📄 packet32.c
字号:
\return On succeess, the return value is the pointer to a _PACKET structure otherwise the
return value is NULL.
The structure returned will be passed to the PacketReceivePacket() function to receive the
packets from the driver.
\warning The Buffer field of the _PACKET structure is not set by this function.
The buffer \b must be allocated by the application, and associated to the PACKET structure
with a call to PacketInitPacket.
*/
LPPACKET PacketAllocatePacket(void)
{
LPPACKET lpPacket;
lpPacket = (LPPACKET)GlobalAllocPtr(GMEM_MOVEABLE | GMEM_ZEROINIT,sizeof(PACKET));
if (lpPacket == NULL) {
ODS("PacketAllocatePacket: GlobalAlloc Failed\n");
return NULL;
}
return lpPacket;
}
/*!
\brief Frees a _PACKET structure.
\param lpPacket The structure to free.
\warning the user-allocated buffer associated with the _PACKET structure is not deallocated
by this function and \b must be explicitly deallocated by the programmer.
*/
VOID PacketFreePacket(LPPACKET lpPacket)
{
GlobalFreePtr(lpPacket);
}
/*!
\brief Initializes a _PACKET structure.
\param lpPacket The structure to initialize.
\param Buffer A pointer to a user-allocated buffer that will contain the captured data.
\param Length the length of the buffer. This is the maximum buffer size that will be
transferred from the driver to the application using a single read.
\note the size of the buffer associated with the PACKET structure is a parameter that can sensibly
influence the performance of the capture process, since this buffer will contain the packets received
from the the driver. The driver is able to return several packets using a single read call
(see the PacketReceivePacket() function for details), and the number of packets transferable to the
application in a call is limited only by the size of the buffer associated with the PACKET structure
passed to PacketReceivePacket(). Therefore setting a big buffer with PacketInitPacket can noticeably
decrease the number of system calls, reducing the impcat of the capture process on the processor.
*/
VOID PacketInitPacket(LPPACKET lpPacket,PVOID Buffer,UINT Length)
{
lpPacket->Buffer = Buffer;
lpPacket->Length = Length;
lpPacket->ulBytesReceived = 0;
lpPacket->bIoComplete = FALSE;
}
/*!
\brief Read data (packets or statistics) from the NPF driver.
\param AdapterObject Pointer to an _ADAPTER structure identifying the network adapter from which
the data is received.
\param lpPacket Pointer to a PACKET structure that will contain the data.
\param Sync This parameter is deprecated and will be ignored. It is present for compatibility with
older applications.
\return If the function succeeds, the return value is nonzero.
The data received with this function can be a group of packets or a static on the network traffic,
depending on the working mode of the driver. The working mode can be set with the PacketSetMode()
function. Give a look at that function if you are interested in the format used to return statistics
values, here only the normal capture mode will be described.
The number of packets received with this function is variable. It depends on the number of packets
currently stored in the driver抯 buffer, on the size of these packets and on the size of the buffer
associated to the lpPacket parameter. The following figure shows the format used by the driver to pass
packets to the application.
\image html encoding.gif "method used to encode the packets"
Packets are stored in the buffer associated with the lpPacket _PACKET structure. The Length field of
that structure is updated with the amount of data copied in the buffer. Each packet has a header
consisting in a bpf_hdr structure that defines its length and contains its timestamp. A padding field
is used to word-align the data in the buffer (to speed up the access to the packets). The bh_datalen
and bh_hdrlen fields of the bpf_hdr structures should be used to extract the packets from the buffer.
Examples can be seen either in the TestApp sample application (see the \ref packetsamps page) provided
in the developer's pack, or in the pcap_read() function of wpcap.
*/
BOOLEAN PacketReceivePacket(LPADAPTER AdapterObject,LPPACKET lpPacket,BOOLEAN Sync)
{
BOOLEAN res;
if ((int)AdapterObject->ReadTimeOut != -1)
WaitForSingleObject(AdapterObject->ReadEvent, (AdapterObject->ReadTimeOut==0)?INFINITE:AdapterObject->ReadTimeOut);
res = ReadFile(AdapterObject->hFile, lpPacket->Buffer, lpPacket->Length, &lpPacket->ulBytesReceived,NULL);
return res;
}
/*!
\brief Sends one (or more) copies of a packet to the network.
\param AdapterObject Pointer to an _ADAPTER structure identifying the network adapter that will
send the packets.
\param lpPacket Pointer to a PACKET structure with the packet to send.
\param Sync This parameter is deprecated and will be ignored. It is present for compatibility with
older applications.
\return If the function succeeds, the return value is nonzero.
This function is used to send a raw packet to the network. 'Raw packet' means that the programmer
will have to include the protocol headers, since the packet is sent to the network 'as is'.
The CRC needs not to be calculated and put at the end of the packet, because it will be transparently
added by the network interface.
