Sniffer::Connection - contain basic information about a TCP connection


  my $conn = Sniffer::Connection->new(
    tcp           => $packet,
    sent_data     => sub { $self->sent_data(@_) },
    received_data => sub { $self->received_data(@_) },
    closed        => sub {},
    teardown      => sub { $self->closed->($self) },
    log           => sub { print $_[0] },

This module will try to give you the ordered data stream from a TCP connection. You supply callbacks for the data. The data is returned as the ACK-packets are seen for it.

As the TCP-reordering is cooked out by me, it likely has bugs, but I have used this module for sniffing some out-of-order TCP connection.

$conn->init_from_packet TCP

Initializes the connection data from a packet.

$conn->handle_packet TCP [, TIMESTAMP]

Handles a packet and updates the status according to the packet.

The optional TIMESTAMP parameter allows you to attach a timestamp (in seconds since the epoch) to the packet if you have a capture file with timestamps. It defaults to the value of time.


Returns the timestamp in epoch seconds of the last activity of the socket. This can be convenient to determine if a connection has gone stale.

This timestamp should be fed in via handle_packet if it is available. Capturing via Sniffer::HTTP::run and Sniffer::HTTP::run_file supplies the correct Net::Pcap timestamps and thus will reproduce all sessions faithfully.

update_activity [TIMESTAMP]

Updates last_activity and supplies a default timestamp of time.


  • Implement a (configurable?) timeout (of say 5 minutes) after which connections get auto-closed to reduce resource usage.

  • Data can only be forwarded after there has been the ACK packet for it!


The whole module suite has almost no tests.

If you experience problems, please supply me with a complete, relevant packet dump as the included creates. Even better, supply me with (failing) tests.


Max Maischein (


Copyright (C) 2005-2021 Max Maischein. All Rights Reserved.

This code is free software; you can redistribute it and/or modify it under the same terms as Perl itself.