules:

OS      - Windows XP
Perl    - ActiveState Perl 5.8.6
WinPcap - http://www.winpcap.org/install/bin/WinPcap_3_1.exe
Modules
    C:\>ppm install NetPacket
    C:\>ppm install http://www.bribes.org/perl/ppm/Net-Pcap.ppd
    C:\>ppm install http://www.bribes.org/perl/ppm/Net-PcapUtils.ppd

2. Features:

    Lists the currently supported capture devices;
    Supports the ARP, PPP, IP, ICMP, TCP and UDP protocols;
    Pretty-table formatted output;
    Supports filter conditions on protocol fields, e.g. selected fields of the ARP, IP, TCP and UDP headers; see the help output for details;
    Parses HTTP requests and responses and Telnet traffic;
    Ctrl-C stops and resumes the capture process;
    Prints capture statistics before exiting;

3. Options:

D:\Perl\scripts\Packetrain>packetrain.pl -h

    >>packetrain, v0.3
        -?|-h|--help        print help
        -l|--list_device    list supported device                 # list the current devices
        -v|--verbose        print more information                # more detail (frame header, HTTP parsing)
        -P|--promisc        enable promisc mode, default          # enable promiscuous mode
        -n|--counter        capture counter                       # number of packets to capture
        -T|--pretty         enable pretty-table mode              # enable pretty-table output mode
        -D|--device         select device                         # capture device
        -e|--eth_type       eth_type, 'arp'|'ip'(default)         # layer-3 type of the packet, arp or ip
        -i|--ip_proto       ip_proto, 'icmp'|'udp'|'tcp'(default) # layer-4 type of the packet, icmp, tcp or udp
           --arp_spa        ARP, source protocol address          # ARP source protocol address
           --arp_tpa        ARP, target protocol address          # ARP target protocol address
           --arp_pa         ARP, src/target protocol address
           --arp_opc        ARP, opcode, '1'(Request)|'2'(Reply)  # ARP opcode
        -s|--src_ip         IP, source ip                         # IP source address
        -d|--dest_ip        IP, destination ip                    # IP destination address
           --host           IP, src/dest ip                       # IP address (source or destination)
           --icmp_type      ICMP, icmp type                       # ICMP type
           --src_port       TCP/UDP, source port                  # source port
           --dest_port      TCP/UDP, destination port             # destination port
        -p|--port           TCP/UDP, src/dest port                # port (source or destination)

                by shanleiguang@gmail.com, 2006/09


4. Examples:

(1) List the current devices

D:\Perl\scripts\Packetrain>packetrain.pl -l
    +-----------------------------------------------------------------------------------+
    | List Devices                                                                      |
    +---+------+------------------------------------------------------------------------+
    | 1 | dev  | \Device\NPF_GenericDialupAdapter                                       |
    +---+------+------------------------------------------------------------------------+
    |   | desc | Generic dialup adapter                                                 |
    +---+------+------------------------------------------------------------------------+
    | 2 | dev  | \Device\NPF_{36254CA0-14DC-41C7-B672-42144DA11C41}                     |
    +---+------+------------------------------------------------------------------------+
    |   | desc | Intel(R) PRO/100 VE Network Connection (Microsoft's Packet Scheduler)  |
    +---+------+------------------------------------------------------------------------+
    | 3 | dev  | \Device\NPF_{27557047-6486-4E3E-A6AB-E79A570BE2AC}                     |
    +---+------+------------------------------------------------------------------------+
    |   | desc | NOC Extranet Access Adapter (Microsoft's Packet Scheduler)             |
    +---+------+------------------------------------------------------------------------+

(2) Capture ARP packets

D:\Perl\scripts\Packetrain>packetrain.pl -PTD 2 -e arp
    +-----------------------------------------------------------------------------------+
    | List Devices                                                                      |
    +---+------+------------------------------------------------------------------------+
    | 2 | dev  | \Device\NPF_{36254CA0-14DC-41C7-B672-42144DA11C41}                     |
    +---+------+------------------------------------------------------------------------+
    |   | desc | Intel(R) PRO/100 VE Network Connection (Microsoft's Packet Scheduler)  |
    +---+------+------------------------------------------------------------------------+

2006/09/22 16:11:46 , packets rain ...

=No.0===========================================================================
    +----------------------------------------------------------+
    | ARP Packet                                               |
    +--------+-----------------------+-----+-------------------+
    | sha    | 08:00:46:cd:de:a3     | tha | 00:00:00:00:00:00 |
    +--------+-----------------------+-----+-------------------+
    | spa    | xxx.xxx.x.xx          | tpa | xxx.xxx.x.xx      |
    +--------+-----------------------+-----+-------------------+
    | opcode | 1(ARP_OPCODE_REQUEST) | -   | -                 |
    +--------+-----------------------+-----+-------------------+
=No.1===========================================================================
    +--------------------------------------------------------+
    | ARP Packet                                             |
    +--------+---------------------+-----+-------------------+
    | sha    | 00:11:f9:c8:59:f1   | tha | 08:00:46:cd:de:a3 |
    +--------+---------------------+-----+-------------------+
    | spa    | xxx.xxx.x.xx        | tpa | xxx.xxx.x.xx      |
    +--------+---------------------+-----+-------------------+
    | opcode | 2(ARP_OPCODE_REPLY) | -   | -                 |
    +--------+---------------------+-----+-------------------+

...

