struct bpf_program fcode;
data_link_header* dh;
ip_header* ih;
udp_header* uh;
tcp_header* th;
u_int ip_len;
u_short sport, dport;
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t* fp;
if((fp = pcap_open_offline(m_pck_file,errbuf)) == NULL)
{
MessageBox("所选的数据包文件不正确!");
return;
}
/* complie the filter */
if (pcap_compile(fp, &fcode, packet_filter, 1, 0xffffffff) < 0)
{
fprintf(stderr, "\nUnable to compile the packet filter. Check the syntax.\n");
}
/* set the filter */
if (pcap_setfilter(fp, &fcode) < 0)
{
fprintf(stderr, "\nError setting the filter.\n");
}
/* Start the capture */
while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
{
if (res == 0)
{
continue; //Timeout elapsed
}
/* convert the timestamp to readable format */
ltime = localtime(&header->ts.tv_sec);
//strftime(timestr, sizeof(timestr), "%Y-%m-%d %H:%M:%S.", ltime);
//sprintf(timestr1,"%.6d",header->ts.tv_usec);
//strcat(timestr,timestr1);
strftime(timestr, sizeof(timestr), "%Y-%m-%d %H:%M:%S", ltime);
/*retrieve the position of the mac header*/
dh = (data_link_header*)pkt_data;
switch(ntohs(dh->type))
{
case 0x0800: //analysis of IP
/* retrieve the position of the ip header */
ih = (ip_header*)(pkt_data + 14); /* length of ethernet header */
ip_len = (ih->ver_ihl & 0xf) * 4;
switch(ih->proto)
{
/* retrieve the position of the udp header */
case 6: //analysis of UDP
th = (tcp_header*)((u_char*)ih + ip_len);
/* convert from network byte order to host byte order */
sport = ntohs(th->sport);
dport = ntohs(th->dport);
switch(dport)
{
case 21: sprintf(protocol,"%s", "FTP");break;
case 23: sprintf(protocol,"%s", "TELNET");break;
case 25: sprintf(protocol,"%s", "SMTP");break;
case 8080: sprintf(protocol,"%s", "HTTP");break;
default: sprintf(protocol,"%s", "TCP");break;
}
break;
/* retrieve the position of the tcp header */
case 17: //analysis of TCP
uh = (udp_header*)((u_char*)ih + ip_len);
/* convert from network byte order to host byte order */
sport = ntohs(uh->sport);
dport = ntohs(uh->dport);
switch(dport)
{
case 53: sprintf(protocol, "%s", "DNS");break;
case 69: sprintf(protocol, "%s", "TFTP");break;
case 161: sprintf(protocol, "%s", "SNMP");break;
case 162: sprintf(protocol, "%s", "SNMP(trap)");break;
default: sprintf(protocol, "%s", "UDP");break;
}
break;
}
sprintf(srcIP,"%d.%d.%d.%d",ih->saddr.byte1,ih->saddr.byte2,ih->saddr.byte3,ih->saddr.byte4);
sprintf(dstIP,"%d.%d.%d.%d",ih->daddr.byte1,ih->daddr.byte2,ih->daddr.byte3,ih->daddr.byte4);
strSQL.Format("insert into file_pck(f_proto,f_src_ip,f_dst_ip,f_src_port,f_dst_port,f_len,f_b_time,f_bz) values('%s','%s','%s','%d','%d','%d','%s',0)",
protocol,srcIP,dstIP,sport,dport,header->len,timestr);
file_pck.m_db.ExecuteSQL(strSQL);
break;
/* case 0x0806: //analysis of ARP
arpp = (arp_proto*)(pkt_data + 14);
switch(ntohs(arpp->opcode))
{
case 0x0001:sprintf(protocol,"%s","ARP request");break;
case 0x0002:sprintf(protocol,"%s","ARP reply");break;
case 0x0003:sprintf(protocol,"%s","RARP request");break;
case 0x0004:sprintf(protocol,"%s","RARP reply");break;
}
sprintf(srcIP,"%d.%d.%d.%d",arpp->send_ip_addr.byte1,arpp->send_ip_addr.byte2,arpp->send_ip_addr.byte3,arpp->send_ip_addr.byte4);
sprintf(dstIP,"%d.%d.%d.%d",arpp->target_ip_addr.byte1,arpp->target_ip_addr.byte2,arpp->target_ip_addr.byte3,arpp->target_ip_addr.byte4);
break;
case 0x8035: //analysis of RARP
arpp = (arp_proto*)(pkt_data + 14);
switch(ntohs(arpp->opcode))
{
case 0x0001:sprintf(protocol,"%s","ARP request");break;
case 0x0002:sprintf(protocol,"%s","ARP reply");break;
case 0x0003:sprintf(protocol,"%s","RARP request");break;
case 0x0004:sprintf(protocol,"%s","RARP reply");break;
}
sprintf(srcIP,"%d.%d.%d.%d",arpp->send_ip_addr.byte1,arpp->send_ip_addr.byte2,arpp->send_ip_addr.byte3,arpp->send_ip_addr.byte4);
sprintf(dstIP,"%d.%d.%d.%d",arpp->target_ip_addr.byte1,arpp->target_ip_addr.byte2,arpp->target_ip_addr.byte3,arpp->target_ip_addr.byte4);
break;*/
default:printf("failed");break;
}
}
file_pck.m_db.Close();
if (res == -1)
{
printf("Error reading the packets: %s\n", pcap_geterr(fp));
return;
}
}
void pck_filter::filter()
{
    // Marks every pending row in file_pck (f_bz = 0) as processed (f_bz = 1).
    // When strSQL[0] is non-empty the update is restricted to rows matching
    // the OR-ed clauses strSQL[0], strSQL[1], ... up to the first empty element.
    //
    // NOTE(review): the clauses are spliced into the statement verbatim and
    // the statement is echoed in a MessageBox before it runs; if the clauses
    // originate from user input this is an SQL injection sink.
    // NOTE(review): the walk over strSQL ends only at an empty element — with
    // no empty sentinel it reads past the array (strSQL's declaration is not
    // in this file). TODO confirm a sentinel is always present.
    database_show file_pck;
    file_pck.DBConnect();

    CString statement = "update file_pck set f_bz = 1 where f_bz = 0";
    const bool has_clauses = (strSQL[0] != "");
    if (has_clauses)
    {
        statement += " and (" + strSQL[0];
        for (int idx = 1; strSQL[idx] != ""; ++idx)
        {
            statement += " or " + strSQL[idx];
        }
        statement += ")";
    }

    MessageBox(statement);
    file_pck.m_db.ExecuteSQL(statement);
    file_pck.m_db.Close();
}
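void pck_filter::TimeCount() // compute how long each conversation lasted
{
    // Groups the captured packets in file_pck into conversations.  For every
    // (src ip, dst ip) pair that still has a row flagged f_bz = 1 it loads the
    // pair's packets in time order, splits them into sessions wherever two
    // neighbouring packets are more than kSessionTimeoutSec apart, writes one
    // src_pck row per session (start time, duration in seconds) and then
    // deletes the pair's rows from file_pck.  Repeats until no flagged row is
    // left, then reports "finished".
    //
    // Changes vs. the previous revision:
    //  - the "delete from file_pck ..." text was handed to CString::Format()
    //    as the format string after splicing column values into it, so a '%'
    //    in a value would have been interpreted; it is now plain concatenation;
    //  - that delete is issued once per pair instead of once per session, and
    //    it now runs even when the pair's detail query returns no rows, which
    //    previously left the flagged row in place and the outer loop spinning;
    //  - the duration is cast to long and printed with "%ld", so the variadic
    //    argument matches the conversion whether CTimeSpan::GetTotalSeconds()
    //    returns a 32-bit or a 64-bit value;
    //  - rs_all is closed before the database connection is closed.
    //
    // NOTE(review): column values are still spliced into SQL text.  They are
    // dotted-quad strings written into file_pck by this program, so the
    // exposure is second-order, but a parameterised CRecordset would remove it.
    // NOTE(review): GetFieldValue() results are read through m_pstring/m_pdate
    // without checking varValue.m_dwType; a NULL column would dereference an
    // unset pointer — TODO confirm the columns are NOT NULL in the schema.
    // NOTE(review): LNode objects are raw-owned; a CDBException thrown while
    // the list is live leaks them.
    const long kSessionTimeoutSec = 180; // larger gaps start a new session (3 min)

    database_show t_count;
    t_count.DBConnect();
    CDBVariant varValue;
    CString f_src_ip;
    CString f_dst_ip;
    CRecordset rs_all(&t_count.m_db);
    CRecordset rs_part(&t_count.m_db);
    CTimeSpan ts;
    CString strSQL;
    CString b_time;

    for (;;)
    {
        rs_all.Open(CRecordset::dynaset, "select * from file_pck where f_bz = '1'");
        // GetRecordCount() reports records fetched so far; right after Open()
        // it is 0 exactly when the result set is empty, which is all we need.
        if (rs_all.GetRecordCount() == 0)
        {
            rs_all.Close();
            MessageBox("finished");
            break;
        }

        // Take the (src, dst) pair of the first flagged row.
        rs_all.MoveFirst();
        rs_all.GetFieldValue(1, varValue);
        f_src_ip = *varValue.m_pstring;
        rs_all.GetFieldValue(2, varValue);
        f_dst_ip = *varValue.m_pstring;
        rs_all.Close();

        // Rows arrive newest first; pushing each one at the head of the list
        // therefore leaves the list in ascending time order.
        rs_part.Open(CRecordset::dynaset,
                     "select * from file_pck where f_src_ip = '" + f_src_ip +
                     "' and f_dst_ip = '" + f_dst_ip + "' order by f_b_time desc");
        LNode* head = new LNode; // sentinel; packets hang off head->next
        head->next = NULL;
        rs_part.MoveFirst();
        while (!rs_part.IsEOF())
        {
            LNode* node = new LNode;
            rs_part.GetFieldValue(1, varValue);
            node->f_src_ip = *varValue.m_pstring;
            rs_part.GetFieldValue(2, varValue);
            node->f_dst_ip = *varValue.m_pstring;
            rs_part.GetFieldValue(6, varValue);
            node->tm = CTime(varValue.m_pdate->year, varValue.m_pdate->month, varValue.m_pdate->day,
                             varValue.m_pdate->hour, varValue.m_pdate->minute, varValue.m_pdate->second);
            node->next = head->next;
            head->next = node;
            rs_part.MoveNext();
        }
        rs_part.Close();

        // Carve the ascending list into sessions, one per loop iteration.
        while (head->next != NULL)
        {
            LNode* first = head->next;
            LNode* last = first;
            // Extend the session while the gap to the next packet is within the timeout.
            while (last->next != NULL)
            {
                ts = last->next->tm - last->tm;
                if (ts.GetTotalSeconds() > kSessionTimeoutSec)
                    break;
                last = last->next;
            }
            // Session duration = last packet - first packet.
            ts = last->tm - first->tm;
            b_time = first->tm.Format("%Y-%m-%d %H:%M:%S");
            // Record the session in src_pck.
            strSQL.Format("insert into src_pck(src_ip,dst_ip,b_time,l_time) values('%s','%s','%s','%ld')",
                          first->f_src_ip, first->f_dst_ip, b_time, static_cast<long>(ts.GetTotalSeconds()));
            t_count.m_db.ExecuteSQL(strSQL);

            // Unlink [first, last] from the list and free those nodes.
            LNode* stop = last->next;
            head->next = stop;
            while (first != stop)
            {
                LNode* dead = first;
                first = first->next;
                delete dead;
            }
        }
        delete head;

        // The pair is fully processed: drop its rows from file_pck.  Built by
        // concatenation, never as a format string, because the values are data.
        strSQL = "delete from file_pck where f_src_ip = '" + f_src_ip + "' and f_dst_ip = '" + f_dst_ip + "'";
        t_count.m_db.ExecuteSQL(strSQL);
    }
    t_count.m_db.Close();
}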
BOOL pck_filter::OnInitDialog()
{
    // Standard MFC start-up: let CDialog create and initialise the controls
    // before anything else happens.
    CDialog::OnInitDialog();

    // The dashed-line drawing experiment below was left disabled by the
    // author.  NOTE(review): if it is ever re-enabled, pDC is declared but
    // never obtained (e.g. from GetDC()), so it must be initialised first.
    /*CDC *pDC;
    UINT position = 10;
    int m=370,n=500;
    for(int x=0;x<28;x++)
    {
    CPen pen;
    pen.CreatePen(PS_DASH,x*1.2,RGB(245,120,225));
    CPen *oldPen = pDC->SelectObject(&pen);
    position += x*2+5;
    pDC->MoveTo(m,position);
    pDC->LineTo(n,position);
    pDC->SelectObject(oldPen);
    m=m-20;
    n=n-20;
    }*/

    // TRUE keeps the default focus control (OCX property pages return FALSE).
    return TRUE;
}