The behavior of this function is influenced by the PacketSetNumWrites() function. With PacketSetNumWrites(),
it is possible to change the number of times a single write must be repeated. The default is 1,
i.e. every call to PacketSendPacket() will correspond to one packet sent to the network. If this number is
greater than 1, for example 1000, every raw packet written by the application will be sent 1000 times on
the network. This feature mitigates the overhead of the context switches and therefore can be used to generate
high speed traffic. It is particularly useful for tools that test networks, routers, and servers and need
to obtain high network loads.
The optimized sending process is still limited to one packet at a time: for the moment it cannot be used
to send a buffer with multiple packets.
\note The ability to write multiple packets is currently present only in the Windows NTx version of the
packet driver. In Windows 95/98/ME it is emulated at user level in packet.dll. This means that an application
that uses the multiple write method will run in Windows 9x as well, but its performance will be very low
compared to the one of WindowsNTx.
*/
BOOLEAN PacketSendPacket(LPADAPTER AdapterObject,LPPACKET lpPacket,BOOLEAN Sync)
{
DWORD BytesTransfered;
return WriteFile(AdapterObject->hFile,lpPacket->Buffer,lpPacket->Length,&BytesTransfered,NULL);
}
/*!
\brief Sends a buffer of packets to the network.
\param AdapterObject Pointer to an _ADAPTER structure identifying the network adapter that will
send the packets.
\param PacketBuff Pointer to buffer with the packets to send.
\param Size Size of the buffer pointed by the PacketBuff argument.
\param Sync if TRUE, the packets are sent respecting the timestamps. If FALSE, the packets are sent as
fast as possible
\return The amount of bytes actually sent. If the return value is smaller than the Size parameter, an
error occurred during the send. The error can be caused by a driver/adapter problem or by an
inconsistent/bogus packet buffer.
This function is used to send a buffer of raw packets to the network. The buffer can contain an arbitrary
number of raw packets, each of which preceded by a dump_bpf_hdr structure. The dump_bpf_hdr is the same used
by WinPcap and libpcap to store the packets in a file, therefore sending a capture file is straightforward.
'Raw packets' means that the sending application will have to include the protocol headers, since every packet
is sent to the network 'as is'. The CRC of the packets needs not to be calculated, because it will be
transparently added by the network interface.
\note Using this function if more efficient than issuing a series of PacketSendPacket(), because the packets are
buffered in the kernel driver, so the number of context switches is reduced.
\note When Sync is set to TRUE, the packets are synchronized in the kerenl with a high precision timestamp.
This requires a remarkable amount of CPU, but allows to send the packets with a precision of some microseconds
(depending on the precision of the performance counter of the machine). Such a precision cannot be reached
sending the packets separately with PacketSendPacket().
*/
INT PacketSendPackets(LPADAPTER AdapterObject, PVOID PacketBuff, ULONG Size, BOOLEAN Sync)
{
BOOLEAN Res;
DWORD BytesTransfered, TotBytesTransfered=0;
struct timeval BufStartTime;
LARGE_INTEGER StartTicks, CurTicks, TargetTicks, TimeFreq;
ODS("PacketSendPackets");
// Obtain starting timestamp of the buffer
BufStartTime.tv_sec = ((struct timeval*)(PacketBuff))->tv_sec;
BufStartTime.tv_usec = ((struct timeval*)(PacketBuff))->tv_usec;
// Retrieve the reference time counters
QueryPerformanceCounter(&StartTicks);
QueryPerformanceFrequency(&TimeFreq);
CurTicks.QuadPart = StartTicks.QuadPart;
do{
// Send the data to the driver
Res = DeviceIoControl(AdapterObject->hFile,
(Sync)?pBIOCSENDPACKETSSYNC:pBIOCSENDPACKETSNOSYNC,
(PCHAR)PacketBuff + TotBytesTransfered,
Size - TotBytesTransfered,
NULL,
0,
&BytesTransfered,
NULL);
TotBytesTransfered += BytesTransfered;
// calculate the time interval to wait before sending the next packet
TargetTicks.QuadPart = StartTicks.QuadPart +
(LONGLONG)
((((struct timeval*)((PCHAR)PacketBuff + TotBytesTransfered))->tv_sec - BufStartTime.tv_sec) * 1000000 +
(((struct timeval*)((PCHAR)PacketBuff + TotBytesTransfered))->tv_usec - BufStartTime.tv_usec)) *
(TimeFreq.QuadPart) / 1000000;
// Exit from the loop on termination or error
if(TotBytesTransfered >= Size || Res != TRUE)
break;
// Wait until the time interval has elapsed
while( CurTicks.QuadPart <= TargetTicks.QuadPart )
QueryPerformanceCounter(&CurTicks);
}
while(TRUE);
return TotBytesTransfered;
}
/*!
\brief Defines the minimum amount of data that will be received in a read.
\param AdapterObject Pointer to an _ADAPTER structure
\param nbytes the minimum amount of data in the kernel buffer that will cause the driver to
release a read on this adapter.
\return If the function succeeds, the return value is nonzero.
