wpcap_tut6.txt

用来监视网络通信数据的源代码和应用程序,方便网络程序底层开发.

/** @ingroup wpcap_tut
 */

/** @defgroup wpcap_tut6 Interpreting the packets
 *  @{

Now that we are able to sniff and filter the traffic, we want to put our knowledge in practice with a first simple "real world" application. 

In this lesson we will take the code of the previous lessons and extend it to build a more useful program; the main purpose is to show how the content of a captured packet, and in particular its protocol headers can be parsed and interpreted. The resulting application, called UDPdump, will print on the screen a summary of the UDP traffic of our network.

We choose to display the UDP protocol because it's simpler than TCP, so it's more immediate from a didactic perspective. Let's give a look at the code.

\include UDPdump/udpdump.c

First of all, we set the filter "ip and udp". In this way we are sure that packet_handler() will receive only UDP packets over IPv4: this simplifies the parsing and increases the efficiency of the program.

We have also created a couple of structs that describe the IP and UDP headers. These structs are used by packet_handler() to properly locate the various header fields. 

packet_handler(), although limited to a single protocol dissector (UDP over IPv4), shows how complex sniffers like tcpdump/WinDump decode the network traffic. First of all, since we aren't interested in the MAC header, we skip it. For simplicity, before starting the capture we made a check on the MAC layer with pcap_datalink(), so that UDPdump will work only on Ethernet networks. In this way we are sure that the MAC header is exactly 14 bytes.

The IP header is located just after the MAC one. We extract from it the source and destination addresses.

Reaching the UDP header is a bit more complex, because the IP header hasn't a fixed length. Therefore, we use the internet header length field to know its dimension. Once we know the location of the UDP header, we extract the source and destination ports.

The extracted values are printed on the screen, and the result is something like:

<tt>
1. \Device\Packet_{A7FD048A-5D4B-478E-B3C1-34401AC3B72F} (Xircom
t 10/100 Adapter) \n
Enter the interface number (1-2):1\n

listening on Xircom CardBus Ethernet 10/100 Adapter... \n
16:13:15.312784 len:87 130.192.31.67.2682 -> 130.192.3.21.53 \n
16:13:15.314796 len:137 130.192.3.21.53 -> 130.192.31.67.2682 \n
16:13:15.322101 len:78 130.192.31.67.2683 -> 130.192.3.21.53 \n
</tt>

In which every line represents a different packet.

\ref wpcap_tut5 "<<< Previous" \ref wpcap_tut7 "Next >>>"

@}*/