
[转载]Msndump MSN Messenger Sniffer

[转载]Msndump MSN Messenger Sniffer

信息来源:www.hk20.com

The Perl script presented here parses MSN Messenger message packets or P2P traffic and displays their contents. The script uses Net::Pcap to capture and parse the packets. The tool can be modified to parse other headers like 'TypingUser:'

Example usage:
To capture live traffic from device eth0 run:
msndump.pl -i eth0

To capture from tcpdump traffic.pcap file run:
msndump.pl -r traffic.pcap

Source Code:
#!/usr/bin/perl -w
# quick dirty msn sniffer
# [url]http://miscname.com/[/url]
# $Id: msndump.pl,v 1.3 2004/11/17 10:00:33 meh Exp $

# you need Net::Pcap and Net::Packet
# use cpan or get manually
# [url]http://search.cpan.org/CPAN/authors/id/A/AT/ATRAK/NetPacket-0.04.tar.gz[/url]
# [url]http://search.cpan.org/CPAN/authors/id/K/KC/KCARNUT/Net-Pcap-0.05.tar.gz[/url]

# Unprivileged uid/gid the script is meant to switch to once the capture
# device has been opened (opening a live device is what needs root).
my $lowuid = 1001;
my $lowgid = 1001;

# BPF expression handed to Net::Pcap::compile: MSN Messenger (MSNP)
# sessions run over TCP port 1863.
my $filter = 'tcp and port 1863';

# no modify below
use Fcntl;
use Getopt::Std;
use POSIX qw(setgid setuid);
use Net::Pcap;
use NetPacket::Ethernet qw (:strip);
use NetPacket::IP;
# Unbuffered STDOUT so each decoded packet shows up as soon as it is printed.
$| = 1;
# fcntl(F_SETFL) flag word applied to the -w output handle by the main code.
my $flags = O_NONBLOCK;

# Command-line options; every switch takes an argument (getopt, not getopts).
my %opts;
getopt("wicr", \%opts);

# A capture source is mandatory: either a live interface (-i) or a savefile (-r).
unless ($opts{i} || $opts{r}) {
    print "[ msndump - miscname.com ]\n Usage:\n\t-i rl0 || -r file.pcap\n\t-c X - capture X packets\n\t-w freshIMz.txt\n\n";
    exit;
}

# Opening a live device needs root; replaying a savefile does not.
if (!$opts{r} && $> != 0) {
    die("you need uid 0\n");
}

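# Main: open the capture source, drop root, then hand every packet to
# proc_pkt until the -c budget is spent or the source is exhausted.
# The original wrapped this in a restart loop; once privileges are dropped
# a live device cannot be reopened, and a savefile would just be re-read
# from the start, so the capture is run exactly once.

# create pcap - first, because opening a live device needs root
my $pcap = cap_pkt();
if (!$pcap) {
    die("cant capture\n");
}

# drop privs: only when we actually hold root (a non-root -r run keeps its
# own ids).  Groups first, while still root.  POSIX setgid()/setuid()
# replace real, effective and saved ids; plain $< / $> assignment leaves
# the saved id at 0, from which root could be regained.
if ($> == 0) {
    $) = "$lowgid $lowgid";    # effective gid plus the supplementary list
    setgid($lowgid) or die("setgid($lowgid) failed ($!)\n");
    setuid($lowuid) or die("setuid($lowuid) failed ($!)\n");
    if ($< != $lowuid || $> != $lowuid) {
        die("could not drop privileges to uid $lowuid\n");
    }
}

# -w if set.  FILEOUT stays a bareword handle because proc_pkt prints to it
# by that name; the 3-arg open keeps a mode or pipe out of the file name.
if ($opts{w}) {
    open(FILEOUT, '>', $opts{w}) or die("cant open $opts{w} ($!)\n");
    # kept from the original; O_NONBLOCK has no effect on a regular file
    fcntl(FILEOUT, F_SETFL, $flags) or die("couldn't set nonblock for $opts{w} ($!)\n");
}

# capture loop
if ($opts{c} && $opts{c} =~ /(\d+)/) {
    my $count = $1;    # copy before any later regex can clobber $1
    print "stopping after $count packets\n";
    Net::Pcap::loop($pcap, $count, \&proc_pkt, 0);
} else {
    Net::Pcap::loop($pcap, -1, \&proc_pkt, 0);
    # libpcap keeps no receive/drop counters for a savefile, so only ask
    # after a live capture, and only print when the call succeeded.
    if (!$opts{r}) {
        my %stats;
        if (Net::Pcap::stats($pcap, \%stats) == 0) {
            print "saw $stats{ps_recv} packets, dropped $stats{ps_drop}\n";
        }
    }
}

# free it
print "cleaning up\n";
Net::Pcap::close($pcap);
# close fh - check the result, buffered write errors only surface here
if ($opts{w}) {
    close(FILEOUT) or die("error closing $opts{w} ($!)\n");
    print "wrote $opts{w}.\n";
}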

# sub procs below
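# Open the capture source named on the command line and install the BPF
# filter.  With -r the source is a savefile; otherwise -i names a live
# device (root is checked by the caller).  Reads the file-scope %opts and
# $filter.  Returns the pcap handle; dies on any libpcap failure, including
# a filter that compiles but cannot be applied - without that check every
# packet on the wire would reach proc_pkt.
sub cap_pkt {
    my ($pcap, $err, $mask, $net, $filter2);
    my $snaplen = 14096;    # seen some big im's :(
    my $promisc = 1;        # promisc of course
    my $timeout = 0;        # read timeout handed to open_live

    if ($opts{r}) {
        # file.pcap?
        print "reading from '$opts{r}'\n";
        $pcap = Net::Pcap::open_offline($opts{r}, \$err);
        if (!$pcap) {
            die("error opening $opts{r} ($err)\n");
        }
        # a savefile has no netmask; 0 is what compile() expects for "unknown"
        $mask = 0;
    } else {
        # set dev from cmdline
        my $dev = $opts{i};
        print "dumping on '$opts{i}'\n";

        # get netmask for filter
        if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1) {
            die("Net::Pcap::lookupnet failed ($err)\n");
        }

        # open it
        $pcap = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err);
        if (!$pcap) {
            die("can't create packet fd ($err)\n");
        }
    }

    # lookupnet can legitimately hand back an empty mask; fall back to 0
    $mask = 0 unless $mask;

    # make filter struct (optimize = 1)
    if (Net::Pcap::compile($pcap, \$filter2, $filter, 1, $mask) != 0) {
        die("broken filter ($filter)\n");
    }
    # apply - an unapplied filter is silently equivalent to no filter
    if (Net::Pcap::setfilter($pcap, $filter2) != 0) {
        die("can't apply filter ($filter)\n");
    }

    return $pcap;
}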

# Net::Pcap::loop callback, invoked once per captured frame.
#   $user_data - the 0 passed to loop(); unused
#   $hdr       - pcap packet header; unused
#   $pkt       - raw Ethernet frame
# The frame is reduced to an IP object and its payload is scanned with
# plain regexes for MSNP "MSG" text; nothing here parses TCP or
# reassembles streams, so NOTE(review): a message split across segments
# is presumably printed in pieces or missed - confirm against live data.
# Output goes to STDOUT, or to FILEOUT (opened by the main code) when
# -w was given.  Works only because MSNP here is cleartext on port 1863.
sub proc_pkt {

my($user_data, $hdr, $pkt) = @_;
my ($user,$msg);

# eth_strip() drops the Ethernet header; {data} is then the IP payload,
# i.e. the TCP header bytes followed by the MSNP text.
my $ip_obj = NetPacket::IP->decode(eth_strip($pkt));
#my $ip_obj = NetPacket::IP::strip($pkt);

# check if its a message (or a p2p file transfer)
# if your reading this, include 'P2P-Dest:' in your message body to avoid sniffer ;)
# Anything without "MSG", or carrying a P2P-Dest: header, is ignored outright.
if (($ip_obj->{data} !~ /MSG/m) || ($ip_obj->{data} =~ /P2P-Dest:/m)) {
  ;
} else {
  # raw payload is always echoed to STDOUT, even when -w is in effect
  print $ip_obj->{data};
  # extract goodies
  # First alternative: "MSG user@domain ..." -> both captures set.
  # Second alternative has a single group, so when only it matches $2 is
  # undef and the interpolation below warns under -w and yields "name@".
  if ( (($ip_obj->{data} =~ /MSG (.*)\@(.*)/)) || (($ip_obj->{data} =~ /P4-Context: (.*)/)) ) {
  $user = "$1\@$2";
  }

  # Body text: everything after the last "\r" that follows the
  # X-MMS-IM-Format: header (/s lets .* run across line breaks, greedily).
  if ($ip_obj->{data} =~ /X-MMS-IM-Format:\s.*\r(.*)/s) { #\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;(.*)/m) {
  $msg = $1;
  }

  # display if we have either (the test is an OR, not "both")
  if (($user) || ($msg))
  {
  if(!$user)
  {
   $user = "unknown user";
  }
  # $msg may be undef here (user matched, no body): prints empty under -w warning
  if (!($opts{w})) {
   print "\n----------------------------------------------------\n";
   print "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n";
   print "TO/FROM: $user\nMESSAGE:\n$msg\n";
  } else {
   # same record to the -w file; note the extra space and blank line
   print FILEOUT "\n----------------------------------------------------\n";
   print FILEOUT "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n";
   print FILEOUT "TO/FROM: $user\nMESSAGE: \n$msg\n\n";
  }
  }
}
}

#e0f
