这次的主要目标是展示如何解析所捕获的数据饭协议首部,这里选择分析UDP协议而不是其它协议,是因为它比其它的协议更简单。
/*
* Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy)
* Copyright (c) 2005 - 2006 CACE Technologies, Davis (California)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the Politecnico di Torino, CACE Technologies
* nor the names of its contributors may be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include<iostream>
#include<pcap.h>
// 4字节的IP地址
struct ip_address{
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
};
//ipv4首部
struct ip_header{
u_char ver_ihl; // 版本(4 bits)+首部长度(4 bits)
u_char tos; // 服务类型(Type of service)
u_short tlen; // 总长
u_short identification; // 标识
u_short flags_fo; // 标志位(3 bits)+段偏移(13 bits)
u_char ttl; // 存活时间
u_char proto; // 协议
u_short crc; // 首部校验和
ip_address saddr; // 源地址
ip_address daddr; // 目的地址
u_int op_pad; // 选项与填充
};
// UDP首部
struct udp_header{
u_short sport; // 源端口
u_short dport; // 目的端口
u_short len; // UDP数据包长度
u_short crc; //校验和
};
/* 回调函数原型 */
void packet_handler(u_char *param, const pcap_pkthdr *header, const u_char *pkt_data);
int main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
char errbuf[PCAP_ERRBUF_SIZE];
//获取设备列表
if(pcap_findalldevs_ex(PCAP_SRC_IF_STRING,NULL,&alldevs,errbuf)==-1)
{
fprintf(stderr,"Error in pcap_findalldevs:%s\n",errbuf);
exit(1);
}
//打印列表
int i = 0;
for(d=alldevs;d;d=d->next)
{
printf("%d. %s",++i,d->name);
if(d->description)
printf("(%s)\n",d->name);
else
printf("(No descriptioin available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed. \n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
int inum;
scanf("%d",&inum);
if(inum<1||inum>i)
{
printf("\nInterface number out of range.\n");
pcap_freealldevs(alldevs);
return -1;
}
//跳转到已选设备
for(d=alldevs,i=0;i<inum-1;d=d->next,i++)
;
//打开适配器
pcap_t *adhandle;
if((adhandle=pcap_open(d->name,65536,PCAP_OPENFLAG_PROMISCUOUS,1000,NULL,errbuf))==NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n",errbuf);
pcap_freealldevs(alldevs);
return -1;
}
//检查数据链路层,为了简单,只考虑以太网
if(pcap_datalink(adhandle)!=DLT_EN10MB)
{
fprintf(stderr,"\nThis program workds only on Ethernet networks. \n");
pcap_freealldevs(alldevs);
return -1;
}
u_int netmask;
if(d->addresses != NULL)
netmask = ((sockaddr_in*)(d->addresses->netmask))->sin_addr.S_un.S_addr;
else
netmask = 0xffffff;
char packet_filter[] = "ip and udp";
bpf_program fcode;
//编译过滤器
if(pcap_compile(adhandle,&fcode,packet_filter,1,netmask))
{
fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax. \n");
pcap_freealldevs(alldevs);
return -1;
}
//设置过滤器
if(pcap_setfilter(adhandle,&fcode)<0)
{
fprintf(stderr,"\nError setting the filter.\n");
pcap_freealldevs(alldevs);
return -1;
}
printf("\nlistening on %s...\n",d->description);
pcap_freealldevs(alldevs);
pcap_loop(adhandle,0,packet_handler,NULL);
return 0;
}
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
tm *ltime;
char timestr[16];
ip_header *ih;
udp_header *uh;
u_int ip_len;
u_short sport,dport;
time_t local_tv_sec;
//将时间戳转换为可识别的格式
local_tv_sec = header->ts.tv_sec;
ltime = localtime(&local_tv_sec);
strftime(timestr,sizeof timestr,"%H:%M:%S",ltime);
//打印数据包的时间戳和长度
printf("%s.%.6d len:%d",timestr,header->ts.tv_usec,header->len);
//获取IP数据据包头部的位置
ih = (ip_header*) (pkt_data+14);//以太网头部长度
//获取UDP首部位置
ip_len = (ih->ver_ihl&0xf)*4;
uh = (udp_header*)((u_char*)ih+ip_len);
//将网络字节序列转换成主机字节序列
sport = ntohs(uh->sport);
dport = ntohs(uh->dport);
//打印IP地址和UDP端口
printf("%d.%d.%d.%d.%d -> %d.%d.%d.%d.%d\n",
ih->saddr.byte1,ih->saddr.byte2,ih->saddr.byte3,ih->saddr.byte4,sport,
ih->daddr.byte1,ih->daddr.byte2,ih->daddr.byte3,ih->daddr.byte4,dport);
}
首先,将过滤器设置成“ip and udp”。在这种方式下,我们确信packet_handler()只会收到基于IPv4的UDP数据包,这将简化解析过程,提高程序的效率。
packet_handler(),尽管只受限于单个协议的解析(比如基于IPV4的UDP),不过它展示了捕捉器(sniffers)是多么的复杂,就像TcpDump和WinDump对网络数据流进行解码那样。在开始捕捉前,使用了pcap_datalink()对MAC层进行检测,以确保我们是在处理一个以太网络。
最后欢迎大家访问我的个人网站: 1024s