autoit对PCAP包的解析

#cs ____________________________________

 Au3 版本: 3.3.6.1
 脚本作者: wozijisunfly

 Email: 
 QQ/TM:
 脚本版本: v1.0
 脚本功能: 实现读取PCAP包后,分析包信息,可以将需要的协议、ip、Port、sequence取出来

#ce _______________脚本开始_________________


;TEST

;精简版的内容可以将IP、PORT、SEQUENCE、DATA信息解析出来,这个很有用啊。

#include <Winpcap.au3>

; Make the interpreter reject any variable that is used without a prior declaration.
Opt('MustDeclareVars', 1)

; Capture file handed to _execute_now(). The path is hard-coded here; the command-line
; handling that would replace it is commented out right below.
Global $pcapfile = "D:\WorkSpace\meter-tool\winXP_Navicat_11.0.8_linux32_Oracle_11.1.0.7_GB2312-192.168.1.188_1599_ 192.168.1.222_1521.pcap"
;~ If $CmdLine[0] == 1 Then
;~     If StringCompare(_check_file($CmdLine[0]),"yes") == 0 Then
;~         If StringCompare(StringUpper(StringRight($CmdLine[1],5)),".PCAP") == 0 Then
;~             $pcapfile = $CmdLine[1]
;~         Else
;~             _log("给出文件:" & $CmdLine[0] & " 不是PCAP文件。","error")
;~             MsgBox(0,"INFO","执行完成!",3)
;~             Exit
;~         EndIf
;~     Else
;~         _log("给出文件:" & $CmdLine[0] & " 不是系统可读文件。","error")
;~         MsgBox(0,"INFO","执行完成!",3)
;~         Exit
;~     EndIf
;~ Else
;~     _log("给出参数个数为:" & $CmdLine[0] & " 出错,请检查。","error")
;~     MsgBox(0,"INFO","执行完成!",3)
;~     Exit
;~ EndIf

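; Load wpcap.dll. _PcapSetup() returns -1 when the DLL is missing or the version call fails.
Local $winpcap = _PcapSetup()
If ($winpcap = -1) Then
;~     MsgBox(16,"Pcap error !","WinPcap not found !")
    _log("无法获取或调用" & @SystemDir & "\wpcap.dll文件错误。", "error")
    Exit
EndIf

_execute_now($pcapfile)
; $pcapfile holds the path string and is never a capture pointer, so the former
; "If IsPtr($pcapfile) Then _PcapStopCapture($pcapfile)" could not close anything.
; The capture handle is local to _execute_now(); that is the place where it has to be closed.
_PcapFree()
MsgBox(0, "INFO", "执行完成!", 3)
Exit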

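;~ Author:
;~ Created: 2014-10-24
;~ Purpose: read every packet of a PCAP file, keep the lines MyDissector() reports as TCP,
;~          count repeated source "ip:port" values and write the "src->dst->sequence"
;~          records to $pcap_ip_port_seq_file, ordered by that count (highest first).
;~ Parameter: $pcapfile - full path of the PCAP file
;~ Return value: none
;~ Modified by:
;~ Change:
;~ Modified on:
;~ NOTE(review): $pcap_ip_port_seq_file is not declared anywhere in the visible source; with
;~ Opt('MustDeclareVars', 1) it must exist as a Global before this function is called.
Func _execute_now($pcapfile)
    Local $tmpfile = @ScriptDir & "\pcap.txt"    ; intermediate list of TCP summary lines
    Local $prom = 1
    Local $pcap = _PcapStartCapture("file://" & $pcapfile, "", $prom)
    If ($pcap = -1) Then
        _log("PCAP文件出错" & _PcapGetLastError(), "error")
    EndIf
    If IsPtr($pcap) Then         ; If $pcap is a Ptr, then the capture is running
        Local $time0 = TimerInit()
        Local $i = 0, $j, $written = 0
        If FileExists($tmpfile) Then
            FileDelete($tmpfile)
        EndIf
        ; Read packets until the file is exhausted or 500000 ms (500 s) have passed.
        While (TimerDiff($time0) < 500000)
            Local $packet = _PcapGetPacket($pcap)
            If IsInt($packet) Then ExitLoop    ; 0 / -1 / -2: nothing more to read
            $i += 1

            ; Dissect once and reuse the text; the original dissected every packet twice.
            Local $summary = MyDissector($packet[3])
            If StringInStr($summary, "TCP", 1) Then
                FileWriteLine($tmpfile, $i & "->" & $summary)
                $written += 1
            EndIf
        WEnd
        ; The handle is only known inside this function, so release it here.
        _PcapStopCapture($pcap)

        If FileExists($tmpfile) Then
            ; Sized from the number of lines written instead of fixed 10000000/1000000 slots;
            ; the arrays grow below if the file turns out to hold more lines than expected.
            Local $num = 0
            Local $save_ip[$written + 2]      ; distinct source "ip:port" values, from index 1
            Local $get_ip[$written + 2]       ; "src->dst->sequence" of the first line per source
            Local $set_ip[$written + 2][2]    ; [n][0] source, [n][1] repeat counter
            Local $file = FileOpen($tmpfile, 0)
            If $file = -1 Then
                _log("不能打开 " & @ScriptDir & "\pcap.txt文件,请检查。", "error")
                Exit
            EndIf
            While 1
                Local $mark = 0
                Local $line = FileReadLine($file)
                If @error = -1 Then ExitLoop
                ; Expected fields: index, "TCP(flags)", src, dst, sequence.
                Local $arr = StringSplit($line, "->", 1)
                ; StringSplit always returns an array, so check the field count instead:
                ; a short line would otherwise abort the script on $arr[3].
                If $arr[0] >= 5 Then
                    For $i = 0 To $num
                        If $save_ip[$i] == $arr[3] Then
                            $mark = 0
                            $set_ip[$i][0] = $save_ip[$i]
                            $set_ip[$i][1] = $set_ip[$i][1] + 1
                            ExitLoop
                        Else
                            $mark = 1
                            ContinueLoop
                        EndIf
                    Next

                    If $mark == 1 Then
                        $num = $num + 1
                        If $num >= UBound($save_ip) Then
                            Local $grown = $num * 2
                            ReDim $save_ip[$grown]
                            ReDim $get_ip[$grown]
                            ReDim $set_ip[$grown][2]
                        EndIf
                        $save_ip[$num] = $arr[3]
                        $get_ip[$num] = $arr[3] & "->" & $arr[4] & "->" & $arr[5]
                    EndIf
                EndIf
            WEnd
            FileClose($file)
            If FileExists($pcap_ip_port_seq_file) Then
                FileDelete($pcap_ip_port_seq_file)
            EndIf
            If FileExists($tmpfile) Then
                FileDelete($tmpfile)
            EndIf

            ; Bubble sort, highest repeat counter first.
            ; NOTE(review): $set_ip is only filled from the second occurrence of a source on,
            ; so a source seen once keeps an empty entry and is not written below - confirm
            ; that this is intended.
            For $i = 1 To $num
                For $j = 1 To $num - $i
                    If $set_ip[$j][1] < $set_ip[$j+1][1] Then
                        Local $temp1, $temp2
                        $temp1 = $set_ip[$j][0]
                        $set_ip[$j][0] = $set_ip[$j+1][0]
                        $set_ip[$j+1][0] = $temp1
                        $temp2 = $set_ip[$j][1]
                        $set_ip[$j][1] = $set_ip[$j+1][1]
                        $set_ip[$j+1][1] = $temp2
                    EndIf
                Next
            Next
;~             For $i=1 To $num
;~                 FileWriteLine(@ScriptDir & "\all.txt",$set_ip[$i][0] & "->" & $set_ip[$i][1])
;~             Next
            ; Prefix match: "a.b.c.d:80" also matches a record that starts with "a.b.c.d:8080".
            For $i = 1 To $num
                For $j = 1 To $num
                    If StringInStr($get_ip[$j], $set_ip[$i][0]) == 1 Then
                        FileWriteLine($pcap_ip_port_seq_file, $get_ip[$j])
                    EndIf
                Next
            Next
        Else

            _log(@ScriptDir & "\pcap.txt文件不存在,请检查。", "error")
            Exit
        EndIf

    Else
        _log("PCAP文件不能转换一个表达式到指针变量。", "error")
    EndIf

EndFunc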

;~ Author:
;~ Created: 2014-10-24
;~ Purpose: turn one captured Ethernet frame into a one-line text summary
;~ Parameter: $data - the packet bytes (element [3] of the array from _PcapGetPacket)
;~ Return value: protocol, IP (src/dst), port (src/dst) and TCP sequence number as text
;~ Modified by:
;~ Change:
;~ Modified on:
;~ NOTE(review): every offset below is fixed. Ports, sequence and flags are read as if the
;~ IP header were always 20 bytes, and the payload is taken from byte 67 on; frames with
;~ another header layout would be decoded from the wrong bytes - confirm against the
;~ captures this is used on. Lengths are not checked before reading.
Func MyDissector ($data) ; Quick example packet dissector....
    ; Destination MAC is bytes 1-6, source MAC bytes 7-12 (hex text after the "0x" prefix).
    Local $macdst = "", $macsrc = "", $k
    For $k = 0 To 5
        $macdst &= StringMid($data, 3 + 2 * $k, 2) & ":"
        $macsrc &= StringMid($data, 15 + 2 * $k, 2) & ":"
    Next
    $macdst = StringTrimRight($macdst, 1)
    $macsrc = StringTrimRight($macsrc, 1)
    Local $ethertype = BinaryMid($data, 13, 2)

    If $ethertype = "0x0806" Then Return "ARP " & $macsrc & "->" & $macdst

    If $ethertype = "0x0800" Then
        ; Dotted source (bytes 27-30) and destination (bytes 31-34) addresses.
        Local $src = "", $dst = ""
        For $k = 0 To 3
            $src &= Number(BinaryMid($data, 27 + $k, 1)) & "."
            $dst &= Number(BinaryMid($data, 31 + $k, 1)) & "."
        Next
        $src = StringTrimRight($src, 1)
        $dst = StringTrimRight($dst, 1)

        Switch BinaryMid($data, 24, 1)    ; IP protocol byte
            Case "0x01"
                Return "ICMP " & $src & "->" & $dst
            Case "0x02"
                Return "IGMP " & $src & "->" & $dst
            Case "0x06"
                Local $srcport = Number(BinaryMid($data, 35, 1)) * 256 + Number(BinaryMid($data, 36, 1))
                Local $dstport = Number(BinaryMid($data, 37, 1)) * 256 + Number(BinaryMid($data, 38, 1))
                ; The author checked in Wireshark that the sequence number sits in bytes
                ; 39-42; the four bytes are combined big-endian.
                Local $sequence = 0
                For $k = 39 To 42
                    $sequence = $sequence * 256 + Number(BinaryMid($data, $k, 1))
                Next

                ; Flag byte to a comma-separated list, lowest bit first.
                Local $flags = BinaryMid($data, 48, 1)
                Local $flagnames[8] = ["Fin ", "Syn ", "Rst ", "Psh ", "Ack ", "Urg ", "Ecn ", "Cwr "]
                Local $flagbits[8] = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80]
                Local $f = ""
                For $k = 0 To 7
                    If BitAND($flags, $flagbits[$k]) Then $f &= $flagnames[$k]
                Next
                $f = StringTrimRight(StringReplace($f, " ", ","), 1)

                ; Report the packet as TCP only when the payload text contains one of these
                ; words. These are plain substring tests, so "USE" also hits inside longer words.
                ; NOTE(review): "ALERT" looks like a typo for "ALTER" - confirm.
                Local $payload = StringUpper(BinaryToString(BinaryMid($data, 67), 4))
                Local $keywords[17] = ["INSERT", "SELECT", "DELETE", "UPDATE", "ALERT", "USE", _
                        "CREATE", "DROP", "MERGE", "COMMIT", "ROLLBACK", "RENAME", "REVOKE", _
                        "SAVEPOINT", "TRUNCAT", "EXPLAIN", "GRANT"]
                For $k = 0 To 16
                    If StringInStr($payload, $keywords[$k]) <> 0 Then
                        Return "TCP(" & $f & ")->" & $src & ":" & $srcport & "->" & $dst & ":" & $dstport & "->" & $sequence
                    EndIf
                Next
                ; No keyword found: leave the Switch and use the generic line after it.
            Case "0x11"
                Local $srcport = Number(BinaryMid($data, 35, 1)) * 256 + Number(BinaryMid($data, 36, 1))
                Local $dstport = Number(BinaryMid($data, 37, 1)) * 256 + Number(BinaryMid($data, 38, 1))
                Return "UDP " & $src & ":" & $srcport & " -> " & $dst & ":" & $dstport
            Case Else
                Return "IP " & BinaryMid($data, 24, 1) & " " & $src & " -> " & $dst
        EndSwitch
        Return BinaryMid($data, 13, 2) & " " & $src & " -> " & $dst
    EndIf

    Switch $ethertype
        Case "0x8137", "0x8138", "0x0022", "0x0025", "0x002A", "0x00E0", "0x00FF"
            Return "IPX " & $macsrc & " -> " & $macdst
    EndSwitch
    Return "[" & $ethertype & "] " & $macsrc & " -> " & $macdst
EndFunc


;~ Author:
;~ Created: 2014-10-17
;~ Purpose: append one line to the daily log file <ScriptDir>\Log\<yyyy-mm-dd>.log
;~ Parameters: $message - text to record
;~             $level   - severity (info: normal output, warn: warning,
;~                        error: fatal error that stops the program)
;~ Return value: none
;~ Modified by:
;~ Change:
;~ Modified on:
;~ NOTE(review): $message is written as-is; text that contains line breaks (for example
;~ an error string from the capture library) shows up as extra log lines.
Func _log($message,$level="info")
    Local $logdir = @ScriptDir & "\Log\"
    Local $date = @YEAR & "-" & @MON & "-" & @MDAY
    ; Prefix layout: [yyyy-mm-dd_hh:mm:ss.mmm-level]
    Local $time = "[" & @YEAR & "-" & @MON & "-" & @MDAY & "_" & @HOUR & ":" & @MIN & ":" & @SEC & "." & @MSEC & "-" & $level & "]"
    If Not FileExists($logdir) Then DirCreate($logdir)
    ; Each line starts with the process id, then the prefix, then the message.
    FileWriteLine($logdir & $date & ".log", @AutoItPID & $time & $message)
EndFunc

;~ Author:
;~ Created: 2014-09-28
;~ Purpose: check that $path exists and carries one of the attributes N, C, O or A
;~ Return value: "yes" or "no"
;~ Modified by:
;~ Change:
;~ Modified on:
Func _check_file($path)
    If Not FileExists($path) Then Return "no"

    Local $attr = FileGetAttrib($path)
    Local $wanted[4] = ["N", "C", "O", "A"], $k
    For $k = 0 To 3
        If StringInStr($attr, $wanted[$k]) Then Return "yes"
    Next
    Return "no"
EndFunc

;精简版源码结束
















;Winpcap.au3 ==========================源码==========================


; Winpcap autoit3 UDF - V1.2c
; Copyleft GPL3 Nicolas Ricquemaque 2009-2011
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Run_AU3Check=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
; *********************** Initialisation functions **************************
Global $Pcap_dll                ; handle returned by DllOpen() for wpcap.dll, set in _PcapSetup()
Global $Pcap_errbuf             ; char[256] struct that receives error text, created in _PcapSetup()
Global $Pcap_ptrhdr             ; pointer struct for the header of the last packet, set in _PcapGetPacket()
Global $Pcap_ptrpkt             ; pointer struct for the data of the last packet, set in _PcapGetPacket()
Global $Pcap_statV                ; Total volume captured
Global $Pcap_statN                ; Total number of packets captured
Global $Pcap_starttime        ; Start time of Capture
Global $Pcap_timebias           ; offset in seconds added to packet timestamps, derived from ActiveTimeBias in _PcapSetup()


; Open wpcap.dll from the system directory and initialise the module globals.
; Returns the WinPcap version text, or -1 when the DLL is not present or the
; pcap_lib_version call fails. The DLL is opened by its full path.
; NOTE(review): the time-bias formula assumes RegRead() hands back ActiveTimeBias as an
; unsigned 32-bit value - confirm for time zones with a positive bias.
Func _PcapSetup()        ; return WinPCAP version as full text or -1 if winpcap is not installed, and opens dll
        Local $dllpath = @SystemDir & "\wpcap.dll"
        If Not FileExists($dllpath) Then Return -1

        $Pcap_dll = DllOpen($dllpath)
        $Pcap_errbuf = DllStructCreate("char[256]")
        $Pcap_ptrhdr = 0
        $Pcap_ptrpkt = 0

        ; ActiveTimeBias is in minutes; convert to seconds for use with packet timestamps.
        Local $bias = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation", "ActiveTimeBias")
        $Pcap_timebias = (2^32 - $bias) * 60

        Local $version = DllCall($Pcap_dll, "str:cdecl", "pcap_lib_version")
        If (@error > 0) Then Return -1
        Return $version[0]
EndFunc


; Close the wpcap.dll handle that _PcapSetup() stored in $Pcap_dll.
; Captures that are still open are not closed here.
Func _PcapFree()                ; free resources opened by _PcapSetup
        DllClose($Pcap_dll)
EndFunc

; *********************** Information functions **************************

; Return the text held in the shared error buffer. When $pcap is a capture pointer the
; text reported by pcap_geterr for that capture is appended to it.
Func _PcapGetLastError($pcap=0)          ; returns text from last pcap error
        If IsPtr($pcap) Then
                Local $err = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $pcap)
                Return DllStructGetData($Pcap_errbuf, 1) & $err[0]
        EndIf
        Return DllStructGetData($Pcap_errbuf, 1)
EndFunc


; Enumerate the capture devices through pcap_findalldevs_ex on "rpcap://".
; Returns -1 on error, otherwise a 2D array with one row per device. Columns as filled below:
;   [0] name   [1] description   [2] link type value   [3] link type name   [4] link type description
;   [5] speed from PacketGetNetType   [6] MAC address
;   [7]-[9] IPv4 addr / netmask / broadaddr   [10]-[12] IPv6 addr / netmask / broadaddr   [13] flags
; NOTE(review): the column list in the trailing comment on the Func line does not match this layout.
; NOTE(review): packet.dll is called by bare file name while wpcap.dll is opened by full path in
; _PcapSetup(); which copy is used then depends on the Windows DLL search order - confirm.
; NOTE(review): the DllCall() results for packet.dll and kernel32.dll are indexed without an
; @error check.
Func _PcapGetDeviceList() ; returns 2D array with pcap devices (name;desc;mac;ipv4_addr;ipv4_netmask;ipv4_broadaddr;ipv6_addr;ipv6_netmask;ipv6_broadaddr;flags) or -1 if error
        Local $alldevs=DLLStructCreate("ptr")
        Local $r=DllCall($Pcap_dll, "int:cdecl", "pcap_findalldevs_ex", "str", "rpcap://", "ptr", 0, "ptr", DllStructGetPtr($alldevs), "ptr", DllStructGetPtr($Pcap_errbuf))
        if (@error > 0) Then return -1
        if $r[0]=-1 Then return -1
        Local $next=DllStructGetData($alldevs,1)
        Local $list[1][14]
        Local $i=0;
        ; Walk the linked list of device records; each record points to the next one.
        while ($next<>0)
                Local $pcap_if = DllStructCreate("ptr next;ptr name;ptr desc;ptr addresses;uint flags",$next)
                ; Measure the two C strings so they can be mapped as char arrays and copied out.
                Local $len_name = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if,2))
                Local $len_desc = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if,3))
                $list[$i][0]=DllStructGetData(DllStructCreate("char["&($len_name[0]+1)&"]",DllStructGetData($pcap_if,2)),1)
                $list[$i][1]=DllStructGetData(DllStructCreate("char["&($len_desc[0]+1)&"]",DllStructGetData($pcap_if,3)),1)
                Local $next_addr=DllStructGetData($pcap_if,"addresses")

                ; retrieve mac address
                ; The first 8 characters of the device name are dropped before it is given to packet.dll.
                Local $device=StringTrimLeft($list[$i][0],8)
                Local $snames = DllStructCreate("char Name["&(StringLen($device)+1)&"]")
                DllStructSetData($snames,1,$device)
                Local $handle=DllCall("packet.dll", "ptr:cdecl", "PacketOpenAdapter", "ptr", DllStructGetPtr($snames))
                If IsPtr($handle[0]) Then
                        Local $packetoiddata = DllStructCreate("ulong oid;ulong length;ubyte data[6]")
                        DllStructSetData($packetoiddata,1,0x01010102)  ; OID_802_3_CURRENT_ADDRESS
                        DllStructSetData($packetoiddata,2,6)
                        Local $status=DllCall("packet.dll", "byte:cdecl", "PacketRequest", "ptr", $handle[0],"byte",0,"ptr",DllStructGetPtr($packetoiddata))
                        If $status[0] Then
                                ; The 6 bytes come back as "0x..." hex text; format them as aa:bb:cc:dd:ee:ff.
                                Local $mac=DllStructGetData($packetoiddata,3)
                                $list[$i][6]=StringMid($mac,3,2)&":"&StringMid($mac,5,2)&":"&StringMid($mac,7,2)&":"&StringMid($mac,9,2)&":"&StringMid($mac,11,2)&":"&StringMid($mac,13,2)
                        EndIf
                        Local $nettype = DllStructCreate("uint type;uint64 speed")
                        $status=DllCall("packet.dll", "byte:cdecl", "PacketGetNetType", "ptr", $handle[0], "ptr", DllStructGetPtr($nettype))
                        If $status[0] Then
                                $list[$i][5]=DllStructGetData($nettype,2)
                        EndIf
                        DllCall("packet.dll", "none:cdecl", "PacketCloseAdapter", "ptr", $handle[0])
                EndIf

                ; retrieve lintypes
                ; A short capture (32-byte packets, filter "host 1.2.3.4") is opened on the
                ; device only to read its link type, then closed again.
                Local $pcap=_PcapStartCapture($list[$i][0],"host 1.2.3.4",0,32)
                If IsPtr($pcap) Then
                        Local $types=_PcapGetLinkType($pcap)
                        If IsArray($types) Then
                                $list[$i][2]=$types[0]
                                $list[$i][3]=$types[1]
                                $list[$i][4]=$types[2]
                        EndIf
                        _PcapStopCapture($pcap)
                EndIf

                ; retrieve ip addresses
                while $next_addr<>0
                        Local $pcap_addr = DllStructCreate("ptr next;ptr addr;ptr netmask;ptr broadaddr;ptr dst",$next_addr)
                        Local $j,$addr
                        ; Struct members 2..4 are addr, netmask and broadaddr.
                        For $j=2 to 4
                                $addr=_PcapSock2addr(DllStructGetData($pcap_addr,$j))
                                ; Text longer than 15 characters goes to the IPv6 columns (10-12),
                                ; text longer than 6 characters to the IPv4 columns (7-9).
                                If StringLen($addr)>15 Then
                                        $list[$i][$j+8]=$addr
                                ElseIf StringLen($addr)>6 Then
                                        $list[$i][$j+5]=$addr
                                EndIf
                        Next
                        $next_addr=DllStructGetData($pcap_addr,1)
                Wend

                $list[$i][13]=DllStructGetData($pcap_if,5)
                $next=DllStructGetData($pcap_if,1)
                $i+=1
                ; Add a row only when another device follows.
                if $next<>0 Then Redim $list[$i+1][14]
        Wend
        DllCall($Pcap_dll, "none:cdecl", "pcap_freealldevs", "ptr", DllStructGetData($alldevs,1))
        return $list
EndFunc


; Describe the link type of an open capture.
; Returns -1 when $pcap is not a pointer, otherwise a 3-element array:
; [0] numeric link type, [1] its name, [2] its description.
Func _PcapGetLinkType($pcap) ; returns a array with LinkType for opened capture $pcap. [0]: int value of link type, [1] name of linktype, [2] description of linktype
        If Not IsPtr($pcap) Then Return -1

        Local $dlt = DllCall($Pcap_dll, "int:cdecl", "pcap_datalink", "ptr", $pcap)
        Local $dltname = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_name", "int", $dlt[0])
        Local $dltdesc = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_description", "int", $dlt[0])

        Local $info[3] = [$dlt[0], $dltname[0], $dltdesc[0]]
        Return $info
EndFunc


; List every link type the open capture $pcap can be switched to.
; Returns -1 when $pcap is not a pointer or the library reports fewer than one entry,
; otherwise a 2D array with one row per link type: [n][0] value, [n][1] name, [n][2] description.
; NOTE(review): the list returned by pcap_list_datalinks is not released here - check
; whether the installed library expects the caller to free it.
Func _PcapListLinkTypes($pcap) ; returns a 2D array with possible LinkTypes for opened capture $pcap. For each one: [0]: int value of link type, [1] name of linktype, [2] description of linktype
        If Not IsPtr($pcap) Then Return -1

        Local $listptr = DllStructCreate("ptr")
        Local $count = DllCall($Pcap_dll, "int:cdecl", "pcap_list_datalinks", "ptr", $pcap, "ptr", DllStructGetPtr($listptr))
        If $count[0] < 1 Then Return -1

        ; Map the returned int array so its entries can be read by index.
        Local $values = DllStructCreate("int[" & $count[0] & "]", DllStructGetData($listptr, 1))
        Local $types[$count[0]][3]
        Local $row = 0, $text
        While $row <= $count[0] - 1
                $types[$row][0] = DllStructGetData($values, 1, $row + 1)
                $text = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_name", "int", $types[$row][0])
                $types[$row][1] = $text[0]
                $text = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_description", "int", $types[$row][0])
                $types[$row][2] = $text[0]
                $row += 1
        WEnd
        Return $types
EndFunc


; Switch the open capture $pcap to link type $dlt.
; Returns -1 when $pcap is not a pointer, otherwise the result of pcap_set_datalink.
Func _PcapSetLinkType($pcap,$dlt)
        If IsPtr($pcap) Then
                Local $rc = DllCall($Pcap_dll, "int:cdecl", "pcap_set_datalink", "ptr", $pcap, "int", $dlt)
                Return $rc[0]
        EndIf
        Return -1
EndFunc


; Collect capture statistics for $pcap.
; Returns -1 when $pcap is not a pointer or pcap_stats_ex returns 0, otherwise a 6x2 array:
; column [n][0] holds the value and column [n][1] its label. Rows 0-3 come from the
; library's counters, row 4 is the byte total kept by this module and row 5 the
; milliseconds since _PcapStartCapture().
Func _PcapGetStats($pcap) ; returns array [0]=received packets [1]=droped packets by driver [2]=dropped packets by if [3]=captured packets [4]=Captured volume in bytes [5]=time in ms since beginning
        If Not IsPtr($pcap) Then Return -1

        Local $statsize = DllStructCreate("int")
        Local $s = DllCall($Pcap_dll, "ptr:cdecl", "pcap_stats_ex", "ptr", $pcap, "ptr", DllStructGetPtr($statsize))
        If $s[0] = 0 Then Return -1

        Local $stats = DllStructCreate("uint recv;uint drop;uint ifdrop;uint capt", $s[0])
        Local $labels[6] = ["Packets received by Interface", "Packets dropped by WinPcap", _
                        "Packets dropped by Interface", "Packets captured", _
                        "Bytes in packets captured", "mS since capture start"]
        Local $ps[6][2], $row
        For $row = 0 To 5
                $ps[$row][1] = $labels[$row]
        Next
        For $row = 0 To 3
                $ps[$row][0] = DllStructGetData($stats, $row + 1)
        Next
        $ps[4][0] = $Pcap_statV
        $ps[5][0] = Int(TimerDiff($Pcap_starttime))
        Return $ps
EndFunc

; *********************** Capture functions **************************

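; Open $DeviceName (an adapter name or a "file://" source) in non-blocking mode.
; Parameters:
;   $filter      - capture filter text; "" installs no filter
;   $promiscuous - passed to pcap_open as its flags argument
;   $PacketLen   - number of bytes kept per packet
;   $buffersize  - when > 0, passed to pcap_setbuff
;   $realtime    - when true, pcap_setmintocopy is set to 1
; Returns the capture pointer, or -1 on failure; after a filter failure the text
; "Filter: ..." is left in $Pcap_errbuf for _PcapGetLastError().
; The compiled filter is released with pcap_freecode once it has been handed to
; pcap_setfilter. The original call sat behind a "return" and was never reached, and it
; passed the struct itself instead of its pointer.
Func _PcapStartCapture($DeviceName,$filter="",$promiscuous=0,$PacketLen=65536,$buffersize=0,$realtime=1)        ; start a capture in non-blocking mode on device $DeviceName with optional parameters: $PacketLen, $promiscuous, $filter. Returns -1 on failure or pcap handler
        Local $handle=DllCall($Pcap_dll, "ptr:cdecl", "pcap_open", "str", $DeviceName, "int", $PacketLen, "int",$promiscuous,"int",1000,"ptr",0,"ptr", DllStructGetPtr($Pcap_errbuf) )
        if (@error > 0) Then return -1
        if ($handle[0] = 0) Then return -1
        DllCall($Pcap_dll, "int:cdecl", "pcap_setnonblock", "ptr", $handle[0], "int", 1, "ptr", DllStructGetPtr($Pcap_errbuf))
        if ($filter<>"") Then
                Local $fcode=DLLStructCreate("UINT;ptr")
                Local $comp=DllCall($Pcap_dll, "int:cdecl", "pcap_compile", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode), "str", $filter,"int", 1, "int",0)
                if ($comp[0]=-1) Then
                        ; Nothing was compiled, so there is nothing to free on this path.
                        Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr","ptr",$handle[0])
                        DLLStructSetData($Pcap_errbuf,1,"Filter: "&$v[0])
                        _PcapStopCapture($handle[0])
                        return -1
                EndIf
                Local $set=DllCall($Pcap_dll, "int:cdecl", "pcap_setfilter", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode))
                Local $setfailed = ($set[0]=-1)
                If $setfailed Then
                        ; Read the error text while the capture is still open.
                        Local $w = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr","ptr",$handle[0])
                        DLLStructSetData($Pcap_errbuf,1,"Filter: "&$w[0])
                EndIf
                ; Release the compiled program whether or not it could be installed.
                DllCall($Pcap_dll, "none:cdecl", "pcap_freecode", "ptr", DllStructGetPtr($fcode))
                If $setfailed Then
                        _PcapStopCapture($handle[0])
                        return -1
                EndIf
        EndIf
        If $buffersize>0 Then DllCall($Pcap_dll, "int:cdecl", "pcap_setbuff", "ptr", $handle[0], "int", $buffersize)
        If $realtime Then DllCall($Pcap_dll, "int:cdecl", "pcap_setmintocopy", "ptr", $handle[0], "int", 1)
        ; Reset the module-level counters for the new capture.
        $Pcap_statV=0
        $Pcap_statN=0
        $Pcap_starttime=TimerInit()
        return $handle[0]
EndFunc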


; Close a capture opened by _PcapStartCapture(). Does nothing when $pcap is not a pointer.
Func _PcapStopCapture($pcap)        ; stop capture started with _PcapStartCapture
        If IsPtr($pcap) Then
                DllCall($Pcap_dll, "none:cdecl", "pcap_close", "ptr", $pcap)
        EndIf
EndFunc


; Fetch the next packet of the capture $pcap through pcap_next_ex.
; Returns an integer when no packet was delivered (-1 also when $pcap is not a pointer;
; otherwise the library's own result: 0 timeout, -1 error, -2 end of file), or a
; 4-element array: [0] time of day as hh:mm:ss.uuuuuu, [1] captured length,
; [2] packet length, [3] packet bytes.
; The header and data pointers stay in $Pcap_ptrhdr / $Pcap_ptrpkt for _PcapWriteLastPacket().
Func _PcapGetPacket($pcap) ; return 0: timeout, -1:error, -2:EOF in file or if successfull array[0]=time [1]=captured len [2]=packet len [3]=packet data
        If Not IsPtr($pcap) Then Return -1

        $Pcap_ptrhdr = DllStructCreate("ptr")
        $Pcap_ptrpkt = DllStructCreate("ptr")
        Local $rc = DllCall($Pcap_dll, "int:cdecl", "pcap_next_ex", "ptr", $pcap, "ptr", DllStructGetPtr($Pcap_ptrhdr), "ptr", DllStructGetPtr($Pcap_ptrpkt))
        If ($rc[0] <> 1) Then Return $rc[0]

        Local $hdr = DllStructCreate("int s;int us;int caplen;int len", DllStructGetData($Pcap_ptrhdr, 1))
        Local $caplen = DllStructGetData($hdr, 3)
        ; The byte view is sized from the captured length reported in the header.
        Local $bytes = DllStructCreate("ubyte[" & $caplen & "]", DllStructGetData($Pcap_ptrpkt, 1))
        ; Seconds within the day after applying the time bias.
        Local $secs = Mod(DllStructGetData($hdr, 1) + $Pcap_timebias, 86400)

        Local $pk[4]
        $pk[0] = StringFormat("%02d:%02d:%02d.%06d", Int($secs / 3600), Int(Mod($secs, 3600) / 60), Mod($secs, 60), DllStructGetData($hdr, 2))
        $pk[1] = $caplen
        $pk[2] = DllStructGetData($hdr, 4)
        $pk[3] = DllStructGetData($bytes, 1)

        ; Running totals used by _PcapGetStats().
        $Pcap_statV += $pk[2]
        $Pcap_statN += 1
        Return $pk
EndFunc


; Hand the binary $data to pcap_sendpacket on the open capture $pcap.
; Returns -1 when $pcap is not a pointer, otherwise the library's result.
Func _PcapSendPacket($pcap,$data) ; data in Binary Format
        If Not IsPtr($pcap) Then Return -1

        Local $size = BinaryLen($data)
        ; Copy the bytes into a native buffer the DLL can read.
        Local $buf = DllStructCreate("ubyte[" & $size & "]")
        DllStructSetData($buf, 1, $data)
        Local $rc = DllCall($Pcap_dll, "int:cdecl", "pcap_sendpacket", "ptr", $pcap, "ptr", DllStructGetPtr($buf), "int", BinaryLen($data))
        Return $rc[0]
EndFunc
        
        
; Run pcap_dispatch on $pcap with _PcapHandler as callback; the name in $func travels as
; the user argument and _PcapHandler calls it once per packet with the packet array.
; Returns -1 when $pcap is not a pointer or the callback cannot be registered, otherwise
; the result of pcap_dispatch.
Func _PcapDispatchToFunc($pcap,$func) ; call $func with an data array as parameters as many times as there are packets in buffer, then returns the number of packets read or -1 (error) or -2 (break received)
        If Not IsPtr($pcap) Then Return -1

        Local $cb = DllCallbackRegister("_PcapHandler", "none:cdecl", "str;ptr;ptr")
        If $cb = 0 Then Return -1

        Local $rc = DllCall($Pcap_dll, "int:cdecl", "pcap_dispatch", "ptr", $pcap, "int", -1, "ptr", DllCallbackGetPtr($cb), "str", $func)
        ; The callback is only needed for the duration of the dispatch call.
        DllCallbackFree($cb)
        Return $rc[0]
EndFunc

                
; Callback registered by _PcapDispatchToFunc(). Builds the same 4-element packet array as
; _PcapGetPacket() from the header pointer $hdr and the data pointer $data, updates the
; module counters and passes the array to the function named in $user.
; $user is executed through Call(), so it has to be a function name chosen by the script
; itself.
Func _PcapHandler($user,$hdr,$data)
        Local $meta = DllStructCreate("int s;int us;int caplen;int len", $hdr)
        Local $caplen = DllStructGetData($meta, 3)
        Local $bytes = DllStructCreate("ubyte[" & $caplen & "]", $data)
        ; Seconds within the day after applying the time bias.
        Local $secs = Mod(DllStructGetData($meta, 1) + $Pcap_timebias, 86400)

        Local $pk[4]
        $pk[0] = StringFormat("%02d:%02d:%02d.%06d", Int($secs / 3600), Int(Mod($secs, 3600) / 60), Mod($secs, 60), DllStructGetData($meta, 2))
        $pk[1] = $caplen
        $pk[2] = DllStructGetData($meta, 4)
        $pk[3] = DllStructGetData($bytes, 1)

        ; stats
        $Pcap_statV += $pk[2]
        $Pcap_statN += 1
        Call($user, $pk)
EndFunc


; Poll the event object of the capture without waiting (timeout 0).
; Returns -1 when $pcap is not a pointer, otherwise True when WaitForSingleObject
; returned 0 and False for any other result.
Func _PcapIsPacketReady($pcap)
        If Not IsPtr($pcap) Then Return -1

        Local $event = DllCall($Pcap_dll, "ptr:cdecl", "pcap_getevent", "ptr", $pcap)
        Local $wait = DllCall("kernel32.dll", "dword", "WaitForSingleObject", "ptr", $event[0], "dword", 0)
        Return $wait[0] = 0
EndFunc


; *********************** Save to file functions **************************

; Open $filename through pcap_dump_open for the capture $pcap.
; Returns the dump handle, or -1 when $pcap is not a pointer or the open call returns 0.
Func _PcapSaveToFile($pcap,$filename)        ; Open a file to save packets in pcap format
        If Not IsPtr($pcap) Then Return -1

        Local $dump = DllCall($Pcap_dll, "ptr:cdecl", "pcap_dump_open", "ptr", $pcap, "str", $filename)
        If $dump[0] <> 0 Then Return $dump[0]
        Return -1
EndFunc


; Append the packet last fetched by _PcapGetPacket() (its pointers are kept in
; $Pcap_ptrhdr / $Pcap_ptrpkt) to the dump file $handle. Returns -1 when $handle is not a pointer.
Func _PcapWriteLastPacket($handle) ; Write the last received packet to file opened by _PcapSaveToFile
        If Not IsPtr($handle) Then Return -1

        Local $hdrptr = DllStructGetData($Pcap_ptrhdr, 1)
        Local $pktptr = DllStructGetData($Pcap_ptrpkt, 1)
        DllCall($Pcap_dll, "none:cdecl", "pcap_dump", "ptr", $handle, "ptr", $hdrptr, "ptr", $pktptr)
EndFunc


; Close the dump file handle returned by _PcapSaveToFile().
; Returns -1 when $handle is not a pointer.
Func _PcapStopCaptureFile($handle) ; Close capture file opened by _PcapSaveToFile
        If IsPtr($handle) Then
                DllCall($Pcap_dll, "none:cdecl", "pcap_dump_close", "ptr", $handle)
        Else
                Return -1
        EndIf
EndFunc

; *********************** Utility functions **************************

; Convert the sockaddr structure at $sockaddr_ptr into address text.
; Family 2 gives dotted IPv4 text, family 23 gives eight colon-separated groups of four
; hex digits; a null pointer or any other family gives "".
Func _PcapSock2addr ($sockaddr_ptr)          ; internat function to convert a sockaddr structure into an string containing an IP address
        If ($sockaddr_ptr = 0) Then Return ""

        Local $generic = DllStructCreate("ushort family;char data[14]", $sockaddr_ptr)
        Local $text = "", $k
        Switch DllStructGetData($generic, 1)
                Case 2 ; AF_INET = IPv4
                        Local $v4 = DllStructCreate("short family;ushort port;ubyte addr[4];char zero[8]", $sockaddr_ptr)
                        For $k = 1 To 4
                                $text &= DllStructGetData($v4, 3, $k) & "."
                        Next
                        Return StringTrimRight($text, 1)
                Case 23 ; AF_INET6 = IPv6
                        Local $v6 = DllStructCreate("ushort family;ushort port;uint flow;ubyte addr[16];uint scope", $sockaddr_ptr)
                        ; The 16 bytes come back as "0x..." hex text; cut it into groups of 4 digits.
                        Local $hex = DllStructGetData($v6, 4)
                        For $k = 0 To 7
                                $text &= StringMid($hex, 3 + $k * 4, 4) & ":"
                        Next
                        Return StringTrimRight($text, 1)
        EndSwitch
        Return ""
EndFunc

; Read $bytes bytes from the binary string $data ("0x" followed by hex digits), starting
; at byte $offset (1 = first byte), and return them as a number. A negative result of
; Dec() is shifted up by 2^32 so the value comes back unsigned.
Func _PcapBinaryGetVal($data,$offset,$bytes)
        ; Two hex digits per byte, after the two-character "0x" prefix.
        Local $start = 3 + ($offset - 1) * 2
        Local $val32 = Dec(StringMid($data, $start, $bytes * 2))
        If $val32 >= 0 Then Return $val32
        Return 2^32 + $val32
EndFunc


; Overwrite $bytes bytes (up to 8) of the binary string $data with $value, starting at
; byte $offset (1 = first byte). $data is changed in place.
; The caller has to make sure that $data holds at least $offset+$bytes bytes.
Func _PcapBinarySetVal(Byref $data,$offset,$value,$bytes)
        ; Character position of the first hex digit to replace (after the "0x" prefix).
        Local $start = 3 + ($offset - 1) * 2
        Local $digits = Hex($value, $bytes * 2)
        $data = StringReplace($data, $start, $digits)
EndFunc


; Compute the IPv4 header checksum.
; $data is the packet as a binary string; $ipoffset is the number of bytes before the IP
; header (14 for an Ethernet frame). The value stored in the checksum field is left out
; of the sum. The caller has to make sure that $data really holds an IP packet.
Func _PcapIpCheckSum ($data,$ipoffset=14)
        ; Header length in bytes: low nibble of the first header byte times 4.
        Local $hdrlen = BitAND(_PcapBinaryGetVal($data, $ipoffset + 1, 1), 0xF) * 4
        Local $total = 0, $pos = 1
        While $pos <= $hdrlen
                $total += BitAND(0xFFFF, _PcapBinaryGetVal($data, $ipoffset + $pos, 2))
                $pos += 2
        WEnd
        ; Take the stored checksum (header bytes 11-12) back out.
        $total -= _PcapBinaryGetVal($data, $ipoffset + 11, 2)
        ; Fold the carries back into the low 16 bits.
        While $total > 0xFFFF
                $total = BitAND($total, 0xFFFF) + BitShift($total, 16)
        WEnd
        Return BitXOR($total, 0xFFFF)
EndFunc


; Compute the ICMP checksum over everything that follows the IP header.
; $data is the packet as a binary string; $ipoffset is the number of bytes before the IP
; header (14 for an Ethernet frame). The value stored in the checksum field is left out
; of the sum. The caller has to make sure that $data really holds an ICMP packet.
Func _PcapIcmpCheckSum ($data,$ipoffset=14)
        Local $hdrlen = BitAND(_PcapBinaryGetVal($data, $ipoffset + 1, 1), 0xF) * 4
        Local $len = _PcapBinaryGetVal($data, $ipoffset + 3, 2) - $hdrlen  ; ip len - ip header len
        Local $body = $ipoffset + $hdrlen    ; bytes in front of the ICMP message
        Local $evenlen = BitAND($len, 0xFFFE)
        Local $total = 0, $pos = 1
        While $pos <= $evenlen
                $total += BitAND(0xFFFF, _PcapBinaryGetVal($data, $body + $pos, 2))
                $pos += 2
        WEnd
        ; An odd trailing byte counts as the high byte of a final word.
        If BitAND($len, 1) Then
                $total += BitAND(0xFF00, BitShift(_PcapBinaryGetVal($data, $body + $len, 1), -8))
        EndIf
        ; Take the stored checksum (message bytes 3-4) back out.
        $total -= _PcapBinaryGetVal($data, $body + 3, 2)
        While $total > 0xFFFF
                $total = BitAND($total, 0xFFFF) + BitShift($total, 16)
        WEnd
        Return BitXOR($total, 0xFFFF)
EndFunc


; Compute the TCP checksum, pseudo header included.
; $data is the packet as a binary string; $ipoffset is the number of bytes before the IP
; header (14 for an Ethernet frame). The value stored in the checksum field is left out
; of the sum. The caller has to make sure that $data really holds a TCP packet.
Func _PcapTcpCheckSum ($data,$ipoffset=14)
        Local $hdrlen = BitAND(_PcapBinaryGetVal($data, $ipoffset + 1, 1), 0xF) * 4
        Local $len = _PcapBinaryGetVal($data, $ipoffset + 3, 2) - $hdrlen  ; ip len - ip header len
        Local $body = $ipoffset + $hdrlen    ; bytes in front of the TCP segment
        Local $evenlen = BitAND($len, 0xFFFE)
        Local $total = 0, $pos = 1
        While $pos <= $evenlen
                $total += BitAND(0xFFFF, _PcapBinaryGetVal($data, $body + $pos, 2))
                $pos += 2
        WEnd
        ; An odd trailing byte counts as the high byte of a final word.
        If BitAND($len, 1) Then
                $total += BitAND(0xFF00, BitShift(_PcapBinaryGetVal($data, $body + $len, 1), -8))
        EndIf
        ; tcp pseudo header: the four address words, the segment length and protocol number 6
        Local $addrwords = _PcapBinaryGetVal($data, $ipoffset + 13, 2) + _PcapBinaryGetVal($data, $ipoffset + 15, 2) _
                        + _PcapBinaryGetVal($data, $ipoffset + 17, 2) + _PcapBinaryGetVal($data, $ipoffset + 19, 2)
        ; Stored checksum (segment bytes 17-18), taken back out of the sum.
        Local $stored = _PcapBinaryGetVal($data, $body + 17, 2)
        $total += $addrwords + $len + 6 - $stored
        While $total > 0xFFFF
                $total = BitAND($total, 0xFFFF) + BitShift($total, 16)
        WEnd
        Return BitXOR($total, 0xFFFF)
EndFunc


; Compute the UDP checksum, pseudo header included.
; $data is the packet as a binary string; $ipoffset is the number of bytes before the IP
; header (14 for an Ethernet frame). The value stored in the checksum field is left out
; of the sum. The caller has to make sure that $data really holds a UDP packet.
; A stored checksum of 0x0000 means the packet does not use one, so there is no need to
; call this function for it; a computed 0x0000 is returned as 0xFFFF.
Func _PcapUdpCheckSum ($data,$ipoffset=14)
        Local $hdrlen = BitAND(_PcapBinaryGetVal($data, $ipoffset + 1, 1), 0xF) * 4
        Local $len = _PcapBinaryGetVal($data, $ipoffset + 3, 2) - $hdrlen  ; ip len - ip header len
        Local $body = $ipoffset + $hdrlen    ; bytes in front of the UDP datagram
        Local $evenlen = BitAND($len, 0xFFFE)
        Local $total = 0, $pos = 1
        While $pos <= $evenlen
                $total += BitAND(0xFFFF, _PcapBinaryGetVal($data, $body + $pos, 2))
                $pos += 2
        WEnd
        ; An odd trailing byte counts as the high byte of a final word.
        If BitAND($len, 1) Then
                $total += BitAND(0xFF00, BitShift(_PcapBinaryGetVal($data, $body + $len, 1), -8))
        EndIf
        ; udp pseudo header: the four address words, the datagram length and protocol number 17
        Local $addrwords = _PcapBinaryGetVal($data, $ipoffset + 13, 2) + _PcapBinaryGetVal($data, $ipoffset + 15, 2) _
                        + _PcapBinaryGetVal($data, $ipoffset + 17, 2) + _PcapBinaryGetVal($data, $ipoffset + 19, 2)
        ; Stored checksum (datagram bytes 7-8), taken back out of the sum.
        Local $stored = _PcapBinaryGetVal($data, $body + 7, 2)
        $total += $addrwords + $len + 17 - $stored
        While $total > 0xFFFF
                $total = BitAND($total, 0xFFFF) + BitShift($total, 16)
        WEnd
        Local $crc = BitXOR($total, 0xFFFF)
        If $crc = 0x0000 Then Return 0xFFFF
        Return $crc
EndFunc


; Shorten a device description: when it starts with "Network adapter '...' on", only the
; quoted part is kept. Leading, trailing and doubled white space is removed in both cases.
Func _PcapCleanDeviceName($fullname) ; returns a cleaner device name without 'Network adapter ' etc if any
        Local $picked = $fullname
        Local $match = StringRegExp($fullname, "^Network adapter '(.*)' on", 1)
        ; @error is 0 only when the pattern matched.
        If @error = 0 Then $picked = $match[0]
        Return StringStripWS($picked, 7)
EndFunc


;Winpcap.au3 ==========================源码==========================






















;PCAP解析的一个实例 ==========================源码==========================

; Winpcap autoit3 UDF demo - V1.2c
; Copyleft GPL3 Nicolas Ricquemaque 2009-2011

#include <Array.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#Include <GuiListView.au3>
#include <StaticConstants.au3>
#include <ComboConstants.au3>

#include <Winpcap.au3>

; Initialise the WinPcap UDF; a return value of -1 is handled as "WinPcap not available".
$winpcap = _PcapSetup()
If $winpcap = -1 Then
        MsgBox(16, "Pcap error !", "WinPcap not found !")
        Exit
EndIf

; Fetch the capture devices; -1 is handled as an error and the UDF's last error text is shown.
$pcap_devices = _PcapGetDeviceList()
If $pcap_devices = -1 Then
        MsgBox(16, "PcapGetDevice error !", _PcapGetLastError())
        Exit
EndIf

; Build the window. Controls are created in the same order as before; each follow-up call names
; its control explicitly instead of relying on -1 ("last created control").
GUICreate("Packet capture", 500, 350)
$interface = GUICtrlCreateCombo("", 80, 15, 400, Default, $CBS_DROPDOWNLIST)
GUICtrlSetData($interface, "Pcap capture file")        ; first entry: read packets from a file
For $i = 0 To UBound($pcap_devices) - 1
        GUICtrlSetData($interface, $pcap_devices[$i][1])        ; column 1 is the text shown for the device
Next
$filter = GUICtrlCreateInput("tcp port 80", 80, 45, 300)
$promiscuous = GUICtrlCreateCheckbox("promiscuous", 400, 45)
$start = GUICtrlCreateButton("Start", 20, 310, 60)
$stop = GUICtrlCreateButton("Stop", 110, 310, 60)
GUICtrlSetState($stop, $GUI_DISABLE)        ; nothing to stop yet
$clear = GUICtrlCreateButton("Clear", 200, 310, 60)
$stats = GUICtrlCreateButton("Stats", 290, 310, 60)
GUICtrlSetState($stats, $GUI_DISABLE)        ; enabled once a capture is started
$save = GUICtrlCreateCheckbox("Save packets", 395, 310, 90, 30)
GUICtrlSetStyle(GUICtrlCreateLabel("Interface :", 10, 20, 60), $SS_RIGHT)
GUICtrlSetStyle(GUICtrlCreateLabel("Filter :", 10, 50, 60), $SS_RIGHT)
$packetwindow = GUICtrlCreateListView("No|Time|Len|Packet", 10, 90, 480, 200)
_GUICtrlListView_SetColumn($packetwindow, 0, "No", 40, 1)
_GUICtrlListView_SetColumnWidth($packetwindow, 1, 80)
_GUICtrlListView_SetColumn($packetwindow, 2, "Len", 40, 1)
_GUICtrlListView_SetColumnWidth($packetwindow, 3, 300)

GUISetState()

; Loop state: packet counter, capture handle, last packet, save-file handle (0 = none).
$i = 0
$pcap = 0
$packet = 0
$pcapfile = 0

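; Main GUI loop: reacts to the buttons and, while a capture is running, drains packets into the
; list view and into pcap.txt next to the script. Everything read from a packet is untrusted input.
Do
        $msg = GUIGetMsg()
        If ($msg=$start) Then
                If GUICtrlRead($promiscuous)=$GUI_CHECKED Then
                        $prom=1
                Else
                        $prom=0
                EndIf
                ; Resolve the combo selection to a capture source: a file URL or a device name.
                $int=""
                If (GUICtrlRead($interface)="Pcap capture file") Then
                        $file=FileOpenDialog ( "Pcap file to open ?", ".", "Pcap (*.pcap)|All files (*.*)" ,1 )
                        If $file="" Then ContinueLoop
                        $int="file://"&$file
                Else
                        For $n = 0 to Ubound($pcap_devices)-1
                                If $pcap_devices[$n][1]=GUICtrlRead($interface) Then
                                        $int=$pcap_devices[$n][0]
                                        ExitLoop
                                EndIf
                        Next
                EndIf
                $pcap=_PcapStartCapture($int,GUICtrlRead($filter),$prom)
                If ($pcap=-1) Then
                        MsgBox(16,"Pcap error !",_PcapGetLastError())
                        ContinueLoop
                EndIf
                $linktype=_PcapGetLinkType($pcap)
                If ($linktype[1]<>"EN10MB") Then
                        MsgBox(16,"Pcap error !","This example only works for Ethernet captures")
                        ; Close the capture that was just opened. Otherwise $pcap stays a valid handle,
                        ; the packet loop below keeps feeding non-Ethernet frames to the Ethernet-only
                        ; dissector, and the next Start overwrites the handle without closing it.
                        _PcapStopCapture($pcap)
                        $pcap=0
                        ContinueLoop
                Endif
                If GUICtrlRead($save)=$GUI_CHECKED Then
                        $file=FileSaveDialog ( "Pcap file to write to ?", ".", "Pcap (*.pcap)" ,16 )
                        If ($file<>"") Then
                                If StringLower(StringRight($file,5))<>".pcap" Then $file&=".pcap"
                                $pcapfile=_PcapSaveToFile($pcap,$file)
                                If ($pcapfile=0) Then MsgBox(16,"Pcap error !",_PcapGetLastError())
                        EndIf
                EndIf
                GUICtrlSetState ($stop, $GUI_ENABLE)
                GUICtrlSetState ($stats, $GUI_ENABLE)
                GUICtrlSetState ($start, $GUI_DISABLE)
                GUICtrlSetState ($save, $GUI_DISABLE)
        EndIf

        If ($msg=$stop) Then
                ; Close the save file first, then the capture, and reset both handles.
                If IsPtr($pcapfile) Then
                        _PcapStopCaptureFile($pcapfile)
                        $pcapfile=0
                EndIf
                if Not IsInt($pcap) Then _PcapStopCapture($pcap)
                $pcap=0
                GUICtrlSetState ($stop, $GUI_DISABLE)
                GUICtrlSetState ($stats, $GUI_DISABLE)
                GUICtrlSetState ($start, $GUI_ENABLE)
                GUICtrlSetState ($save, $GUI_ENABLE)
        EndIf

        If ($msg=$clear) Then
                _PcapGetStats($pcap)        ; result is discarded, call kept as in the original demo
                _GUICtrlListView_DeleteAllItems($packetwindow)
                $i=0
        EndIf

        If ($msg=$stats) Then
                $s=_PcapGetStats($pcap)
                _ArrayDisplay($s,"Capture statistics")
        EndIf

        If IsPtr($pcap) Then         ; If $pcap is a Ptr, then the capture is running
                $time0=TimerInit()
                While (TimerDiff($time0)<500) ; Retrieve packets from queue for maximum 500ms before returning to main loop, not to "hang" the window for user
                        $packet=_PcapGetPacket($pcap)
                        If IsInt($packet) Then ExitLoop        ; an integer means no packet was returned
                        $data=$packet[3]
                        ; Dissect once and reuse the summary for both the list view and the log file.
                        $summary=MyDissector($data)
                        GUICtrlCreateListViewItem($i&"|"&StringTrimRight($packet[0],4)&"|"&$packet[2]&"|"&$summary, $packetwindow)
                        _GUICtrlListView_EnsureVisible($packetwindow, $i)
                        $i+=1
                        If IsPtr($pcapfile) Then _PcapWriteLastPacket($pcapfile)
                        ; One summary line per packet is appended; the file is never truncated here.
                        FileWriteLine(@ScriptDir & "\pcap.txt", $summary)
                Wend
        EndIf

Until $msg=$GUI_EVENT_CLOSE

If IsPtr($pcapfile) Then _PcapStopCaptureFile($pcapfile)        ; A file is still open: close it
if IsPtr($pcap) Then _PcapStopCapture($pcap)        ; A capture is still running: close it
_PcapFree()

Exit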



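; Quick example packet dissector: returns a one-line text summary of an Ethernet frame.
; $data : the raw frame as binary data (byte 1 is the first byte of the destination MAC)
; Returns, depending on the frame:
;   "ARP <macsrc> -> <macdst>"
;   "ICMP|IGMP <src> -> <dst>"
;   "TCP(<flags>) <src>:<port> -> <dst>:<port>===<sequence>"
;   "UDP <src>:<port> -> <dst>:<port>"
;   "IP <protocol byte> <src> -> <dst>"   for other protocols, and for TCP/UDP whose transport
;                                         header cannot be located in the captured bytes
;   "IPX <macsrc> -> <macdst>" or "[<ethertype>] <macsrc> -> <macdst>" otherwise
; The frame is untrusted input, so the transport header is located from the IP header length field
; and is only read when the captured data is long enough to contain it.
; NOTE(review): the fragment offset is not examined, so a non-first IP fragment is still parsed as if
; it started with a TCP/UDP header; VLAN-tagged frames end up in the "[ethertype]" fallback.
Func MyDissector ($data)
        ; As text, $data starts with "0x", so the two hex digits of byte n begin at character 2*n+1.
        Local $macdst=StringMid ($data,3,2)&":"&StringMid ($data,5,2)&":"&StringMid ($data,7,2)&":"&StringMid ($data,9,2)&":"&StringMid ($data,11,2)&":"&StringMid ($data,13,2)
        Local $macsrc=StringMid ($data,15,2)&":"&StringMid ($data,17,2)&":"&StringMid ($data,19,2)&":"&StringMid ($data,21,2)&":"&StringMid ($data,23,2)&":"&StringMid ($data,25,2)
        Local $ethertype=BinaryMid ( $data, 13 ,2 )

        If $ethertype="0x0806" Then return "ARP "&$macsrc&" -> "&$macdst

        If $ethertype="0x0800" Then
                Local $src=Number(BinaryMid ($data, 27 ,1))&"."&Number(BinaryMid ($data, 28 ,1))&"."&Number(BinaryMid ($data, 29 ,1))&"."&Number(BinaryMid ($data, 30 ,1))
                Local $dst=Number(BinaryMid ($data, 31 ,1))&"."&Number(BinaryMid ($data, 32 ,1))&"."&Number(BinaryMid ($data, 33 ,1))&"."&Number(BinaryMid ($data, 34 ,1))
                Local $proto=BinaryMid ($data, 24 ,1)
                ; IP header length in bytes: low nibble of the first IP byte (byte 15) times 4.
                ; The original used fixed offsets, which are only right for a 20-byte header; with
                ; IP options present the ports, sequence number and flags were read from the options.
                Local $iplen=BitAND(Number(BinaryMid ($data, 15 ,1)),0x0F)*4
                Local $l4=14+$iplen        ; number of bytes before the transport header
                Local $avail=BinaryLen($data)-$l4        ; captured bytes from the transport header on
                If $iplen<20 Then $avail=0        ; impossible header length: do not trust $l4
                Switch $proto
                        Case "0x01"
                           return "ICMP "&$src&" -> "&$dst
                        Case "0x02"
                           return "IGMP "&$src&" -> "&$dst
                        Case "0x06"
                                ; Ports, sequence number and flags span the first 14 TCP header bytes.
                                If $avail<14 Then return "IP "&$proto&" "&$src&" -> "&$dst
                                Local $srcport=Number(BinaryMid ($data, $l4+1 ,1))*256+Number(BinaryMid ($data, $l4+2 ,1))
                                Local $dstport=Number(BinaryMid ($data, $l4+3 ,1))*256+Number(BinaryMid ($data, $l4+4 ,1))
                                ; The sequence number is the four bytes after the ports (bytes 39 to 42 of the
                                ; frame for a 20-byte IP header, as can be confirmed in Wireshark); each byte is
                                ; weighted by a power of 256 to rebuild the 32-bit value.
                                Local $sequence=Number(BinaryMid ($data, $l4+5 ,1))*16777216 + Number(BinaryMid ($data, $l4+6 ,1))*65536 + Number(BinaryMid ($data, $l4+7 ,1))*256 + Number(BinaryMid ($data, $l4+8 ,1))
                                Local $flags=BinaryMid ($data, $l4+14 ,1)
                                Local $f=""
                                If BitAND($flags,0x01) Then $f="Fin "
                                If BitAND($flags,0x02) Then $f&="Syn "
                                If BitAND($flags,0x04) Then $f&="Rst "
                                If BitAND($flags,0x08) Then $f&="Psh "
                                If BitAND($flags,0x10) Then $f&="Ack "
                                If BitAND($flags,0x20) Then $f&="Urg "
                                If BitAND($flags,0x40) Then $f&="Ecn "
                                If BitAND($flags,0x80) Then $f&="Cwr "
                                ; "Syn Ack " -> "Syn,Ack," -> "Syn,Ack"
                                $f=StringTrimRight(StringReplace($f," ",","),1)
                                return "TCP("&$f&") "&$src&":"&$srcport&" -> "&$dst&":"&$dstport  & "===" & $sequence
                        Case "0x11"
                                ; Only the two port fields (first 4 UDP header bytes) are read.
                                If $avail<4 Then return "IP "&$proto&" "&$src&" -> "&$dst
                                Local $srcport=Number(BinaryMid ($data, $l4+1 ,1))*256+Number(BinaryMid ($data, $l4+2 ,1))
                                Local $dstport=Number(BinaryMid ($data, $l4+3 ,1))*256+Number(BinaryMid ($data, $l4+4 ,1))
                                return "UDP "&$src&":"&$srcport&" -> "&$dst&":"&$dstport
                        Case Else
                                return "IP "&$proto&" "&$src&" -> "&$dst
                EndSwitch
                ; Every Case above returns, so nothing is reachable here.
        EndIf

        If $ethertype="0x8137" OR $ethertype="0x8138" OR $ethertype="0x0022" OR $ethertype="0x0025" OR $ethertype="0x002A" OR $ethertype="0x00E0" OR $ethertype="0x00FF" Then
                return "IPX "&$macsrc&" -> "&$macdst
        EndIf
        return "["&$ethertype&"] "&$macsrc&" -> "&$macdst
EndFunc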
;PCAP解析的一个实例 ==========================源码==========================











