              For example, `ether[0] & 1 != 0' catches all multicast traffic.
              The expression `ip[0] & 0xf != 5' catches all IP packets with
              options.  The expression `ip[6:2] & 0x1fff = 0' catches only
              unfragmented datagrams and frag zero of fragmented datagrams.
              This check is implicitly applied to the tcp and udp index
              operations.  For instance, tcp[0] always means the first byte of
              the TCP header, and never means the first byte of an intervening
              fragment.


       Primitives may be combined using:

              A parenthesized group of primitives and operators (parentheses
              are special to the Shell and must be escaped).

              Negation (`!' or `not').

              Concatenation (`&&' or `and').

              Alternation (`||' or `or').

       Negation has highest precedence.  Alternation and concatenation have
       equal precedence and associate left to right.  Note that explicit and
       tokens, not juxtaposition, are now required for concatenation.

       If an identifier is given without a keyword, the most recent keyword is
       assumed.  For example,
            not host vs and ace
       is short for
            not host vs and host ace
       which should not be confused with
            not ( host vs or ace )

       Expression arguments can be passed to tcpdump as either a single
       argument or as multiple arguments, whichever is more convenient.
       Generally, if the expression contains Shell metacharacters, it is
       easier to pass it as a single, quoted argument.  Multiple arguments are
       concatenated with spaces before being parsed.

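The precedence and implicit-keyword rules above are easy to misread once a filter has a few operators in it. The program below is an added example, not code from the tutorial or from libpcap: a small recursive-descent parser over the boolean layer of the filter language that prints each expression back fully parenthesised, with inherited qualifiers written out, so `not host vs and ace` and `not ( host vs or ace )` visibly differ. It assumes a fixed list of qualifier words, single-token primitives (arithmetic forms such as `tcp[13] & 3 != 0` and the compound `src and dst` qualifier are out of scope) and that `not`/`!` are written as separate tokens.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXTOK 64
#define TOKLEN 32

static char tok[MAXTOK][TOKLEN];   /* token table for the current expression */
static int ntok, pos;              /* token count and parse cursor */
static char lastq[128];            /* qualifiers of the most recent complete primitive */
static char out[512];              /* normalised output being built */

/* Qualifier words that may precede an identifier (an assumed subset of the
 * real pcap grammar; "src and dst" as one qualifier is not handled). */
static const char *qualifiers[] = {"host", "net", "port", "gateway", "src", "dst",
                                   "ip", "ip6", "arp", "tcp", "udp", "icmp", "ether", NULL};

static int is_qualifier(const char *s) {
    for (int i = 0; qualifiers[i]; i++) if (strcmp(s, qualifiers[i]) == 0) return 1;
    return 0;
}
static int is_and(const char *s) { return !strcmp(s, "and") || !strcmp(s, "&&"); }
static int is_or(const char *s)  { return !strcmp(s, "or")  || !strcmp(s, "||"); }
static int is_not(const char *s) { return !strcmp(s, "not") || !strcmp(s, "!"); }
static const char *peek(void)    { return pos < ntok ? tok[pos] : ""; }
static void emit(const char *s)  { strncat(out, s, sizeof out - strlen(out) - 1); }

/* Split on whitespace; '(' and ')' always stand alone, so "(hot or ace)" and
 * "\( hot or ace \)" (after the shell strips the backslashes) tokenize alike. */
static void tokenize(const char *s) {
    ntok = pos = 0; lastq[0] = out[0] = '\0';
    while (*s && ntok < MAXTOK) {
        if (isspace((unsigned char)*s)) { s++; continue; }
        int n = 0;
        if (*s == '(' || *s == ')') {
            tok[ntok][n++] = *s++;
        } else {
            while (*s && !isspace((unsigned char)*s) && *s != '(' && *s != ')' && n < TOKLEN - 1)
                tok[ntok][n++] = *s++;
        }
        tok[ntok++][n] = '\0';
    }
}

static void parse_expr(void);

/* primitive := qualifier* identifier?   A bare identifier inherits the
 * qualifiers of the previous primitive, as in "not host vs and ace". */
static void parse_primitive(void) {
    char q[128] = "";
    while (is_qualifier(peek())) {
        if (q[0]) strcat(q, " ");
        strcat(q, peek());
        pos++;
    }
    const char *id = peek();
    int have_id = *id && strcmp(id, "(") && strcmp(id, ")") &&
                  !is_and(id) && !is_or(id) && !is_not(id);
    if (!have_id) { emit(q); return; }          /* lone "tcp", "ip", ... */
    if (!q[0]) strcpy(q, lastq);                /* the implicit keyword rule */
    strcpy(lastq, q);
    emit(q); if (q[0]) emit(" "); emit(id);
    pos++;
}

/* term := "not" term | "(" expr ")" | primitive     (negation binds tightest) */
static void parse_term(void) {
    if (is_not(peek())) { pos++; emit("(not "); parse_term(); emit(")"); return; }
    if (!strcmp(peek(), "(")) {
        pos++;
        parse_expr();
        if (!strcmp(peek(), ")")) pos++;
        return;
    }
    parse_primitive();
}

/* expr := term (("and"|"or") term)*   and/or share one precedence level and
 * associate left to right, so each operator wraps everything to its left:
 * "a or b and c" becomes "((a or b) and c)". */
static void parse_expr(void) {
    size_t start = strlen(out);
    parse_term();
    while (is_and(peek()) || is_or(peek())) {
        const char *op = is_and(peek()) ? " and " : " or ";
        pos++;
        if (strlen(out) + 1 >= sizeof out) return;
        memmove(out + start + 1, out + start, strlen(out) - start + 1);  /* open a "(" */
        out[start] = '(';
        emit(op);
        parse_term();
        emit(")");
    }
}

/* Render expr fully parenthesised, with inherited qualifiers spelled out. */
const char *normalize_filter(const char *expr) {
    tokenize(expr);
    parse_expr();
    return out;
}

int main(int argc, char **argv) {
    const char *samples[] = { "not host vs and ace", "not ( host vs or ace )",
                              "host helios and (hot or ace)",
                              "gateway snup and (port ftp or ftp-data)",
                              "ip host ace and not helios" };
    if (argc > 1) { printf("%s\n", normalize_filter(argv[1])); return 0; }
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-42s => %s\n", samples[i], normalize_filter(samples[i]));
    return 0;
}
```

Run it with no arguments to see the man page's own examples rendered, or pass a filter as one quoted argument (exactly as you would to tcpdump) to check what the precedence rules make of it before handing it to pcap_compile().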

EXAMPLES
       To print all packets arriving at or departing from sundown:
              tcpdump host sundown

       To print traffic between helios and either hot or ace:
              tcpdump host helios and \( hot or ace \)

       To print all IP packets between ace and any host except helios:
              tcpdump ip host ace and not helios

       To print all traffic between local hosts and hosts at Berkeley:
              tcpdump net ucb-ether

       To print all ftp traffic through internet gateway snup: (note that the
       expression is quoted to prevent the shell from (mis-)interpreting the
       parentheses):
              tcpdump 'gateway snup and (port ftp or ftp-data)'

       To print traffic neither sourced from nor destined for local hosts (if
       you gateway to one other net, this stuff should never make it onto your
       local net).
              tcpdump ip and not net localnet

       To print the start and end packets (the SYN and FIN packets) of each TCP
       conversation that involves a non-local host.
              tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

       To print IP packets longer than 576 bytes sent through gateway snup:
              tcpdump 'gateway snup and ip[2:2] > 576'

       To print IP broadcast or multicast packets that were not sent via
       ethernet broadcast or multicast:
              tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

       To print all ICMP packets that are not echo requests/replies (i.e., not
       ping packets):
              tcpdump 'icmp[0] != 8 and icmp[0] != 0'

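To make the offsets in these examples concrete, here is an added C example (not from the tutorial, and not using libpcap) that builds a constructed Ethernet/IPv4 frame and evaluates the man page's byte tests by hand: `ip[k]` counts from the start of the IP header (frame byte 14 on Ethernet), `tcp[k]` and `icmp[k]` count from the start of the transport header at IHL*4, and the transport accessors return nothing on a non-first fragment, which is the implicit check the man page describes. This is what pcap_compile() turns the same expressions into as BPF loads and masks. The frame builder, its addresses (192.168.1.104 and so on) and the scenarios are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14            /* DLT_EN10MB: ip[0] is frame byte 14 (assumption) */
#define ETHERTYPE_IP 0x0800
#define PROTO_ICMP 1
#define PROTO_TCP  6

/* ip[k]: byte k of the IPv4 header, or -1 if not IPv4 / out of range */
static int ip_byte(const uint8_t *f, size_t len, size_t k) {
    if (len < ETH_HLEN + 20 || ((f[12] << 8) | f[13]) != ETHERTYPE_IP) return -1;
    return ETH_HLEN + k < len ? f[ETH_HLEN + k] : -1;
}
/* ip[k:2]: 16-bit big-endian field at byte k of the IPv4 header */
static int ip_word(const uint8_t *f, size_t len, size_t k) {
    int hi = ip_byte(f, len, k), lo = ip_byte(f, len, k + 1);
    return (hi < 0 || lo < 0) ? -1 : (hi << 8) | lo;
}
/* ip[6:2] & 0x1fff = 0: fragment offset zero (unfragmented or first fragment) */
int is_first_fragment(const uint8_t *f, size_t len) {
    int w = ip_word(f, len, 6);
    return w >= 0 && (w & 0x1fff) == 0;
}
/* Transport-header byte k for protocol proto. As with pcap's tcp[]/udp[]/icmp[]
 * index operations the offset is ETH_HLEN + IHL*4, and the lookup is only valid
 * on the first fragment: a later fragment carries no transport header, so its
 * "byte 13" would be payload, not TCP flags. */
static int l4_byte(const uint8_t *f, size_t len, int proto, size_t k) {
    int b0 = ip_byte(f, len, 0);
    if (b0 < 0 || ip_byte(f, len, 9) != proto || !is_first_fragment(f, len)) return -1;
    size_t off = ETH_HLEN + (size_t)(b0 & 0xf) * 4 + k;
    return off < len ? f[off] : -1;
}

/* ether[0] & 1 != 0: multicast or broadcast destination MAC */
int is_ether_multicast(const uint8_t *f, size_t len) { return len >= ETH_HLEN && (f[0] & 1) != 0; }
/* ip[0] & 0xf != 5: IHL other than 5 words, i.e. IP options present */
int has_ip_options(const uint8_t *f, size_t len) { int b = ip_byte(f, len, 0); return b >= 0 && (b & 0xf) != 5; }
/* ip[2:2] > n: total length field */
int ip_longer_than(const uint8_t *f, size_t len, int n) { return ip_word(f, len, 2) > n; }
/* ip[16] >= 224: first octet of the destination address (multicast/broadcast range) */
int is_ip_mcast_dst(const uint8_t *f, size_t len) { return ip_byte(f, len, 16) >= 224; }
/* tcp[13] & 3 != 0: SYN (0x02) or FIN (0x01) set */
int is_tcp_syn_or_fin(const uint8_t *f, size_t len) { int b = l4_byte(f, len, PROTO_TCP, 13); return b >= 0 && (b & 3) != 0; }
/* icmp[0] != 8 and icmp[0] != 0: ICMP other than echo request/reply */
int is_icmp_not_ping(const uint8_t *f, size_t len) { int t = l4_byte(f, len, PROTO_ICMP, 0); return t >= 0 && t != 8 && t != 0; }

/* Constructed test frame (not captured traffic): Ethernet + 20-byte IPv4 header
 * without options + 20 zero bytes of transport header in which only byte 0
 * (ICMP type) and byte 13 (TCP flags) are set. frag_field is ip[6:2] verbatim. */
size_t build_frame(uint8_t *buf, uint8_t dst_mac0, uint8_t proto, uint16_t frag_field,
                   uint8_t dst_ip0, uint8_t l4_byte0, uint8_t l4_byte13) {
    memset(buf, 0, ETH_HLEN + 40);
    buf[0] = dst_mac0;                              /* other MAC bytes left zero */
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[3] = 40;                                     /* total length 40 */
    ip[6] = (uint8_t)(frag_field >> 8); ip[7] = (uint8_t)frag_field;
    ip[8] = 64; ip[9] = proto;
    ip[12] = 192; ip[13] = 168; ip[14] = 1; ip[15] = 104;   /* src 192.168.1.104 */
    ip[16] = dst_ip0; ip[19] = 1;                   /* dst dst_ip0.0.0.1 */
    uint8_t *l4 = ip + 20;
    l4[0] = l4_byte0; l4[13] = l4_byte13;
    return ETH_HLEN + 40;
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_frame(buf, 0x00, PROTO_TCP, 0x4000, 10, 0, 0x02);   /* SYN, DF set */
    printf("unfragmented SYN: tcp[13] & 3 != 0 -> %d\n", is_tcp_syn_or_fin(buf, n));
    n = build_frame(buf, 0x00, PROTO_TCP, 0x0001, 10, 0, 0x02);          /* fragment offset 1 */
    printf("second fragment : tcp[13] & 3 != 0 -> %d (byte 13 is payload here)\n",
           is_tcp_syn_or_fin(buf, n));
    n = build_frame(buf, 0x00, PROTO_ICMP, 0, 10, 3, 0);                 /* ICMP dest unreachable */
    printf("icmp type 3     : not ping -> %d\n", is_icmp_not_ping(buf, n));
    n = build_frame(buf, 0x00, 17, 0, 224, 0, 0);                        /* unicast MAC, multicast IP */
    printf("ether[0] & 1 = 0 and ip[16] >= 224 -> %d\n",
           !is_ether_multicast(buf, n) && is_ip_mcast_dst(buf, n));
    return 0;
}
```

The second scenario is the point the man page makes: the fragment's byte at the "tcp[13]" position still holds 0x02, but because ip[6:2] & 0x1fff is non-zero the accessor refuses it, just as the compiled filter would.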

Ok, so that is a lot of info (and probably more than we need) but it gives us a
starting point. So let's give this a shot... on my network I have a linux box and
a windoze machine connected to a non-switched hub. Therefore, if I place my ethernet card
in promiscuous mode on my linux machine I should be able to see all traffic going
to (and coming from) my windows machine. So let's see if the examples from the
man page will work if directly fed to pcap_compile..

Consider the following program...

/**********************************************************************
* file:   testpcap3.c
* date:   Sat Apr 07 23:23:02 PDT 2001
* Author: Martin Casado
* Last Modified:2001-Apr-07 11:23:05 PM
*
* Investigate using filter programs with pcap_compile() and
* pcap_setfilter()
*
**********************************************************************/

#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>

/* just print a count every time we have a packet...                        */
void my_callback(u_char *useless, const struct pcap_pkthdr *pkthdr,
                 const u_char *packet)
{
    static int count = 1;
    (void)useless; (void)pkthdr; (void)packet;   /* not inspected yet */
    fprintf(stdout, "%d, ", count);
    fflush(stdout);
    count++;
}

int main(int argc, char **argv)
{
    char *dev;
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *descr;
    struct bpf_program fp;      /* holds the compiled filter program */
    bpf_u_int32 maskp;          /* subnet mask of dev                */
    bpf_u_int32 netp;           /* network address of dev            */

    if (argc != 2) {
        fprintf(stdout, "Usage: %s \"filter program\"\n", argv[0]);
        return 0;
    }

    /* grab a device to peek into... (pcap_lookupdev() is deprecated in
     * current libpcap in favour of pcap_findalldevs(), but still works) */
    dev = pcap_lookupdev(errbuf);
    if (dev == NULL) {
        fprintf(stderr, "%s\n", errbuf);
        exit(1);
    }

    /* ask pcap for the network address and mask of the device; the mask is
     * what pcap_compile() needs to resolve "ip broadcast". On failure fall
     * back to "unknown" rather than passing an uninitialised value.        */
    if (pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1) {
        fprintf(stderr, "pcap_lookupnet(): %s\n", errbuf);
        netp = 0;
        maskp = PCAP_NETMASK_UNKNOWN;
    }

    /* open device for reading; this time set promiscuous mode (third
     * argument = 1) so we can monitor traffic to another machine. The
     * fourth argument is the read timeout in milliseconds.              */
    descr = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (descr == NULL) {
        fprintf(stderr, "pcap_open_live(): %s\n", errbuf);
        exit(1);
    }

    /* Lets try and compile the program.. non-optimized. The last argument
     * is the netmask, so pass maskp (not the network address netp).        */
    if (pcap_compile(descr, &fp, argv[1], 0, maskp) == -1) {
        fprintf(stderr, "Error calling pcap_compile: %s\n", pcap_geterr(descr));
        exit(1);
    }

    /* set the compiled program as the filter */
    if (pcap_setfilter(descr, &fp) == -1) {
        fprintf(stderr, "Error setting filter: %s\n", pcap_geterr(descr));
        exit(1);
    }
    pcap_freecode(&fp);         /* pcap keeps its own copy once it is set */

    /* ... and loop */
    pcap_loop(descr, -1, my_callback, NULL);

    pcap_close(descr);
    return 0;
}


So, this program accepts a string from the user (similar to tcpdump), compiles it
and sets it as a filter. Let's go ahead and try it with an example similar to the
one in the tcpdump examples..

[root@localhost libpcap]# gcc testpcap3.c -lpcap
[root@localhost libpcap]# ./a.out "host www.google.com"
(** try and ping www.slashdot.org ... nothing **)
(** try and ping www.google.com **)
1, 2, 3, 4, 5, 6,
(** hurray! **)

It looks like our filter program worked!!! Let's try to see if we can capture
packets from a different machine on the same network.... how about my windows
machine when it connects to battle.net..

[root@localhost libpcap]# ./a.out "src 192.168.1.104"
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,

Yes yes!!! we are getting very close to actually having some power, but first we
need to find out how to look inside the packets and pull out information. At last!
The next section will delve into dissecting packets so we can really analyze what is
going on in our networks!!

--------------------------------------------------------------------------------


--
telnet apue.dhs.org 2323 or http://apue.dhs.org
APUE: UNIX environment programming
UNP: UNIX network programming
UKP: UNIX kernel programming
BIBLE: tips from the masters
FTPDOC: shared resources
※ Source: UNIX Programming www.tiaozhan.com/unixbbs/ [FROM: 202.114.36.176]

</small><hr>
</table>
</body>
</html>
