File Coverage

blib/lib/Net/Inspect.pm
Criterion Covered Total %
statement 6 6 100.0
branch n/a
condition n/a
subroutine 2 2 100.0
pod n/a
total 8 8 100.0


line stmt bran cond sub pod time code
1 1     1   379 use strict;
  1         2  
  1         24  
2 1     1   4 use warnings;
  1         1  
  1         56  
3             package Net::Inspect;
4              
5             our $VERSION = "0.328";
6             1;
7              
8              
9             =head1 NAME
10              
11             Net::Inspect - library for inspection of data on various network layers
12              
13             =head1 SYNOPSIS
14              
15             use Net::Pcap 'pcap_loop';
16             use Net::Inspect::L2::Pcap;
17             use Net::Inspect::L3::IP;
18             use Net::Inspect::L4::TCP;
19             use Net::Inspect::L7::HTTP;
20             use Net::Inspect::L7::HTTP::Request::InspectChain;
21             use Net::Inspect::Debug;
22              
23             my $pcap = Net::Pcap->new...
24             ...
25             my $l7 = Net::Inspect::L7::HTTP->new;
26             my $l4 = Net::Inspect::L4::TCP->new($l7);
27             my $l3 = Net::Inspect::L3::IP->new($l4);
28             my $l2 = Net::Inspect::L2::Pcap->new($pcap,$l3);
29              
30             pcap_loop($pcap,-1,sub {
31             my (undef,$hdr,$data) = @_;
32             return $l2->pktin($data,$hdr);
33             });
34              
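As an added example (not code from the Net::Inspect distribution or this POD), the SYNOPSIS chain completed into a script that reads a capture file offline instead of the elided live handle. It assumes only the constructors and the pktin() call shown above, plus Net::Pcap's pcap_open_offline, pcap_loop (with the trailing user-data argument Net::Pcap expects) and pcap_close; the packet counter and the usage message are the example's own.

```perl
#!/usr/bin/perl
# Added example, not part of Net::Inspect: feed an offline pcap through the
# L2 -> L3 -> L4 -> L7 inspection chain from the SYNOPSIS.
use strict;
use warnings;
use Net::Pcap qw(pcap_open_offline pcap_loop pcap_close);
use Net::Inspect::L2::Pcap;
use Net::Inspect::L3::IP;
use Net::Inspect::L4::TCP;
use Net::Inspect::L7::HTTP;

my $file = shift @ARGV or die "usage: $0 capture.pcap\n";

# Open the capture file; Net::Pcap reports failures through the error ref.
my $err;
my $pcap = pcap_open_offline($file, \$err)
    or die "cannot open $file: $err\n";

# Build the chain top-down: each layer is handed the next higher layer,
# so a packet entering L2 is decoded, defragmented, reassembled and
# finally parsed as HTTP (assumed constructor signatures from the SYNOPSIS).
my $l7 = Net::Inspect::L7::HTTP->new;
my $l4 = Net::Inspect::L4::TCP->new($l7);
my $l3 = Net::Inspect::L3::IP->new($l4);
my $l2 = Net::Inspect::L2::Pcap->new($pcap, $l3);

# Counter is the example's own; pktin() is the entry point from the SYNOPSIS.
my $npkt = 0;
pcap_loop($pcap, -1, sub {
    my (undef, $hdr, $data) = @_;
    $npkt++;
    return $l2->pktin($data, $hdr);
}, undef);
pcap_close($pcap);

print "fed $npkt packets through the inspection chain\n";
```

Run it as `perl inspect_pcap.pl capture.pcap`. Because the layers are plugged together by handing each constructor the object above it, swapping the top of the chain (for example a different L7 handler) leaves the L2 to L4 code untouched.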
35             =head1 DESCRIPTION
36              
37             The idea of L<Net::Inspect> is to plug various layers of network inspection
38             together to analyze data.
39             This is kind of what wireshark or an IDS do, except this is in perl and
40             therefore slower to execute but faster to develop and maybe more flexible
41             too.
42              
43             One can start analysis on some level and stop it at any higher level.
44             There are various useful tools in tools/ which make use of this library:
45              
46             =over 4
47              
48             =item tcpflow
49              
50             gets data from pcap file or does live capture and extracts tcp connections
51             into separate files.
52              
53             =item httpflow
54              
55             gets data from pcap file or does live capture and extracts http requests
56             into separate files. Does request unchunking and decompression. Works with
57             persistent and with pipelined HTTP connections.
58              
59             =item http_inspection_proxy
60              
61             simple http(s) proxy with the ability to inspect and transform requests.
62             Contrary to L<tcpflow> and L<httpflow> it starts analysis at the TCP
63             layer, not at the pcap layer.
64              
65             Because DNS lookups and connects are non-blocking and DNS results are
66             cached, the proxy is fast enough to be used in simple production setups.
67             It can also store each http connection as a single pcap file for further
68             analysis.
68              
69             =back
70              
71             Currently the following modules are implemented:
72              
73             =over 4
74              
75             =item L<Net::Inspect::L2::Pcap>
76              
77             reads from pcap layer
78              
79             =item L<Net::Inspect::L3::IP>
80              
81             processes raw IP packets, does defragmentation.
82              
83             =item L<Net::Inspect::L4::TCP>
84              
85             handles TCP connections, e.g. connection setup and shutdown and reordering
86             of packets.
87              
88             =item L
89              
90             handles UDP packets. Can aggregate udp packets in virtual connections.
91              
92             =item L
93              
94             tries to guess the higher level protocol from TCP connections.
95              
96             =item L<Net::Inspect::L7::HTTP>
97              
98             handles HTTP connections. Pluggable into L.
99              
100             =item L
101              
102             handles connections which don't transport any data.
103             Pluggable into L.
104              
105             =item L
106              
107             used together with L as a fallback if no
108             other protocol handler matched.
109              
110             =back
111              
112             =head1 BUGS
113              
114             Probably still a lot.
115             The HTTP part was tested with a lot of real-life traffic, so it should be
116             kind of stable. There is currently no support for IPv6.
117              
118             =head1 SEE ALSO
119              
120             L
121             L
122              
123             =head1 AUTHOR
124              
125             Steffen Ullrich,
126              
127             =head1 COPYRIGHT
128              
129             Copyright 2011-2013 Steffen Ullrich
130              
131             This library is free software; you can redistribute it and/or modify it
132             under the same terms as Perl itself.