Net::Packet::Dump - a tcpdump-like object providing frame capturing


   use Net::Packet::Dump;

   # Example live capture (sniffer like)

   # Instanciate object, will start capturing from network
   my $dump = Net::Packet::Dump->new(
      filter  => 'tcp',
      noStore => 1,

   while (1) {
      if (my $frame = $dump->next) {
         print $frame->l2->print, "\n" if $frame->l2;
         print $frame->l3->print, "\n" if $frame->l3;
         print $frame->l4->print, "\n" if $frame->l4;
         print $frame->l7->print, "\n" if $frame->l7;

   # Example offline analysis

   my $dump2 = Net::Packet::Dump->new(
      unlinkOnDestroy => 0,
      file            => 'existant-file.pcap',
      callStart       => 0,

   # Analyze the .pcap file, build an array of Net::Packet::Frame's

   # Browses captured frames
   for ($dump->frames) {
      # Do what you want
      print $_->l2->print, "\n" if $_->l2;
      print $_->l3->print, "\n" if $_->l3;
      print $_->l4->print, "\n" if $_->l4;
      print $_->l7->print, "\n" if $_->l7;


This module is the capturing part of Net::Packet framework. It is basically a tcpdump process. When a capture starts, the tcpdump process is forked, and saves all traffic to a .pcap file. The parent process can call next, nextAll or analyze to convert captured frames from .pcap file to Net::Packet::Frames.

Then, you can call recv method on your sent frames to see if a corresponding reply is waiting in the frames array attribute of Net::Packet::Dump.

By default, if you use this module to analyze frames you've sent (very likely ;)), and you've sent those frames at layer 4 (using Net::Packet::DescL4) (for example), lower layers will be wiped on storing in frames array. This behaviour can be disabled using noLayerWipe attribute.



Stores a Net::Packet::Env object. It is used in start method, for example. The default is to use the global $Env object created when using Net::Packet.


Where to save captured frames. By default, a random name file is chosen, named like `netpacket-tmp-$$.@{[getRandom32bitsInt()]}.pcap'.


A pcap filter to restrain what to capture. It also works in offline mode, to analyze only what you want, and not all traffic. Default to capture all traffic. WARNING: every time a packet passes this filter, and the next method is called, the internal counter used by b<timeoutOnNext> is reset. So the timeout attribute can only be used if you now exactly that the filter will only catch what you want and not perturbating traffic.


If the file exists, setting this to 1 will overwrite it. Default to not overwrite it.


When the stop method is called, you should wait a few seconds before stopping the capture. The default is to wait for 3 seconds.


Is auto set to 1 when a timeout has occured. It is not set to 0 automatically, you need to do it yourself.


Each time next method is called, an internal counter is incremented if no frame has been capture. When a frame is captured (that is, a frame passed the pcap filter), the timeout attribute is reset to 0. When the counter reaches the value of timeoutOnNext, the timeout attribute is set to 1, meaning no frames have been captured during the specified amount of time. Default to 3 seconds.


This one stores the latest received frame after a call to next method. If a next call is done, and no frame is received, this attribute is set to undef.


When set to 1, the capturing process starts right after new method has finished executing. When set to 0, you must call start method to start capturing. Default to 1.


When the capturing process is running, this is set to 1. So, when start method has been called, it is set to 1, and when stop method is called, set to 0.


When the Net::Packet::Dump object goes out of scope, the DESTROY method is called, and if this attribute is set to 1, the file is removed. BEWARE: default to 1.


If you set this attribute to 1, frames will not be stored in frames array. It is used in sniffer-like programs, in order to avoid memory exhaustion by keeping all captured Net::Packet::Frame into memory. Default is to store frames.


As explained in DESCRIPTION, if you send packets at layer 4, layer 2 and 3 are not keeped when stored in frames. The same is true when sending at layer 3 (layer 2 is not kept). Default to wipe those layers. WARNING: if you set it to 1, and you need the recv method from Net::Packet::Frame, it will fail. In fact, this is a speed improvements, that is in order to find matching frame for your request, they are stored in a hash, using layer as keys (getKey and getKeyReverse are used to get keys from each layer. So, if you do not wipe layers, a key will be used to store the frame, but another will be used to search for it, and no match will be found. This is a current limitation I'm working on to remove.


By default, when a Net::Packet::Dump object is created, the default $Env object has its dump attribute pointing to it. If you do not want this behaviour, you can disable it by setting it to 1. Default to 0.


Stores all analyzed frames found in a pcap file in this array.


Stores all analyzed frames found in a pcap file in this hash, using keys to store and search related packet request/replies.



Object contructor. Default values for attributes:

env: $Env

file: "netpacket-tmp-$$.@{[getRandom32bitsInt()]}.pcap"

filter: ""

overwrite: 0

waitOnStop: 3

timeout: 0

timeoutOnNext: 3

callStart: 1

isRunning: 0

unlinkOnDestroy: 1

noStore: 0

noLayerWipe: 0

noEnvSet: 0


Forks the tcpdump-like process that do frame capturing saved to a file. It does not forks a new process if the specified file attribute exists, and overwrite attributes is set to 0. It also sets isRunning to 1 if a process is forked.


Tries to get packet statistics on an open descriptor. It returns a reference to a hash that has to following fields: ps_recv, ps_drop, ps_ifdrop.


Kills the tcpdump-like process, and sets isRunning to 0. It first waits waitOnStop seconds before killing it.


Will removed all analyzed frames from frames array and framesSorted hash. Use it with caution, because recv from Net::Packet::Frame relies on those.


Returns the next captured frames; undef if none found in .pcap file. In all cases, nextFrame attribute is set (either to the captured frame or undef). Each time this method is run, a comparison is done to see if no frame has been captured during timeoutOnNext amount of seconds. If so, timeout attribute is set to 1 to reflect the pending timeout. When a frame is received, it is stored in frames array, and in framesSorted hash, used to quickly recv it (see Net::Packet::Frame), and internal counter for time elapsed since last received packet is reset.


Calls next method until it returns undef (meaning no new frame waiting to be analyzed from pcap file).

framesFor (scalar)

You pass a Net::Packet::Frame has parameter, and it returns an array of all frames relating to the connection. For example, when you send a TCP SYN packet, this method will return TCP packets relating to the used source/destination IP, source/destination port, and also related ICMP packets.


Patrice <GomoR> Auffret


Copyright (c) 2004-2006, Patrice <GomoR> Auffret

You may distribute this module under the terms of the Artistic license. See LICENSE.Artistic file in the source distribution archive.


NetPacket, Net::RawIP, Net::RawSock