
Using libpcap to analyse packets on the network (beginner level)



After a few days of intensive effort I have finally understood how to capture packets on a LAN, something I have wanted to do for many years. First, a word about how I got there. I started by searching the web for a large amount of material on sniffers and roughly got the hang of it, but when I looked carefully at the results I found they were all packets from my own machine, not from the whole LAN. So I went looking again, and an expert on linuxsir explained that LANs today are connected with switches rather than the hubs of the past, so to capture the whole LAN's packets you have to use libpcap. I then read a lot of material on libpcap and, after a day's effort, finally have some idea of it. Going over what I collected, all of it explains how to capture packets with libpcap and none of it explains how to analyse them, so I wrote a small example that decodes the details inside a packet. If anything in it is inaccurate, corrections are welcome.

For how to use libpcap, see the material I collected:

http://blog.csdn.net/bat603/archive/2006/09/04/1175729.aspx

http://blog.csdn.net/bat603/archive/2006/09/04/1176251.aspx

The one below goes rather deeper:

http://blog.csdn.net/bat603/archive/2006/09/04/1175271.aspx

Source code and explanation

/*****************************************************************
 *                          rainfish
 *                 http://blog.csdn.net/bat603/
 *  This article may be reproduced freely, but please keep the
 *  author and the source.
 *****************************************************************/
// How to run this program: ./your_exe_file numpackets

/* The header file names were lost from the original include lines; the list below is
 * reconstructed. The original used the Linux kernel ip/tcp headers; glibc's <netinet/ip.h>
 * and <netinet/tcp.h> define struct iphdr / struct tcphdr with the same member names. */
#include <pcap.h>           /* if this gives you an error try pcap/pcap.h; it holds the corresponding data structures, normally under /usr/include/ */
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/ethernet.h>   /* struct ether_header, ETHERTYPE_IP, ETHERTYPE_ARP, ETHER_HDR_LEN */
#include <netinet/ip.h>     /* struct iphdr */
#include <netinet/tcp.h>    /* struct tcphdr. Note which ip/tcp structures are being used; as for how they differ from the alternative headers, I am not clear either. */

/* Callback function, invoked by
 * int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 *
 * What needs explaining here is the meaning of the parameters pkthdr and packet; many
 * references do not explain them, so I can only attempt an explanation.
 * When pcap_loop runs, it calls the callback automatically. pcap_t *p is passed in by the
 * caller (see the example below), whereas pkthdr (libpcap's own packet header) and packet
 * (the captured packet) are filled in correspondingly without any action by the user. The
 * example below also demonstrates this. I am really not certain, because I have not found
 * documentation that covers it.
 */
void my_callback(u_char *user, const struct pcap_pkthdr *pkthdr,
                 const u_char *packet)
{
    struct in_addr addr;
    const struct iphdr *ipptr;
    const struct tcphdr *tcpptr;        // Ethernet, IP and TCP header structures
    const u_char *data;
    pcap_t *descr = (pcap_t *)user;     // capture descriptor, passed through pcap_loop's user pointer
    struct pcap_pkthdr hdr = *pkthdr;   // libpcap's own per-packet header
    const struct ether_header *eptr;    // Ethernet header
    const u_char *ptr;
    size_t ip_hlen, tcp_hlen, data_len, i;
    (void)descr;

    if (packet == NULL)                 // packet has contents, which confirms the guess above
    {
        printf("Didn't grab packet!\n");
        exit(1);
    }

    printf("\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n");
    printf("Grabbed packet of length %u (captured %u bytes)\n", hdr.len, hdr.caplen);
    printf("Received at : %s", ctime((const time_t *)&hdr.ts.tv_sec));
    printf("Ethernet header length is %d\n", ETHER_HDR_LEN);

    if (hdr.caplen < sizeof(struct ether_header))   // never read beyond what was captured
    {
        printf("Truncated Ethernet header\n");
        return;
    }
    eptr = (const struct ether_header *)packet;     // get the Ethernet header
    if (ntohs(eptr->ether_type) == ETHERTYPE_IP)
    {
        printf("Ethernet type hex:%x dec:%d is an IP packet\n",
               ntohs(eptr->ether_type), ntohs(eptr->ether_type));
    }
    else if (ntohs(eptr->ether_type) == ETHERTYPE_ARP)
    {
        printf("Ethernet type hex:%x dec:%d is an ARP packet\n",
               ntohs(eptr->ether_type), ntohs(eptr->ether_type));
    }
    else
    {
        printf("Ethernet type %x not IP\n", ntohs(eptr->ether_type));
        return;                                     // skip this packet rather than exiting the program
    }

    ptr = eptr->ether_dhost;
    i = ETHER_ADDR_LEN;
    printf("Destination Address: ");
    do
    {
        printf("%s%02x", (i == ETHER_ADDR_LEN) ? "" : ":", *ptr++);
    } while (--i > 0);
    printf("\n");

    ptr = eptr->ether_shost;
    i = ETHER_ADDR_LEN;
    printf("Source Address: ");
    do
    {
        printf("%s%02x", (i == ETHER_ADDR_LEN) ? "" : ":", *ptr++);
    } while (--i > 0);
    printf("\n");

    if (ntohs(eptr->ether_type) != ETHERTYPE_IP)    // an ARP frame carries no IP header to decode
        return;

    printf("Now decoding the IP packet.\n");
    if (hdr.caplen < sizeof(struct ether_header) + sizeof(struct iphdr))
    {
        printf("Truncated IP header\n");
        return;
    }
    ipptr = (const struct iphdr *)(packet + sizeof(struct ether_header));   // get the IP header
    ip_hlen = ipptr->ihl * 4;               // IHL is in 32-bit words; the header may carry options
    printf("the IP packets total_length is :%d\n", ntohs(ipptr->tot_len)); // multi-byte fields are in network byte order
    printf("the IP protocol is %d\n", ipptr->protocol);
    addr.s_addr = ipptr->daddr;
    printf("Destination IP: %s\n", inet_ntoa(addr));
    addr.s_addr = ipptr->saddr;
    printf("Source IP: %s\n", inet_ntoa(addr));

    if (ipptr->protocol != IPPROTO_TCP)     // only TCP is decoded below
        return;
    printf("Now decoding the TCP packet.\n");
    if (ip_hlen < sizeof(struct iphdr) ||
        hdr.caplen < sizeof(struct ether_header) + ip_hlen + sizeof(struct tcphdr))
    {
        printf("Truncated TCP header\n");
        return;
    }
    tcpptr = (const struct tcphdr *)(packet + sizeof(struct ether_header) + ip_hlen);   // get the TCP header
    tcp_hlen = tcpptr->doff * 4;            // data offset, also in 32-bit words
    printf("Destination port : %d\n", ntohs(tcpptr->dest));
    printf("Source port : %d\n", ntohs(tcpptr->source));
    printf("the seq of packet is %u\n", ntohl(tcpptr->seq));
    // For the layout of the ip/tcp structures above, see /usr/include/linux/ip.h | tcp.h

    // Payload of the packet; usually not readable text. It is not NUL-terminated, so print
    // only the captured bytes, one by one, instead of handing the pointer to %s.
    if (tcp_hlen < sizeof(struct tcphdr) ||
        hdr.caplen < sizeof(struct ether_header) + ip_hlen + tcp_hlen)
        return;
    data = packet + sizeof(struct ether_header) + ip_hlen + tcp_hlen;
    data_len = hdr.caplen - (sizeof(struct ether_header) + ip_hlen + tcp_hlen);
    printf("the content of packets is \n");
    for (i = 0; i < data_len; i++)
        putchar(isprint(data[i]) ? data[i] : '.');
    printf("\n");
}

int main(int argc, char **argv)
{
    char *dev;
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *descr;

    if (argc != 2)
    {
        fprintf(stdout, "Usage: %s numpackets\n", argv[0]);
        return 0;
    }

    dev = pcap_lookupdev(errbuf);   // deprecated in recent libpcap in favour of pcap_findalldevs(), but still works
    if (dev == NULL)
    {
        printf("%s\n", errbuf);
        exit(1);
    }

    descr = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    // third argument: 1 = promiscuous mode, 0 = non-promiscuous mode
    // fourth argument: read timeout in milliseconds (the original passed -1, which is not portable)
    // BUFSIZ, like PCAP_ERRBUF_SIZE, is already defined in the library headers; relying on it is not recommended
    if (descr == NULL)
    {
        printf("pcap_open_live(): %s\n", errbuf);
        exit(1);
    }

    pcap_loop(descr, atoi(argv[1]), my_callback, (u_char *)descr);   // run the callback; the descriptor is the user pointer
    pcap_close(descr);
    printf("Hello world\n");
    return 0;
}
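The callback above locates the TCP header at a fixed sizeof(struct iphdr) offset and trusts that the capture holds the whole packet. The following added example (mine, not part of the original post) does the same Ethernet/IPv4/TCP decoding on raw byte offsets, honouring the IHL and data-offset fields and bounding every read by caplen, so it needs neither libpcap nor the Linux headers; struct tcp_summary, decode_tcp_frame and the sample frame are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#define ETH_HLEN_BYTES 14          /* dst(6) + src(6) + ethertype(2) */
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NUM 6
struct tcp_summary {
    uint32_t saddr, daddr;         /* host byte order */
    uint16_t sport, dport;         /* host byte order */
    uint32_t seq;
    size_t payload_off, payload_len; /* payload offset in the frame; bytes of it actually captured */
};
/* Read network-order fields straight from the bytes: same result as ntohs()/ntohl(). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
/* Decode the Ethernet/IPv4/TCP headers of one captured frame. caplen is pkthdr->caplen, which may be
 * less than the wire length, so every read is checked. Returns 0 on success, -1 if not IPv4/TCP or truncated. */
int decode_tcp_frame(const uint8_t *pkt, size_t caplen, struct tcp_summary *out)
{
    size_t ip_off = ETH_HLEN_BYTES, ip_hlen, tcp_off, tcp_hlen, ip_end;
    if (caplen < ip_off + 20 || rd16(pkt + 12) != ETHERTYPE_IPV4) return -1;
    if ((pkt[ip_off] >> 4) != 4) return -1;               /* version nibble */
    ip_hlen = (size_t)(pkt[ip_off] & 0x0f) * 4;           /* IHL in 32-bit words: more than 20 when options are present */
    if (ip_hlen < 20 || caplen < ip_off + ip_hlen) return -1;
    if (pkt[ip_off + 9] != IPPROTO_TCP_NUM) return -1;    /* protocol field */
    tcp_off = ip_off + ip_hlen;                           /* not ip_off + sizeof(struct iphdr) */
    if (caplen < tcp_off + 20) return -1;
    tcp_hlen = (size_t)(pkt[tcp_off + 12] >> 4) * 4;      /* TCP data offset, also in 32-bit words */
    if (tcp_hlen < 20 || caplen < tcp_off + tcp_hlen) return -1;
    out->saddr = rd32(pkt + ip_off + 12);
    out->daddr = rd32(pkt + ip_off + 16);
    out->sport = rd16(pkt + tcp_off);
    out->dport = rd16(pkt + tcp_off + 2);
    out->seq   = rd32(pkt + tcp_off + 4);
    out->payload_off = tcp_off + tcp_hlen;
    ip_end = ip_off + rd16(pkt + ip_off + 2);             /* payload ends at the IP total length ... */
    if (ip_end > caplen) ip_end = caplen;                 /* ... or earlier if the capture was cut short */
    out->payload_len = ip_end > out->payload_off ? ip_end - out->payload_off : 0;
    return 0;
}
/* Constructed sample frame (not a real capture): 192.168.1.10:52000 -> 10.0.0.1:80,
 * IHL = 6 (four NOP option bytes), seq 4096, payload "GET". */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet header, type IPv4 */
    0x46,0x00,0x00,0x2f, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,             /* IPv4: v4/IHL 6, total len 47, proto TCP */
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01, 0x01,0x01,0x01,0x01,             /* src, dst, NOP options */
    0xcb,0x20,0x00,0x50, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x00,             /* ports 52000 -> 80, seq, ack */
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,                                   /* doff 5, PSH|ACK, window, csum, urg */
    'G','E','T'                                                                  /* payload */
};
```

Inside a pcap callback this would be called as decode_tcp_frame(packet, pkthdr->caplen, &s); on the sample frame a fixed 20-byte IP offset would read the four option bytes as the start of the TCP header.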

I will write about the filtering mechanism another time.
