Net::Inspect::L4::TCP - get IP data, extracts TCP connections
    my $tcp = Net::Inspect::L4::TCP->new;
    my $raw = Net::Inspect::L3::IP->new($tcp);
    $tcp->pktin($data,\%meta);
Gets IP packets via pktin method and handles connections.
Provides the hooks required by Net::Inspect::L3::IP.
Hooks provided:
Hooks called on the attached flow object:
syn: called when the first SYN is received. Meta data are saddr, sport, daddr, dport and time. If it returns false the connection will not be set up, but in this case it will be called on the second SYN too (because it does not keep track of ignored connections).
new_connection: will be called when the final ACK of the 3-way handshake is received. Must return a connection object or the connection will be ignored. Same meta data as in syn.
The connection object will be stored in the flow as long as the connection is open. The next hooks will be called on the connection object instead of the object attached to the flow.
Methods called on the connection object:
Will be called when new data arrived and got acked. $dir is the direction of the data (e.g. 0 for data from client, 1 for data from server). If $eof is 1 only this direction got closed; if it is 2 both sides got closed. Otherwise $eof is false.
Must return the number of bytes processed from $data. The rest of the data will be kept inside the flow object and if new data come in (or FIN gets ACKed) the hook will be called again with all unprocessed data.
If $eof is true the hook should process all data, because it will not be called again for this direction.
$time is the time when the data arrived. If the data arrived at different times (like after reordering) the earliest time gets used.
Will be called on fatal errors of the connection, e.g. lost packets.
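The data hook contract described above (return the bytes consumed, get the remainder again later, take everything on $eof), as an added example that is not part of the original documentation or the module's own code. The hook name in and its argument order follow the Net::Inspect distribution and do not appear on this page; LineConn and deliver are hypothetical, and deliver only stands in for the buffering the flow object is described as doing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical connection object: consumes complete "\n"-terminated lines.
package LineConn;
sub new { return bless { lines => [[],[]], closed => 0 }, shift }

# Contract from the text: return the number of bytes processed; the
# caller keeps the rest and passes it again together with later data.
sub in {
    my ($self,$dir,$data,$eof,$time) = @_;
    my $used = 0;
    while ($data =~ /\G([^\n]*)\n/gc) {
        push @{ $self->{lines}[$dir] }, $1;
        $used = pos($data);
    }
    if ($eof) {
        # No further call for this direction: take the unterminated tail too.
        push @{ $self->{lines}[$dir] }, substr($data,$used)
            if $used < length($data);
        $used = length($data);
        $self->{closed} = $eof;   # 1: this direction closed, 2: both closed
    }
    return $used;
}

package main;

# Stand-in for the flow's buffering (assumption, not Net::Inspect code):
# unprocessed bytes are kept per direction and offered again.
my @pending = ('','');
sub deliver {
    my ($conn,$dir,$chunk,$eof,$time) = @_;
    $pending[$dir] .= $chunk;
    my $n = $conn->in($dir,$pending[$dir],$eof,$time);
    substr($pending[$dir],0,$n,'');
    return $n;
}

my $conn = LineConn->new;
# Constructed sample: a request split across segments, then a reply.
deliver($conn,0,"GET / HT",0,1.0);           # no newline yet, nothing consumed
deliver($conn,0,"TP/1.0\nHost: a",0,1.1);    # first line completes
deliver($conn,0,"",1,1.2);                   # client closes: tail is flushed
deliver($conn,1,"HTTP/1.0 200 OK\n",2,1.3);  # server data, both sides closed
print "dir $_: ", join(' | ', @{ $conn->{lines}[$_] }), "\n" for 0,1;
```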
Methods useful for overwriting
syn: the default implementation will just call syn from the attached flow object.
new_connection: the default implementation will just call new_connection from the attached flow object.
It will not croak on strange flag combinations.
You should call expire regularly, otherwise connections missing the final handshake will not be expired.