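// TCP packet decoder.
//
// Bounded substring search used by the sensitive-string filter: true when the
// NUL-terminated needle occurs within the first len bytes of hay.  strstr()
// cannot be used here because hay is raw packet data with no terminator, so a
// payload without a NUL would make strstr() read past the end of the buffer.
static bool TcpPayloadContains(const char * hay, int len, const char * needle)
{
    const size_t nlen = strlen(needle);
    if (nlen == 0) return true;                      // strstr() semantics: empty needle matches
    if (len <= 0 || static_cast<size_t>(len) < nlen) return false;
    for (size_t i = 0; i + nlen <= static_cast<size_t>(len); ++i)
        if (memcmp(hay + i, needle, nlen) == 0) return true;
    return false;
}

// Decodes the TCP segment at TcpBuf (iBufSize bytes, starting at the TCP
// header), applies the global sensitive-string and port filters, prints a
// one-line summary to the console and mirrors it to hFile and hParse, and
// optionally (ParamDecode) dumps the payload.  Always returns true, as the
// original did, so callers cannot tell "filtered out" from "decoded".
//
// Globals read: strSensitive, iPortFilter, szProtocol, szSourceIP, szDestIP,
// iTTL, TcpFlag, hFile, hParse, ParamDecode.
//
// Fixes relative to the original: the header length claimed by the packet is
// validated against iBufSize before it is used as an offset; strstr(),
// strlen() and printf("%s") on the non-terminated payload are replaced by
// bounded equivalents; the fixed-size message buffers are filled with snprintf
// (the 12-byte " bytes=%4d" buffer overflowed for 5-digit sizes); record
// terminators are written as "\r\n" instead of the literal "/r/n", and without
// the trailing NUL that sizeof("...") included.
int DecodeTcpPack(char * TcpBuf, int iBufSize)
{
    // The header fields below are read unconditionally; refuse anything
    // shorter than a TCP header.
    if (TcpBuf == NULL || iBufSize < static_cast<int>(sizeof(TCP_HEADER)))
        return true;
    const TCP_HEADER * pTcpHeader = reinterpret_cast<const TCP_HEADER *>(TcpBuf);

    // Data offset: upper 4 bits of th_lenres, counted in 32-bit words.  The
    // original multiplied by sizeof(unsigned long), which is 8 on LP64 targets;
    // the TCP data-offset unit is always 4 bytes.
    const int TcpHeaderLen = (pTcpHeader->th_lenres >> 4) * 4;
    // A data offset below the 20-byte minimum or beyond the buffer is
    // malformed (or hostile); using it as an offset would read out of bounds.
    if (TcpHeaderLen < 20 || TcpHeaderLen > iBufSize)
        return true;
    const char * TcpData = TcpBuf + TcpHeaderLen;
    // NOTE(review): the ">40" gate below is annotated in the original as
    // IP_HEADER+TCP_HEADER=40, which suggests iBufSize may include the IP
    // header; if so, iDataLen overstates the payload by 20 — confirm with caller.
    const int iDataLen = iBufSize - TcpHeaderLen;

    // Sensitive-string filter: drop the segment unless the payload contains it.
    if (strSensitive && !TcpPayloadContains(TcpData, iDataLen, strSensitive))
        return true;

    // Port filter: a non-zero iPortFilter must match either end.
    const int iSourcePort = ntohs(pTcpHeader->th_sport);
    const int iDestPort = ntohs(pTcpHeader->th_dport);
    if (iPortFilter && iSourcePort != iPortFilter && iDestPort != iPortFilter)
        return true;

    // Flag column: one character per bit, low bit first; '-' for a clear bit.
    char chFlags[7];
    for (int i = 0; i < 6; ++i)
        chFlags[i] = (pTcpHeader->th_flag & (1u << i)) ? TcpFlag[i] : '-';
    chFlags[6] = '\0';

    // Console line (same fields and order as the original's separate printf calls).
    printf("%s %15s:%5d ->%15s:%5d TTL=%3d %s bytes=%4d\n",
           szProtocol, szSourceIP, iSourcePort, szDestIP, iDestPort, iTTL, chFlags, iBufSize);

    // Log record: the same line prefixed by CRLF, length-checked by snprintf.
    char chInfo[160];
    int iLen = snprintf(chInfo, sizeof(chInfo), "\r\n%s %15s:%5d ->%15s:%5d TTL=%3d %s bytes=%4d",
                        szProtocol, szSourceIP, iSourcePort, szDestIP, iDestPort, iTTL, chFlags, iBufSize);
    if (iLen < 0) iLen = 0;                                                      // encoding error: write nothing
    if (iLen >= static_cast<int>(sizeof(chInfo))) iLen = static_cast<int>(sizeof(chInfo)) - 1; // truncated: write what fits
    DWORD dwWriten = 0;
    ::WriteFile(hFile, chInfo, static_cast<DWORD>(iLen), &dwWriten, NULL);
    ::WriteFile(hParse, chInfo, static_cast<DWORD>(iLen), &dwWriten, NULL);

    // Payload dump.  The original gated on iBufSize > 40; keep that gate and
    // additionally require that some payload follows the header.
    if (ParamDecode && iBufSize > 40 && iDataLen > 0)
    {
        // The original treated the payload as a C string (printf "%s" /
        // strlen), which stops at the first NUL but also runs past the end of a
        // payload without one.  Keep the "up to the first NUL" view, bounded.
        const char * pNul = static_cast<const char *>(memchr(TcpData, 0, iDataLen));
        const int iTextLen = pNul ? static_cast<int>(pNul - TcpData) : iDataLen;

        // Payload bytes are echoed raw; a terminal may interpret control
        // sequences contained in network data.
        printf(" [DATA]\n");
        printf("%.*s", iTextLen, TcpData);
        printf("\n [DATA END]\n\n\n");

        ::WriteFile(hFile, "\r\n[DATA]\r\n", sizeof("\r\n[DATA]\r\n") - 1, &dwWriten, NULL);
        ::WriteFile(hParse, "\r\n[DATA]\r\n", sizeof("\r\n[DATA]\r\n") - 1, &dwWriten, NULL);
        ::WriteFile(hFile, TcpData, static_cast<DWORD>(iTextLen), &dwWriten, NULL);
        ::WriteFile(hParse, TcpData, static_cast<DWORD>(iTextLen), &dwWriten, NULL);
        // hParse deliberately gets a shorter trailer than hFile, as before.
        ::WriteFile(hFile, "\r\n[DATA END]\r\n\r\n", sizeof("\r\n[DATA END]\r\n\r\n") - 1, &dwWriten, NULL);
        ::WriteFile(hParse, "[DATA END]\r\n", sizeof("[DATA END]\r\n") - 1, &dwWriten, NULL);
    }
    return true;
}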
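// UDP packet decoder.
//
// Decodes the UDP datagram at UdpBuf (iBufSize bytes, starting at the UDP
// header), applies the global port filter, prints a summary line and mirrors
// it to hFile/hParse, and optionally (ParamDecode) dumps the payload one byte
// per line as "<char> [<hex>]" (hFile) and as raw bytes (hParse).  Always
// returns true, as the original did.
//
// Globals read: iPortFilter, szProtocol, szSourceIP, szDestIP, iTTL, hFile,
// hParse, ParamDecode.
//
// Fixes relative to the original: the per-byte buffers overflowed (chPata[1]
// received a 2-byte "%c" string, chData[15] an 18-byte one) and the summary
// record was written with a length derived from assumed field widths instead
// of the formatted length; the loop bound mixed int and size_t; record
// terminators are written as "\r\n" (not the literal "/r/n") and without the
// trailing NUL that sizeof("...") included.
int DecodeUdpPack(char * UdpBuf, int iBufSize)
{
    // The header fields below are read unconditionally; refuse short buffers.
    if (UdpBuf == NULL || iBufSize < static_cast<int>(sizeof(UDP_HEADER)))
        return true;
    const UDP_HEADER * pUdpHeader = reinterpret_cast<const UDP_HEADER *>(UdpBuf);
    const int iSourcePort = ntohs(pUdpHeader->uh_sport);
    const int iDestPort = ntohs(pUdpHeader->uh_dport);
    const int iUdpLen = ntohs(pUdpHeader->uh_len);   // length claimed by the header: reported, never used as a bound

    // Port filter: a non-zero iPortFilter must match either end.
    if (iPortFilter && iSourcePort != iPortFilter && iDestPort != iPortFilter)
        return true;

    // Console line (same fields and order as the original's separate printf calls).
    printf("\n%s %15s:%5d ->%15s:%5d TTL=%3d Len=%4d bytes=%4d",
           szProtocol, szSourceIP, iSourcePort, szDestIP, iDestPort, iTTL, iUdpLen, iBufSize);

    // Log record: the same line prefixed by CRLF, length-checked by snprintf.
    char chInfo[160];
    int iLen = snprintf(chInfo, sizeof(chInfo), "\r\n%s %15s:%5d ->%15s:%5d TTL=%3d Len=%4d bytes=%4d",
                        szProtocol, szSourceIP, iSourcePort, szDestIP, iDestPort, iTTL, iUdpLen, iBufSize);
    if (iLen < 0) iLen = 0;                                                      // encoding error: write nothing
    if (iLen >= static_cast<int>(sizeof(chInfo))) iLen = static_cast<int>(sizeof(chInfo)) - 1; // truncated: write what fits
    DWORD dwWriten = 0;
    ::WriteFile(hFile, chInfo, static_cast<DWORD>(iLen), &dwWriten, NULL);
    ::WriteFile(hParse, chInfo, static_cast<DWORD>(iLen), &dwWriten, NULL);

    // Payload dump; the original gate (iBufSize > 28, "IP_HEADER+UDP_HEADER") is kept.
    if (ParamDecode && iBufSize > 28)
    {
        printf("\n[DATA]\n");
        ::WriteFile(hFile, "\r\n[DATA]\r\n", sizeof("\r\n[DATA]\r\n") - 1, &dwWriten, NULL);
        ::WriteFile(hParse, "\r\n[DATA]", sizeof("\r\n[DATA]") - 1, &dwWriten, NULL);

        // As in the original: data starts 8 bytes in (fixed UDP header size) and
        // the count is iBufSize - sizeof(UDP_HEADER), now in signed arithmetic.
        // NOTE(review): the two agree only if sizeof(UDP_HEADER) == 8 — confirm.
        const char * UdpData = UdpBuf + 8;
        const int iDataLen = iBufSize - static_cast<int>(sizeof(UDP_HEADER));
        for (int i = 0; i < iDataLen; ++i)
        {
            // Work on the byte value: as a signed char, bytes >= 0x80 were
            // printed sign-extended (0xffffffXX), and abs() of that on the console.
            const unsigned int c = static_cast<unsigned char>(UdpData[i]);
            char chData[32];
            int n;
            if (c > 33 && c < 122)   // printable range exactly as the original defined it
            {
                printf("\n%2c [%08x]", c, c);
                n = snprintf(chData, sizeof(chData), "\r\n%2c [%08x]", c, c);
            }
            else
            {
                printf("\n [%08x]", c);
                n = snprintf(chData, sizeof(chData), "\r\n [%08x]", c);
            }
            if (n < 0) n = 0;
            if (n >= static_cast<int>(sizeof(chData))) n = static_cast<int>(sizeof(chData)) - 1;
            ::WriteFile(hFile, chData, static_cast<DWORD>(n), &dwWriten, NULL);
            // hParse receives the raw byte (the original pushed it through a
            // 1-byte buffer with "%c", which wrote the NUL past the end).
            ::WriteFile(hParse, &UdpData[i], 1, &dwWriten, NULL);
        }
        printf("\n[DATA END]\n\n");
        ::WriteFile(hFile, "\r\n[DATA END]\r\n\r\n", sizeof("\r\n[DATA END]\r\n\r\n") - 1, &dwWriten, NULL);
        ::WriteFile(hParse, "[DATA END]\r\n", sizeof("[DATA END]\r\n") - 1, &dwWriten, NULL);
    }
    return true;
}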
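// ICMP packet decoder.
//
// Decodes the ICMP message at IcmpBuf (iBufSize bytes, starting at the ICMP
// header), applies the global filter (iPortFilter is matched against the ICMP
// type here), prints a summary line and optionally (ParamDecode) a hex dump of
// the bytes following the header.  Console only: unlike the TCP/UDP decoders
// nothing is written to hFile/hParse.  Always returns true, as the original did.
//
// Globals read: iPortFilter, szProtocol, szSourceIP, szDestIP, iTTL, ParamDecode.
//
// Fixes relative to the original: a NULL/short-buffer guard before the header
// is read; the dump loop uses signed arithmetic instead of int minus size_t;
// bytes are formatted as unsigned (the original printed abs() of a
// sign-extended char on one branch and the sign-extended value on the other);
// newlines are "\n", not the literal "/n".
int DecodeIcmpPack(char * IcmpBuf, int iBufSize)
{
    // The header fields below are read unconditionally; refuse short buffers.
    if (IcmpBuf == NULL || iBufSize < static_cast<int>(sizeof(ICMP_HEADER)))
        return true;
    const ICMP_HEADER * pIcmpHeader = reinterpret_cast<const ICMP_HEADER *>(IcmpBuf);
    const int iIcmpType = pIcmpHeader->i_type;
    const int iIcmpCode = pIcmpHeader->i_code;

    // Type filter: reuses the port-filter global.
    if (iPortFilter && iIcmpType != iPortFilter)
        return true;

    // Console line (same fields and order as the original's separate printf calls).
    printf("%s %15s ->%15s TTL=%3d Type%2d,%d bytes=%4d\n",
           szProtocol, szSourceIP, szDestIP, iTTL, iIcmpType, iIcmpCode, iBufSize);

    // Hex dump, eight bytes per row.  Gate kept from the original (iBufSize > 28).
    if (ParamDecode && iBufSize > 28)
    {
        // As in the original: the dump starts 4 bytes into the message and the
        // count is iBufSize - sizeof(ICMP_HEADER), which stays inside the buffer
        // whenever sizeof(ICMP_HEADER) >= 4.  NOTE(review): if the header is 8
        // bytes, the id/seq words are dumped as data — confirm this is intended.
        const char * IcmpData = IcmpBuf + 4;
        const int iDataLen = iBufSize - static_cast<int>(sizeof(ICMP_HEADER));
        printf(" [DATA]");
        for (int i = 0; i < iDataLen; ++i)
        {
            if (i % 8 == 0) printf("\n");
            // Byte value, so bytes >= 0x80 print as 0xXX rather than sign-extended.
            const unsigned int c = static_cast<unsigned char>(IcmpData[i]);
            if (c > 33 && c < 122)   // printable range exactly as the original defined it
                printf("%3c [%3x]", c, c);
            else
                printf(" [%3x]", c);
        }
        printf("\n [DATA END]\n\n\n");
    }
    return true;
}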