不容易啊,终于跟到 write_packet 这里了(注意 write_packet: 后面带冒号,它是所在函数里的一个标号,下面贴的是从这个标号到函数结尾的部分):

write_packet: if(ap_cur != NULL) { if( h80211[0] == 0x80 && G.one_beacon){ if( !ap_cur->beacon_logged ) ap_cur->beacon_logged = 1; else return ( 0 ); } } if(G.record_data) { if( ( (h80211[0] & 0x0C) == 0x00 ) && ( (h80211[0] & 0xF0) == 0xB0 ) ) { /* authentication packet */ check_shared_key(h80211, caplen); } } if(ap_cur != NULL) { if(ap_cur->security != 0 && G.f_encrypt != 0 && ((ap_cur->security & G.f_encrypt) == 0)) { return(1); } } /* this changes the local ap_cur, st_cur and na_cur variables and should be the last check befor the actual write */ if(caplen < 24 && caplen >= 10 && h80211[0]) { /* RTS || CTS || ACK || CF-END || CF-END&CF-ACK*/ //(h80211[0] == 0xB4 || h80211[0] == 0xC4 || h80211[0] == 0xD4 || h80211[0] == 0xE4 || h80211[0] == 0xF4) /* use general control frame detection, as the structure is always the same: mac(s) starting at [4] */ if(h80211[0] & 0x04) { p=h80211+4; while(p <= h80211+16 && p<=h80211+caplen) { memcpy(namac, p, 6); if(memcmp(namac, NULL_MAC, 6) == 0) { p+=6; continue; } if(memcmp(namac, BROADCAST, 6) == 0) { p+=6; continue; } if(G.hide_known) { /* check AP list */ ap_cur = G.ap_1st; ap_prv = NULL; while( ap_cur != NULL ) { if( ! memcmp( ap_cur->bssid, namac, 6 ) ) break; ap_prv = ap_cur; ap_cur = ap_cur->next; } /* if it's an AP, try next mac */ if( ap_cur != NULL ) { p+=6; continue; } /* check ST list */ st_cur = G.st_1st; st_prv = NULL; while( st_cur != NULL ) { if( ! memcmp( st_cur->stmac, namac, 6 ) ) break; st_prv = st_cur; st_cur = st_cur->next; } /* if it's a client, try next mac */ if( st_cur != NULL ) { p+=6; continue; } } /* not found in either AP list or ST list, look through NA list */ na_cur = G.na_1st; na_prv = NULL; while( na_cur != NULL ) { if( ! memcmp( na_cur->namac, namac, 6 ) ) break; na_prv = na_cur; na_cur = na_cur->next; } /* update our chained list of unknown stations */ /* if it's a new mac, add it */ if( na_cur == NULL ) { if( ! 
( na_cur = (struct NA_info *) malloc( sizeof( struct NA_info ) ) ) ) { perror( "malloc failed" ); return( 1 ); } memset( na_cur, 0, sizeof( struct NA_info ) ); if( G.na_1st == NULL ) G.na_1st = na_cur; else na_prv->next = na_cur; memcpy( na_cur->namac, namac, 6 ); na_cur->prev = na_prv; gettimeofday(&(na_cur->tv), NULL); na_cur->tinit = time( NULL ); na_cur->tlast = time( NULL ); na_cur->power = -1; na_cur->channel = -1; na_cur->ack = 0; na_cur->ack_old = 0; na_cur->ackps = 0; na_cur->cts = 0; na_cur->rts_r = 0; na_cur->rts_t = 0; } /* update the last time seen & power*/ na_cur->tlast = time( NULL ); na_cur->power = ri->ri_power; na_cur->channel = ri->ri_channel; switch(h80211[0] & 0xF0) { case 0xB0: if(p == h80211+4) na_cur->rts_r++; if(p == h80211+10) na_cur->rts_t++; break; case 0xC0: na_cur->cts++; break; case 0xD0: na_cur->ack++; break; default: na_cur->other++; break; } /*grab next mac (for rts frames)*/ p+=6; } } } if( G.f_cap != NULL && caplen >= 10) { pkh.caplen = pkh.len = caplen; gettimeofday( &tv, NULL ); pkh.tv_sec = tv.tv_sec; pkh.tv_usec = ( tv.tv_usec & ~0x1ff ) + ri->ri_power + 64; n = sizeof( pkh ); if( fwrite( &pkh, 1, n, G.f_cap ) != (size_t) n ) { perror( "fwrite(packet header) failed" ); return( 1 ); } fflush( stdout ); n = pkh.caplen; if( fwrite( h80211, 1, n, G.f_cap ) != (size_t) n ) { perror( "fwrite(packet data) failed" ); return( 1 ); } fflush( stdout ); } return( 0 ); }

跟了好久,最想知道的是它到底用哪个函数抓包,是不是直接建立 raw socket,不过跟到这里还是没跟出来。不过这段也挺有用的,看这个结构:fwrite( h80211, 1, n, G.f_cap ) != (size_t) n 表明最后写进抓包文件的是 h80211 指向的 n 个字节(这里 n 等于 caplen;h80211 是存放原始帧数据的字节缓冲区,不是以 '\0' 结尾的字符串)。继续看:unsigned char *h80211; 在 main 中是这么定义的。然后看这里:wi_read(wi[i], h80211, sizeof(buffer), &ri)。继续找这个函数,竟然没有,鬼知道它在哪儿定义的。再看下这个 ri 是什么东西:它是指向 rx_info 这个结构的指针,也不知道在哪儿定义,应该是在哪个头文件里吧,以后解决。

顺带一提,上面处理控制帧的那段循环条件是 p<=h80211+caplen,随后直接 memcpy(namac, p, 6);当 p+6 超过 caplen 时,拷进 namac 的会是本帧长度之外的字节(缓冲区本身有多大这里看不到),读这段代码时要留意这个边界。