For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches <br>
all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams <br>
and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index <br>
operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the <br>
first byte of an intervening fragment. <br>
<br>
Primitives may be combined using: <br>
<br>
A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped). <br>
<br>
Negation (`!' or `not'). <br>
<br>
Concatenation (`&&' or `and'). <br>
<br>
Alternation (`||' or `or'). <br>
<br>
Negation has highest precedence. Alternation and concatenation have equal precedence and associate <br>
left to right. Note that explicit `and' tokens, not juxtaposition, are now required for concatenation. <br>
<br>
If an identifier is given without a keyword, the most recent keyword is assumed. For example, <br>
not host vs and ace <br>
is short for <br>
not host vs and host ace <br>
which should not be confused with <br>
not ( host vs or ace ) <br>
<br>
Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, <br>
whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is <br>
easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces <br>
before being parsed. <br>
<br>
EXAMPLES <br>
To print all packets arriving at or departing from sundown: <br>
tcpdump host sundown <br>
<br>
To print traffic between helios and either hot or ace: <br>
tcpdump host helios and \( hot or ace \) <br>
<br>
To print all IP packets between ace and any host except helios: <br>
tcpdump ip host ace and not helios <br>
<br>
To print all traffic between local hosts and hosts at Berkeley: <br>
tcpdump net ucb-ether <br>
<br>
To print all ftp traffic through internet gateway snup: (note that the expression is quoted to <br>
prevent the shell from (mis-)interpreting the parentheses): <br>
tcpdump 'gateway snup and (port ftp or ftp-data)' <br>
<br>
To print traffic neither sourced from nor destined for local hosts (if you gateway to one other <br>
net, this stuff should never make it onto your local net). <br>
tcpdump ip and not net localnet <br>
<br>
<br>
To print the start and end packets (the SYN and FIN packets) of each TCP conversation that <br>
involves a non-local host. <br>
tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet' <br>
<br>
To print IP packets longer than 576 bytes sent through gateway snup: <br>
tcpdump 'gateway snup and ip[2:2] > 576' <br>
<br>
To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast: <br>
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' <br>
<br>
To print all ICMP packets that are not echo requests/replies (i.e., not ping packets): <br>
tcpdump 'icmp[0] != 8 and icmp[0] != 0' <br>
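The byte-offset predicates in the paragraph above (`ether[0] & 1', `ip[0] & 0xf', `ip[6:2] & 0x1fff') and in the EXAMPLES (`ip[2:2]', `ip[16]', `tcp[13] & 3', `icmp[0]') only make sense once you know which header bytes they index, and the implicit fragment check on tcp[]/udp[]/icmp[] is easy to forget when you later hand-roll the same logic in a capture callback. The following C program is an added example and is not part of the original tutorial or of libpcap: it evaluates those expressions against constructed Ethernet/IPv4 frames (the sample bytes are made up here, not captured), locating the transport header through the IHL field and refusing to index tcp[]/icmp[] on non-first fragments, as tcpdump does. All function and sample names (ipv4_hdr, l4_hdr, build_frame, sample_*) are this example's own. <br>

```c
/* Evaluate tcpdump's byte-offset predicates against raw frames, without libpcap.
 * ether[n] counts from the Ethernet header, ip[n] from the IPv4 header, and
 * tcp[n]/icmp[n] from the transport header located through the IHL field.
 * tcp[]/icmp[] match only unfragmented datagrams or fragment zero, mirroring
 * the implicit `ip[6:2] & 0x1fff = 0' check described in the man page. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14   /* dst MAC(6) + src MAC(6) + EtherType(2) */

/* Read a 16-bit big-endian field, i.e. what ip[6:2] denotes. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Start of the IPv4 header, or NULL if the frame is not IPv4 or is truncated. */
static const uint8_t *ipv4_hdr(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN + 20 || be16(f + 12) != 0x0800) return NULL;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl) return NULL;
    return ip;
}

/* Start of the transport header for `proto' with at least `need' bytes present.
 * Non-first fragments carry no transport header, so they never match. */
static const uint8_t *l4_hdr(const uint8_t *f, size_t len, uint8_t proto, size_t need)
{
    const uint8_t *ip = ipv4_hdr(f, len);
    if (!ip || ip[9] != proto || (be16(ip + 6) & 0x1fff) != 0) return NULL;
    size_t ihl = (ip[0] & 0x0f) * 4;
    return len < ETH_HLEN + ihl + need ? NULL : ip + ihl;
}

/* `ether[0] & 1 != 0': link-layer multicast or broadcast destination */
int is_link_multicast(const uint8_t *f, size_t len)
{ return len >= ETH_HLEN && (f[0] & 1) != 0; }
/* `ip[0] & 0xf != 5': IPv4 header longer than 20 bytes, i.e. options present */
int ip_has_options(const uint8_t *f, size_t len)
{ const uint8_t *ip = ipv4_hdr(f, len); return ip && (ip[0] & 0x0f) != 5; }
/* `ip[6:2] & 0x1fff = 0': unfragmented datagram or fragment zero */
int ip_is_first_or_unfragmented(const uint8_t *f, size_t len)
{ const uint8_t *ip = ipv4_hdr(f, len); return ip && (be16(ip + 6) & 0x1fff) == 0; }
/* `ip[2:2] > n': IP total-length field above n */
int ip_longer_than(const uint8_t *f, size_t len, unsigned n)
{ const uint8_t *ip = ipv4_hdr(f, len); return ip && be16(ip + 2) > n; }
/* `ether[0] & 1 = 0 and ip[16] >= 224': IP multicast/broadcast on a unicast MAC */
int ip_mcast_without_link_mcast(const uint8_t *f, size_t len)
{ const uint8_t *ip = ipv4_hdr(f, len); return ip && (f[0] & 1) == 0 && ip[16] >= 224; }
/* `tcp[13] & 3 != 0': FIN (bit 0) or SYN (bit 1) set in the TCP flags byte */
int tcp_syn_or_fin(const uint8_t *f, size_t len)
{ const uint8_t *t = l4_hdr(f, len, 6, 14); return t && (t[13] & 3) != 0; }
/* `icmp[0] != 8 and icmp[0] != 0': ICMP other than echo request/reply */
int icmp_not_ping(const uint8_t *f, size_t len)
{ const uint8_t *i = l4_hdr(f, len, 1, 1); return i && i[0] != 8 && i[0] != 0; }

/* Build a constructed Ethernet + IPv4 frame (sample data, not a capture).
 * Only the fields the predicates read are filled in; checksums stay zero. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t dst_mac0, uint8_t proto,
                   unsigned total_len, unsigned frag_field, uint8_t dst_ip0,
                   size_t opts_len, const uint8_t *l4, size_t l4len)
{
    size_t ihl = 20 + opts_len, need = ETH_HLEN + ihl + l4len;
    if (cap < need || opts_len % 4 != 0 || ihl > 60) return 0;
    memset(buf, 0, need);
    buf[0] = dst_mac0;                                    /* what ether[0] sees */
    buf[12] = 0x08; buf[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = (uint8_t)(0x40 | (ihl / 4));                  /* version 4, IHL in words */
    ip[2] = (uint8_t)(total_len >> 8); ip[3] = (uint8_t)total_len;
    ip[6] = (uint8_t)(frag_field >> 8); ip[7] = (uint8_t)frag_field;
    ip[8] = 64; ip[9] = proto;
    ip[12] = 192; ip[13] = 168; ip[14] = 1; ip[15] = 104; /* src 192.168.1.104 */
    ip[16] = dst_ip0; ip[17] = 0; ip[18] = 0; ip[19] = 1; /* dst <dst_ip0>.0.0.1 */
    memset(ip + 20, 0x01, opts_len);                      /* NOP options, if any */
    memcpy(ip + ihl, l4, l4len);
    return need;
}

/* Constructed transport headers and frames used by main() and the tests. */
struct sample { uint8_t buf[128]; size_t len; };
static const uint8_t TCP_SYN[20] = { [13] = 0x02 };       /* flags byte = SYN */
static const uint8_t ICMP_UNREACH[8] = { 3, 1 };          /* type 3, code 1 */
static const uint8_t ICMP_ECHO[8] = { 8, 0 };             /* echo request */
#define SAMPLE(name, ...) const struct sample *name(void) \
{ static struct sample s; s.len = build_frame(s.buf, sizeof s.buf, __VA_ARGS__); return &s; }
SAMPLE(sample_syn,        0x00, 6, 60,   0x4000, 10,  0, TCP_SYN, 20)     /* TCP SYN, DF set */
SAMPLE(sample_syn_opts,   0x00, 6, 64,   0x4000, 10,  4, TCP_SYN, 20)     /* + 4 bytes of options */
SAMPLE(sample_frag,       0x00, 6, 60,   0x2005, 10,  0, TCP_SYN, 20)     /* MF set, offset 5*8 */
SAMPLE(sample_icmp_mcast, 0x00, 1, 1400, 0x0000, 224, 0, ICMP_UNREACH, 8) /* to 224.0.0.1 */
SAMPLE(sample_ping_bcast, 0xff, 1, 84,   0x0000, 10,  0, ICMP_ECHO, 8)    /* echo, bcast MAC */

int main(void)
{
    const struct sample *s = sample_syn_opts();
    printf("SYN with IP options: ip[0]&0xf!=5 -> %d, tcp[13]&3!=0 -> %d\n",
           ip_has_options(s->buf, s->len), tcp_syn_or_fin(s->buf, s->len));
    s = sample_frag();
    printf("non-first fragment: tcp[13]&3!=0 -> %d (implicit fragment check)\n",
           tcp_syn_or_fin(s->buf, s->len));
    return 0;
}
```

Compile with `cc -std=c99 filters.c` (no libpcap needed). The sample_syn_opts frame shows why the IHL matters: with four bytes of options the flags byte sits at frame offset 14+24+13, not 14+20+13, and code that hard-codes a 20-byte IP header reads the wrong byte. The sample_frag frame carries SYN-looking bytes at the transport offset yet does not match `tcp[13] & 3 != 0', because its fragment offset is nonzero; this is the implicit check the man page describes, and it is the reason a fragment-based evasion cannot smuggle a SYN past such a filter, though it also means the filter never sees the payload of later fragments. <br>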
<br>
<br>
Ok, so that is a lot of info (and probably more than we need) but it gives us a starting point. <br>
So let's give this a shot... on my network I have a Linux box and a windoze machine connected to a <br>
non-switched hub. Therefore, if I place my ethernet card in promiscuous mode on my Linux machine I <br>
should be able to see all traffic going to (and coming from) my Windows machine. So let's see if the <br>
examples from the man page will work if directly fed to pcap_compile.. <br>
<br>
Consider the following program... <br>
/********************************************************************** <br>
* file: testpcap3.c <br>
* date: Sat Apr 07 23:23:02 PDT 2001 <br>
* Author: Martin Casado <br>
* Last Modified:2001-Apr-07 11:23:05 PM <br>
* <br>
* Investigate using filter programs with pcap_compile() and <br>
* pcap_setfilter() <br>
* <br>
**********************************************************************/ <br>
 <br>
#include <pcap.h> <br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
 <br>
/* just print a count every time we have a packet... */ <br>
void my_callback(u_char *useless, const struct pcap_pkthdr *pkthdr, const u_char *packet) <br>
{ <br>
static int count = 1; <br>
(void)useless; (void)pkthdr; (void)packet; /* not used until we start dissecting */ <br>
fprintf(stdout, "%d, ", count); <br>
fflush(stdout); <br>
count++; <br>
} <br>
 <br>
int main(int argc, char **argv) <br>
{ <br>
char *dev; <br>
char errbuf[PCAP_ERRBUF_SIZE]; <br>
pcap_t *descr; <br>
struct bpf_program fp; /* hold compiled program */ <br>
bpf_u_int32 maskp; /* subnet mask */ <br>
bpf_u_int32 netp; /* network address */ <br>
 <br>
if(argc != 2){ fprintf(stdout, "Usage: %s \"filter program\"\n", argv[0]); return 0; } <br>
 <br>
/* grab a device to peek into... (pcap_lookupdev() is deprecated in current <br>
 * libpcap in favour of pcap_findalldevs(), but it still works for this test) */ <br>
dev = pcap_lookupdev(errbuf); <br>
if(dev == NULL) <br>
{ fprintf(stderr, "%s\n", errbuf); exit(1); } <br>
 <br>
/* ask pcap for the network address and mask of the device. the mask is what <br>
 * pcap_compile() needs to resolve `ip broadcast'; if the device has no IPv4 <br>
 * address we can still compile filters that do not use it */ <br>
if(pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1) <br>
{ fprintf(stderr, "pcap_lookupnet(): %s\n", errbuf); netp = 0; maskp = PCAP_NETMASK_UNKNOWN; } <br>
 <br>
/* open device for reading. this time lets set it in promiscuous <br>
 * mode so we can monitor traffic to another machine */ <br>
descr = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf); <br>
if(descr == NULL) <br>
{ printf("pcap_open_live(): %s\n", errbuf); exit(1); } <br>
 <br>
/* Lets try and compile the program.. non-optimized. note that the last <br>
 * argument is the netmask, not the network address */ <br>
if(pcap_compile(descr, &fp, argv[1], 0, maskp) == -1) <br>
{ fprintf(stderr, "pcap_compile(): %s\n", pcap_geterr(descr)); exit(1); } <br>
 <br>
/* set the compiled program as the filter */ <br>
if(pcap_setfilter(descr, &fp) == -1) <br>
{ fprintf(stderr, "pcap_setfilter(): %s\n", pcap_geterr(descr)); exit(1); } <br>
 <br>
/* ... and loop */ <br>
pcap_loop(descr, -1, my_callback, NULL); <br>
 <br>
pcap_freecode(&fp); <br>
pcap_close(descr); <br>
return 0; <br>
} <br>
<br>
So, this program accepts a string from the user (similar to tcpdump), compiles it and sets it as a <br>
filter. Let's go ahead and try it with an example similar to the one in the tcpdump examples.. <br>
<br>
[root@localhost libpcap]# gcc testpcap3.c -lpcap <br>
[root@localhost libpcap]# ./a.out "host www.google.com" <br>
(** try and ping www.slashdot.org ... nothing **) <br>
(** try and ping www.google.com **) <br>
1, 2, 3, 4, 5, 6, <br>
(** hurray! **) <br>
<br>
It looks like our filter program worked!!! Let's try to see if we can capture packets from a <br>
different machine on the same network.... how about my Windows machine when it connects to battle.net.. <br>
<br>
[root@localhost libpcap]# ./a.out "src 192.168.1.104" <br>
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, <br>
<br>
Yes yes!!! We are getting very close to actually having some power, but first we need to find out <br>
how to look inside the packets and pull out information. At last! The next section will delve into <br>
dissecting packets so we can really analyze what is going on in our networks!! <br>
-------------------------------------------------------------------------------- <br>
<br>
-- <br>
telnet apue.dhs.org 2323 or http://apue.dhs.org <br>
APUE: UNIX Environment Programming <br>
UNP: UNIX Network Programming <br>
UKP: UNIX Kernel Programming <br>
BIBLE: Expert Tips <br>
FTPDOC: Shared Resources <br>
※ Source: UNIX Programming www.tiaozhan.com/unixbbs/ [FROM: 202.114.36.176] <br>
</small><hr>
</table>
</body>
</html>