(3) Capture ICMP packets

D:\Perl\scripts\Packetrain>packetrain.pl -PTD 2 -e ip -i icmp

(4) Capture TCP packets to a given IP address

D:\Perl\scripts\Packetrain>packetrain.pl -PD 2 -i tcp -d x.x.x.x -p 23

(5) Parse the HTTP and Telnet protocols

D:\Perl\perl2exe>packetrain.exe -n 3 -vPTD 2 --dest_port 80
    +-----------------------------------------------------------------------------------+
    | List Devices                                                                      |
    +---+------+------------------------------------------------------------------------+
    | 2 | dev  | \Device\NPF_{36254CA0-14DC-41C7-B672-42144DA11C41}                     |
    +---+------+------------------------------------------------------------------------+
    |   | desc | Intel(R) PRO/100 VE Network Connection (Microsoft's Packet Scheduler)  |
    +---+------+------------------------------------------------------------------------+

2006/09/22 17:17:03 , packets rain ...

=No.0===========================================================================
    +----------------------------------------------+
    | Ethernet Frame Header                        |
    +-------------------+-------------------+------+
    | src_mac           | dest_mac          | type |
    +-------------------+-------------------+------+
    | 00:00:85:45:e0:fc | 00:00:de:a3:80:04 | 2048 |
    +-------------------+-------------------+------+
    +--------------------------------------------------+
    | IP Header                                        |
    +--------+--------------+---------+----------------+
    | ver    | 4            | hlen    | 5              |
    +--------+--------------+---------+----------------+
    | tos    | 0            | len     | 48             |
    +--------+--------------+---------+----------------+
    | flags  | 2            | foffset | 0              |
    +--------+--------------+---------+----------------+
    | id     | 46978        | ttl     | 128            |
    +--------+--------------+---------+----------------+
    | src_ip | xxx.xxx.x.xx | dest_ip | 64.233.189.104 |
    +--------+--------------+---------+----------------+
    | proto  | 6            | cksum   | 27949          |
    +--------+--------------+---------+----------------+
    +------------------------------------------+
    | TCP Header                               |
    +----------+-----------+-----------+-------+
    | src_port | 2667      | dest_port | 80    |
    +----------+-----------+-----------+-------+
    | seqnum   | 533915311 | acknum    | 0     |
    +----------+-----------+-----------+-------+
    | hlen     | 7         | reserved  | 0     |
    +----------+-----------+-----------+-------+
    | flags    | SYN       | winsize   | 65535 |
    +----------+-----------+-----------+-------+
=No.1===========================================================================
    +----------------------------------------------+
    | Ethernet Frame Header                        |
    +-------------------+-------------------+------+
    | src_mac           | dest_mac          | type |
    +-------------------+-------------------+------+
    | 00:00:85:45:e0:fc | 00:00:de:a3:80:04 | 2048 |
    +-------------------+-------------------+------+
    +--------------------------------------------------+
    | IP Header                                        |
    +--------+--------------+---------+----------------+
    | ver    | 4            | hlen    | 5              |
    +--------+--------------+---------+----------------+
    | tos    | 0            | len     | 40             |
    +--------+--------------+---------+----------------+
    | flags  | 2            | foffset | 0              |
    +--------+--------------+---------+----------------+
    | id     | 47001        | ttl     | 128            |
    +--------+--------------+---------+----------------+
    | src_ip | xxx.xxx.x.xx | dest_ip | 64.233.189.104 |
    +--------+--------------+---------+----------------+
    | proto  | 6            | cksum   | 27934          |
    +--------+--------------+---------+----------------+
    +-----------------------------------------------+
    | TCP Header                                    |
    +----------+-----------+-----------+------------+
    | src_port | 2667      | dest_port | 80         |
    +----------+-----------+-----------+------------+
    | seqnum   | 533915312 | acknum    | 3435226945 |
    +----------+-----------+-----------+------------+
    | hlen     | 5         | reserved  | 0          |
    +----------+-----------+-----------+------------+
    | flags    | ACK       | winsize   | 65535      |
    +----------+-----------+-----------+------------+
=No.2===========================================================================
    +----------------------------------------------+
    | Ethernet Frame Header                        |
    +-------------------+-------------------+------+
    | src_mac           | dest_mac          | type |
    +-------------------+-------------------+------+
    | 00:00:85:45:e0:fc | 00:00:de:a3:80:04 | 2048 |
    +-------------------+-------------------+------+
    +--------------------------------------------------+
    | IP Header                                        |
    +--------+--------------+---------+----------------+
    | ver    | 4            | hlen    | 5              |
    +--------+--------------+---------+----------------+
    | tos    | 0            | len     | 768            |
    +--------+--------------+---------+----------------+
    | flags  | 2            | foffset | 0              |
    +--------+--------------+---------+----------------+
    | id     | 47012        | ttl     | 128            |
    +--------+--------------+---------+----------------+
    | src_ip | 211.138.4.60 | dest_ip | 64.233.189.104 |
    +--------+--------------+---------+----------------+
    | proto  | 6            | cksum   | 27195          |
    +--------+--------------+---------+----------------+
    +-----------------------------------------------+
    | TCP Header                                    |
    +----------+-----------+-----------+------------+
    | src_port | 2667      | dest_port | 80         |
    +----------+-----------+-----------+------------+
    | seqnum   | 533915312 | acknum    | 3435226945 |
    +----------+-----------+-----------+------------+
    | hlen     | 5         | reserved  | 0          |
    +----------+-----------+-----------+------------+
    | flags    | ACK|PSH   | winsize   | 65535      |
    +----------+-----------+-----------+------------+
     GET / HTTP/1.1
     Connection: Keep-Alive
     Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
     Accept-Encoding: gzip, deflate
     Accept-Language: en-us,zh-cn;q=0.5
     Host: www.google.com
     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; Google-TR-4)
     Cookie: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     UA-CPU: x86

... ...

D:\Perl\perl2exe>


2006/09/22