#!/usr/bin/perl -w
# quick dirty msn sniffer
#
# $Id: msndump.pl,v 1.4 2004/11/18 11:52:41 meh Exp $
# you need Net::Pcap and Net::Packet
# use cpan or get manually
#
#
my $filter = 'tcp and port 1863';
# no modify below
use Getopt::Std;
use Net::Pcap;
use NetPacket::IP qw (:strip);
use NetPacket::Ethernet qw (:strip);
use NetPacket::TCP;
use Fcntl;
$|=1;
my $flags |= O_NONBLOCK;
my %opts;
getopt("wicr",\%opts);
if ( (!($opts{i})) && (!($opts{r})) ) {
print "[ msndump - miscname.com ]\n Usage:\n\t-i rl0 || -r file.pcap\n\t-c X - capture X packets\n\t-w freshIMz.txt\n\t-v show all msn IM data\n\n";
exit;
}
if ((!$opts{r}) && ($> != '0')) {
die ("you need uid 0\n");
}
# trap sigs
$SIG{INT} = $SIG{TERM} = $SIG{HUP} = \&exitd;
# create pcap
my $pcap = &cap_pkt;
if (!($pcap)) {
die ("cant capture\n");
}
# open fh if -w set
if ($opts{w}) {
open (FILEOUT,">$opts{w}") || die ("cant open $opts{w} ($!)\n");
fcntl(FILEOUT, F_SETFL, $flags) or die ("couldn't set nonblock for $opts{w} ($!)\n");
}
# main capture
if (($opts{c}) && ($opts{c} =~ /(\d+)/)) {
print "stopping after $1 packets\n";
Net::Pcap::loop($pcap, $1, \&proc_pkt, 0);
&exitd;
} else {
Net::Pcap::loop($pcap, -1, \&proc_pkt, 0);
my %stats;
Net::Pcap::stats($pcap, \%stats);
unless ($opts{r}) {
print "saw $stats{ps_recv} packets, dropped $stats{ps_drop}\n";
}
}
# sub procs
sub exitd {
# free
Net::Pcap::close($pcap);
# close fh
if ($opts{w}) {
print "wrote $opts{w}.\n";
close FILEOUT;
}
}
sub cap_pkt {
my ($pcap,$dev,$err,$mask,$net,$filter2);
my $snaplen = 4096; # seen some big im's :(
my $promisc = 1; # promisc of course
my $timeout = 0; # timeout
# file.pcap?
if ($opts{r}) {
# open offline
$pcap = Net::Pcap::open_offline($opts{r}, \$err);
if (!($pcap)) {
die("error opening $opts{r} ($err)\n");
} else {
print "reading from '$opts{r}'\n";
}
} else {
# set dev from cmdline
$dev = $opts{i};
# get netmask for filter
if ((Net::Pcap::lookupnet($dev, \$net, \$mask, \$err)) == -1 ) {
die ("Net::Pcap::lookupnet failed ($err) for device '$dev'\n");
}
# open it
$pcap = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err);
if (!($pcap)) {
die ("can't create packet fd ($err) on device '$dev'\n");
} else {
print "dumping on '$dev'\n";
}
}
# sanity check
if (!($pcap)) {
die ("sanity check failed - \$pcap null\n");
} elsif (!($mask)) {
$mask = '0'; # for open_offline
}
# make filter struct
if (Net::Pcap::compile($pcap, \$filter2, $filter, 1, $mask) != '0') {
die ("broken filter ($filter)\n");
}
# apply
Net::Pcap::setfilter($pcap, $filter2);
return $pcap;
}
sub proc_pkt {
my($user_data, $hdr, $pkt) = @_;
my ($user,$msg);
# get tcp section only from packet
my $tcp_obj = NetPacket::TCP->decode(ip_strip(eth_strip($pkt))); # stripping ip header makes =~ faster
# verbose shows all traf
if ($opts{v}) {
if (!($opts{w})) {
print "$tcp_obj->{data}\n";
} else {
print FILEOUT "$tcp_obj->{data}\n";
}
} elsif (($tcp_obj->{data} !~ /MSG/m) || ($tcp_obj->{data} =~ /P2P-Dest:/m)) {
# skip if its a message (or a p2p file transfer)
# if your reading this, include 'P2P-Dest:' in your message body to avoid sniffer ;)
;
} else {
# extract goodies
if ( $tcp_obj->{data} =~ /MSG (.*)\s|TypingUser: (.*)\s|P4-Context: (.*)\s/ ) {
$user = $1;
}
if ($tcp_obj->{data} =~ /X-MMS-IM-Format:\s\S*\s\S*\s\S*\s\S*\s\S*\s*(.*)/m) {
$msg = $1;
}
# display if we have both
if (($user) && ($msg)) {
if (!($opts{w})) {
print "\n----------------------------------------------------\n";
print "TIME: " . localtime($hdr->{tv_sec}) . "\n";
print "TO/FROM: $user\nMESSAGE:\n$msg\n";
} else {
print FILEOUT "\n----------------------------------------------------\n";
print FILEOUT "TIME: " . localtime($hdr->{tv_sec}) . "\n";
print FILEOUT "TO/FROM: $user\nMESSAGE: \n$msg\n\n";
}
}
}
}
#e0f
阅读(1037) | 评论(1) | 转发(0) |
