This semester I took the intrusion detection lab. I had planned from the start to build this packet analysis system, but my procrastination struck again, so now I am learning PHP and working on intrusion detection at the same time (to keep on schedule, I will post updates from time to time to push myself).
The program I am building mainly imitates the Snort intrusion detection system. Since the start of the semester, with my teacher's help, I have read some material: mainly a senior student's graduation project written in C#, and two books, 《Snort2.0 入侵检测》 (Snort 2.0 Intrusion Detection) and 《Snort轻量级入侵检测系统全攻略》 (The Complete Guide to the Snort Lightweight Intrusion Detection System). (Both are fairly old, but still very useful for learning.)
I will not go into WinPcap or the individual protocols here, but before starting on this you must study the structure of the packets.
1. Packet structure
(Figures: IP, UDP and TCP header layouts)
Build classes that mirror these packet structures, and analyze the Jpcap packet classes.
Open the Jpcap API: the IPPacket class
Analysis of the IPPacket class methods (IP packet format)
getVersion - gets the IP version number
public int getVersion()
Get the IP version code.
getIPHeaderLength - gets the size of the IP header in bytes
public int getIPHeaderLength()
Fetch the IP header length in bytes.
getHeaderLength - gets the IP header length
public int getHeaderLength()
Fetch the packet IP header length.
Overrides:
getHeaderLength in class EthernetPacket
getLength - gets the length of the IP datagram
public int getLength()
Fetch the IP length in bytes.
getId - gets the packet id
public int getId()
Fetch the unique ID of this IP datagram. The ID normally increments by one each time a datagram is sent by a host.
getFragmentFlags - gets the fragmentation flags
public int getFragmentFlags()
Fetch fragmentation flags.
getFragmentOffset - gets the fragment offset
public int getFragmentOffset()
Fetch fragmentation offset.
getTimeToLive - gets the time to live
public int getTimeToLive()
Fetch the time to live. TTL sets the upper limit on the number of routers through which this IP datagram is allowed to pass.
getIPProtocol - gets the IP protocol type
public int getIPProtocol()
Fetch the code indicating the type of protocol embedded in the IP datagram. @see IPProtocols.
getProtocol - gets the packet protocol
public int getProtocol()
Fetch the code indicating the type of protocol embedded in the IP datagram. @see IPProtocols.
Overrides:
getProtocol in class EthernetPacket
getIPChecksum - gets the IP checksum
public int getIPChecksum()
Fetch the header checksum.
getChecksum - gets the header checksum
public int getChecksum()
Fetch the header checksum.
getSourceAddress - gets the source address
public java.lang.String getSourceAddress()
Fetch the IP address of the host where the packet originated from.
getSourceAddressBytes - gets the source address (as a byte array)
public byte[] getSourceAddressBytes()
Fetc
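As an added example (not from the original post and not Jpcap code), here is a plain-Python parser for a raw IPv4 header that exposes the same fields the IPPacket getters above return, and also recomputes the header checksum, which a packet analyzer should verify before trusting the other fields. The sample header bytes and the small protocol table are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Small subset of IP protocol numbers (cf. the IPProtocols class referenced above)
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class IPv4Header:
    version: int           # getVersion
    header_length: int     # getIPHeaderLength, in bytes (IHL * 4)
    total_length: int      # getLength
    ident: int             # getId
    flags: int             # getFragmentFlags: 3 bits, bit 1 = DF, bit 0 = MF
    fragment_offset: int   # getFragmentOffset, in 8-byte units
    ttl: int               # getTimeToLive
    protocol: int          # getIPProtocol
    protocol_name: str
    checksum: int          # getIPChecksum, as carried in the header
    checksum_ok: bool      # recomputed over the header and compared
    src: str               # getSourceAddress (dotted quad)
    dst: str

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words, with the checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]   # header length is a multiple of 4
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(raw: bytes) -> IPv4Header:
    """Parse the fixed 20-byte header; IP options are covered by the checksum only."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(raw):
        raise ValueError("not IPv4 or invalid header length")
    return IPv4Header(
        version, ihl, total_len, ident, frag >> 13, frag & 0x1FFF, ttl, proto,
        IP_PROTOCOLS.get(proto, "other"), csum, ip_checksum(raw[:ihl]) == csum,
        ".".join(map(str, src)), ".".join(map(str, dst)))

# Constructed sample header: IPv4, IHL 5, total length 52, id 0xabcd, DF set,
# TTL 64, protocol 6 (TCP), checksum 0x7af4, 10.0.0.1 -> 10.0.0.2
SAMPLE_HEADER = bytes.fromhex("45000034abcd400040067af40a0000010a000002")
```

Flipping any header byte (for example the TTL) makes checksum_ok come back False, which is the signal to discard or flag the packet rather than feed its fields into later analysis.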