<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm Essence Collection Download</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX Network Programming (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif" border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">Back to start</a>][<a href="317.htm">Up one level</a>][<a href="440.htm">Next</a>]
<hr><p align="left"><small>From: dexi (破华胜->去死吧), Board: Socket <br>
Subject: [Repost] A detailed explanation of a sniffer program [English] <br>
Site: 华南网木棉站 (Sun Jul 9 23:56:04 2000), local mail <br>
[ The following text is reposted from the Hacker discussion board ] <br>
[ Original post by superoscar ] <br>
Basic Packet-Sniffer Construction from the Ground Up <br>
Part 1 <br>
by Chad Renfro <br>
raw_sock@hotmail.com <br>
Packet sniffers are applications used by network administrators to monitor and validate network traffic.
Sniffers are programs used to read packets that travel across the network at various levels of the OSI layer.
And like most security tools, sniffers too can be used for both good and destructive purposes. On the light-side
of network administration sniffers help quickly track down problems such as bottlenecks and misplaced filters.
However on the dark-side sniffers can be used to reap tremendous amounts of havoc by gathering legitimate user
names and passwords so that other machines can be quickly compromised. Hopefully this paper will be used to help
administrators gain control of their networks by being able to analyze network traffic not only by using
preconstructed sniffers but by being able to create their own. <br>
This paper will look at the packet sniffer from the bottom up, looking in depth at the sniffer core and then
gradually adding functionality to the application. The example included here will help illustrate some rather
cumbersome issues when dealing with network programming. In no way will this single paper teach a person to write
a complete sniffing application like tcpdump or sniffit. It will however teach some very fundamental issues that
are inherent to all packet sniffers, like how the packets are accessed on the network and how to work with the
packets at different layers. <br>
The most basic sniffer... <br>
Sniffer #1. <br>
This sniffer will illustrate the use of the SOCK_RAW device and show how to gather packets from the network and
print out some simple header information to std_out. Although the basic premise is that packet sniffers operate in
a promiscuous mode which listens to all packets whether or not the packet is destined for the machine's MAC
address, this example will collect packets in a non-promiscuous mode. This will let us concentrate on the SOCK_RAW
device for the first example. To operate this same code in a promiscuous mode the network card may be put in a
promiscuous mode manually. To do this type this in after the log in : <br>
> su - <br>
Password : ******** <br>
# ifconfig eth0 promisc <br>
This will now set the network interface eth0 in promiscuous mode. <br>
/************************simple_Tcp_sniff.c********************/ <br>
1. #include <stdio.h> <br>
2. #include <sys/socket.h> <br>
3. #include <netinet/in.h> <br>
4. #include <arpa/inet.h> <br>
5. #include "headers.h" <br>
6. int main() <br>
7. { <br>
8. int sock, bytes_recieved; socklen_t fromlen; /* recvfrom() expects a socklen_t for the address length */ <br>
9. char buffer[65535]; <br>
10. struct sockaddr_in from; <br>
11. struct ip *ip; <br>
12. struct tcp *tcp; <br>
13. <br>
14. if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) { perror("socket"); return 1; } /* raw sockets need root */ <br>
15. while(1) <br>
16. { <br>
17. fromlen = sizeof from; <br>
18. bytes_recieved = recvfrom(sock, buffer, sizeof buffer, 0, (struct sockaddr *)&from, &fromlen); if (bytes_recieved < 0) { perror("recvfrom"); break; } <br>
19. printf("\nBytes received ::: %5d\n",bytes_recieved); <br>
20. printf("Source address ::: %s\n",inet_ntoa(from.sin_addr)); <br>
21. ip = (struct ip *)buffer; /* the IP header is at the start of the buffer */ <br>
22. printf("IP header length ::: %d\n",ip->ip_length); <br>
23. printf("Protocol ::: %d\n",ip->ip_protocol); <br>
24. tcp = (struct tcp *)(buffer + (4*ip->ip_length)); /* TCP header follows the IP header; ip_length is in 32-bit words */ <br>
25. printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port)); <br>
26. printf("Dest port ::: %d\n",ntohs(tcp->tcp_dest_port)); <br>
27. } <br>
28. } <br>
/***********************EOF**********************************/ <br>
What this means : <br>
Line 1-4 : <br>
These are the header files required to use some needed C functions we will use later: <br>
<stdio.h> = functions like printf and std_out <br>
<sys/socket.h> = this will give access to the SOCK_RAW and the IPPROTO_TCP defines <br>
<netinet/in.h> = structs like the sockaddr_in <br>
<arpa/inet.h> = lets us use the functions to do network to host byte order conversions <br>
line 5 : <br>
This is the header file headers.h that is also included with this program to give standard structures to access
the ip and tcp fields. The structures identify each field in the ip and tcp header, for instance : <br>
struct ip { <br>
unsigned int ip_length:4; /* length of ip-header in 32-bit words */ <br>
unsigned int ip_version:4; /* set to "4", for Ipv4 */ <br>
unsigned char ip_tos; /* type of service */ <br>
unsigned short ip_total_length; /* Total length of ip datagram in bytes */ <br>
unsigned short ip_id; /* identification field */ <br>
unsigned short ip_flags; <br>
unsigned char ip_ttl; /* time-to-live, sets upper limit for max number of routers to go through before the packet is discarded */ <br>
unsigned char ip_protocol; /* identifies the correct transport protocol */ <br>
unsigned short ip_cksum; /* calculated for the ip header ONLY */ <br>
unsigned int ip_source; /* source ip */ <br>
unsigned int ip_dest; /* dest ip */ <br>
}; <br>
struct tcp { <br>
unsigned short tcp_source_port; /* tcp source port */ <br>
unsigned short tcp_dest_port; /* tcp dest port */ <br>
unsigned int tcp_seqno; /* tcp sequence number, identifies the byte in the stream of data */ <br>
unsigned int tcp_ackno; /* contains the next seq num that the sender expects to receive */ <br>
unsigned int tcp_res1:4, /* little-endian */ <br>
tcp_hlen:4, /* length of tcp header in 32-bit words */ <br>
tcp_fin:1, /* Finish flag "fin" */ <br>
tcp_syn:1, /* Synchronize sequence numbers to start a connection */ <br>
tcp_rst:1, /* Reset flag */ <br>
tcp_psh:1, /* Push, sends data to the application */ <br>
tcp_ack:1, /* acknowledge */ <br>
tcp_urg:1, /* urgent pointer */ <br>
tcp_res2:2; <br>
unsigned short tcp_winsize; /* maximum number of bytes able to receive */ <br>
unsigned short tcp_cksum; /* checksum to cover the tcp header and data portion of the packet */ <br>
unsigned short tcp_urgent; /* valid only if the urgent flag is set, used to transmit emergency data */ <br>
}; <br>
line 8-13 : <br>
This is the variable declaration section <br>
integers : <br>
sock = socket file descriptor <br>
bytes_recieved = bytes read from the open socket "sock" <br>
fromlen = the size of the from structure <br>
char : <br>
buffer = where the ip packet that is read off the wire will be held; buffer will hold a datagram of 65535 bytes,
which is the maximum length of an ip datagram. <br>
Struct sockaddr_in : <br>
struct sockaddr_in { <br>
short int sin_family; /* Address family */ <br>
unsigned short int sin_port; /* Port number */ <br>
struct in_addr sin_addr; /* Internet address */ <br>
unsigned char sin_zero[8]; /* Same size as struct sockaddr */ <br>
}; <br>
Before we go any further two topics should be covered, byte-ordering and sockaddr structures. Byte-ordering is the
way that the operating system stores bytes in memory. There are two ways that this is done: first with the
low-order byte at the starting address, this is known as "little-endian" or host-byte order. Next, bytes can be
stored with the high order byte at the starting address, this is called "big-endian" or network byte order. <br>
The Internet protocol uses >>>>>> network byte order. <br>
This is important because if you are working on an intel based linux box you will be programming on a
little-endian machine and to send data via ip you must convert the bytes to network-byte order. For example, lets
say we are going to store a 2-byte number in memory, say the value is (in hex) 0x0203 <br>
First this is how the value is stored on a big-endian machine: <br>
___________ <br>
| 02 | 03 | <br>
|_____|_____| <br>
address: 0 1 <br>
And here is the same value on a little-endian machine: <br>
___________ <br>
|03 | 02 | <br>
|_____|_____| <br>
address: 1 0 <br>
The same value is being represented in both examples, it is just how we order the bytes that changes. <br>
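As an added example (not code from the article and not its headers.h), here is a small C program that does the
same header walk as lines 21-26 of simple_Tcp_sniff.c, but on a constructed 40-byte TCP SYN datagram instead of a
live raw socket, so it runs without root. It pulls the version and header-length nibbles and the ports out with
explicit byte arithmetic and ntohs/ntohl (avoiding the compiler-dependent bit-field layout of struct ip), checks
the length fields before following them into the TCP header, which the original sniffer does not, and reports
whether the host it runs on stores the low-order byte first. parse_tcp_packet, pkt_summary, sample_syn and the
packet bytes are names and data chosen for this example. <br>

```c
/* Added example: parse an IPv4/TCP header from a constructed buffer with
 * explicit byte arithmetic. Names and sample bytes are chosen here. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs, ntohl, htonl, inet_ntop */
#include <netinet/in.h>  /* IPPROTO_TCP, struct in_addr, INET_ADDRSTRLEN */

struct pkt_summary {
    int ihl_words;            /* IP header length in 32-bit words (ip_length) */
    int protocol;             /* ip_protocol */
    int total_length;         /* ip_total_length, in host order */
    uint32_t src_ip, dst_ip;  /* host order */
    int src_port, dst_port;   /* host order */
    int syn, ack, fin;        /* TCP flag bits */
};

/* Returns 0 and fills *out on success, -1 if the buffer is too short or the
 * header is malformed. The article's sniffer trusts ip_length blindly; a bogus
 * value there would make it read TCP fields from the wrong offset. */
int parse_tcp_packet(const unsigned char *buf, size_t len, struct pkt_summary *out)
{
    if (len < 20) return -1;                 /* minimal IPv4 header */
    int version = buf[0] >> 4;               /* high nibble of byte 0 */
    int ihl = buf[0] & 0x0f;                 /* low nibble: header length in words */
    if (version != 4 || ihl < 5) return -1;
    size_t ip_hlen = (size_t)ihl * 4;        /* same as 4*ip->ip_length */
    /* Wire fields are big-endian: either assemble the bytes explicitly ... */
    int total = (buf[2] << 8) | buf[3];
    if (total < (int)ip_hlen || (size_t)total > len) return -1;
    if (buf[9] != IPPROTO_TCP) return -1;
    if (len < ip_hlen + 20) return -1;       /* minimal TCP header */
    const unsigned char *tcp = buf + ip_hlen;
    int tcp_hlen = (tcp[12] >> 4) * 4;       /* data offset, high nibble of byte 12 */
    if (tcp_hlen < 20 || ip_hlen + tcp_hlen > (size_t)total) return -1;

    out->ihl_words = ihl;
    out->protocol = buf[9];
    out->total_length = total;
    /* ... or copy the raw bytes and let ntohs/ntohl swap them, as the article does. */
    uint32_t addr_n; uint16_t port_n;
    memcpy(&addr_n, buf + 12, 4); out->src_ip = ntohl(addr_n);
    memcpy(&addr_n, buf + 16, 4); out->dst_ip = ntohl(addr_n);
    memcpy(&port_n, tcp, 2);      out->src_port = ntohs(port_n);
    memcpy(&port_n, tcp + 2, 2);  out->dst_port = ntohs(port_n);
    out->fin = tcp[13] & 0x01;
    out->syn = (tcp[13] >> 1) & 0x01;
    out->ack = (tcp[13] >> 4) & 0x01;
    return 0;
}

/* Constructed sample: 40-byte IPv4 datagram carrying a TCP SYN, 192.168.1.10:40000 -> 10.0.0.5:80. */
static const unsigned char sample_syn[40] = {
    0x45, 0x00, 0x00, 0x28,  /* version 4, IHL 5, TOS 0, total length 40 */
    0x1c, 0x46, 0x40, 0x00,  /* identification, flags (DF) / fragment offset */
    0x40, 0x06, 0x00, 0x00,  /* TTL 64, protocol 6 (TCP), checksum left 0 */
    0xc0, 0xa8, 0x01, 0x0a,  /* source 192.168.1.10 */
    0x0a, 0x00, 0x00, 0x05,  /* destination 10.0.0.5 */
    0x9c, 0x40, 0x00, 0x50,  /* source port 40000, destination port 80 */
    0x00, 0x00, 0x00, 0x01,  /* sequence number 1 */
    0x00, 0x00, 0x00, 0x00,  /* acknowledgement number */
    0x50, 0x02, 0xff, 0xff,  /* data offset 5, flags SYN, window 65535 */
    0x00, 0x00, 0x00, 0x00   /* checksum, urgent pointer */
};

/* Parses the sample; returns an all-zero summary if parsing fails. */
struct pkt_summary parse_sample_syn(void)
{
    struct pkt_summary s;
    memset(&s, 0, sizeof s);
    parse_tcp_packet(sample_syn, sizeof sample_syn, &s);
    return s;
}

/* Same packet claiming an IP header of 4 words (below the 5-word minimum); returns 1 if rejected. */
int sample_with_bad_ihl_rejected(void)
{
    unsigned char pkt[sizeof sample_syn];
    struct pkt_summary s;
    memcpy(pkt, sample_syn, sizeof pkt);
    pkt[0] = 0x44;
    return parse_tcp_packet(pkt, sizeof pkt, &s) == -1;
}

/* Stores 0x0203 and looks at the first byte: 0x03 first means little-endian. */
int host_is_little_endian(void)
{
    uint16_t v = 0x0203;
    unsigned char b[2];
    memcpy(b, &v, 2);
    return b[0] == 0x03;
}

int main(void)
{
    struct pkt_summary s = parse_sample_syn();
    struct in_addr a;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    a.s_addr = htonl(s.src_ip); inet_ntop(AF_INET, &a, src, sizeof src);
    a.s_addr = htonl(s.dst_ip); inet_ntop(AF_INET, &a, dst, sizeof dst);
    printf("IP header length ::: %d words, protocol ::: %d, total ::: %d\n", s.ihl_words, s.protocol, s.total_length);
    printf("%s:%d -> %s:%d syn=%d ack=%d fin=%d\n", src, s.src_port, dst, s.dst_port, s.syn, s.ack, s.fin);
    printf("bad IHL rejected: %d, host is little-endian: %d\n", sample_with_bad_ihl_rejected(), host_is_little_endian());
    return 0;
}
```

The ports come out as 40000 and 80 whichever way the host stores bytes, because ntohs undoes the network
ordering; the explicit shift-and-or on the total-length field is the portable way to get the same value without
relying on the bit-field ordering that the article's headers.h marks as "little-endian". <br>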
The next topic that you must understand is the sockaddr vs. the sockaddr_in structures. The struct sockaddr is
used to hold information about the socket such as the family type and other address information, it looks like : <br>
struct sockaddr { <br>
unsigned short sa_family; /* address family */ <br>
char sa_data[14]; /* address data */ <br>