In presence of a large value for nbytes, the kernel waits for the arrival of several packets before
copying the data to the user. This guarantees a low number of system calls, i.e. lower processor usage,
i.e. better performance, which is a good setting for applications like sniffers. Vice versa, a small value
means that the kernel will copy the packets as soon as the application is ready to receive them. This is
suggested for real time applications (like, for example, a bridge) that need the better responsiveness from
the kernel.
\b note: this function has effect only in Windows NTx. The driver for Windows 9x doesn't offer
this possibility, therefore PacketSetMinToCopy is implemented under these systems only for compatibility.
*/
BOOLEAN PacketSetMinToCopy(LPADAPTER AdapterObject,int nbytes)
{
DWORD BytesReturned;
return DeviceIoControl(AdapterObject->hFile,pBIOCSMINTOCOPY,&nbytes,4,NULL,0,&BytesReturned,NULL);
}
/*!
\brief Sets the working mode of an adapter.
\param AdapterObject Pointer to an _ADAPTER structure.
\param mode The new working mode of the adapter.
\return If the function succeeds, the return value is nonzero.
The device driver of WinPcap has 4 working modes:
- Capture mode (mode = PACKET_MODE_CAPT): normal capture mode. The packets transiting on the wire are copied
to the application when PacketReceivePacket() is called. This is the default working mode of an adapter.
- Statistical mode (mode = PACKET_MODE_STAT): programmable statistical mode. PacketReceivePacket() returns, at
precise intervals, statics values on the network traffic. The interval between the statistic samples is
by default 1 second but it can be set to any other value (with a 1 ms precision) with the
PacketSetReadTimeout() function. The data returned by PacketReceivePacket() when the adapter is in statistical
mode is shown in the following figure:<p>
\image html stats.gif "data structure returned by statistical mode"
Two 64-bit counters are provided: the number of packets and the amount of bytes that satisfy a filter
previously set with PacketSetBPF(). If no filter has been set, all the packets are counted. The counters are
encapsulated in a bpf_hdr structure, so that they will be parsed correctly by wpcap. Statistical mode has a
very low impact on system performance compared to capture mode.
- Dump mode (mode = PACKET_MODE_DUMP): the packets are dumped to disk by the driver, in libpcap format. This
method is much faster than saving the packets after having captured them. No data is returned
by PacketReceivePacket(). If the application sets a filter with PacketSetBPF(), only the packets that satisfy
this filter are dumped to disk.
- Statitical Dump mode (mode = PACKET_MODE_STAT_DUMP): the packets are dumped to disk by the driver, in libpcap
format, like in dump mode. PacketReceivePacket() returns, at precise intervals, statics values on the
network traffic and on the amount of data saved to file, in a way similar to statistical mode.
The data returned by PacketReceivePacket() when the adapter is in statistical dump mode is shown in
the following figure:<p>
\image html dump.gif "data structure returned by statistical dump mode"
Three 64-bit counters are provided: the number of packets accepted, the amount of bytes accepted and the
effective amount of data (including headers) dumped to file. If no filter has been set, all the packets are
dumped to disk. The counters are encapsulated in a bpf_hdr structure, so that they will be parsed correctly
by wpcap.
Look at the NetMeter example in the
WinPcap developer's pack to see how to use statistics mode.
*/
BOOLEAN PacketSetMode(LPADAPTER AdapterObject,int mode)
{
DWORD BytesReturned;
return DeviceIoControl(AdapterObject->hFile,pBIOCSMODE,&mode,4,NULL,0,&BytesReturned,NULL);
}
/*!
\brief Sets the name of the file that will receive the packet when the adapter is in dump mode.
\param AdapterObject Pointer to an _ADAPTER structure.
\param name the file name, in ASCII or UNICODE.
\param len the length of the buffer containing the name, in bytes.
\return If the function succeeds, the return value is nonzero.
This function defines the file name that the driver will open to store the packets on disk when
it works in dump mode. The adapter must be in dump mode, i.e. PacketSetMode() should have been
called previously with mode = PACKET_MODE_DUMP. otherwise this function will fail.
If PacketSetDumpName was already invoked on the adapter pointed by AdapterObject, the driver
closes the old file and opens the new one.
*/
BOOLEAN PacketSetDumpName(LPADAPTER AdapterObject, void *name, int len)
{
DWORD BytesReturned;
WCHAR *FileName;
BOOLEAN res;
WCHAR NameWithPath[1024];
int TStrLen;
WCHAR *NamePos;
if(((PUCHAR)name)[1]!=0 && len>1){ //ASCII
FileName=SChar2WChar(name);
len*=2;
}
else { //Unicode
FileName=name;
}
TStrLen=GetFullPathName(FileName,1024,NameWithPath,&NamePos);
len=TStrLen*2+2; //add the terminating null character
// Try to catch malformed strings
if(len>2048){
if(((PUCHAR)name)[1]!=0 && len>1) free(FileName);
return FALSE;
}
res = DeviceIoControl(AdapterObject->hFile,pBIOCSETDUMPFILENAME,NameWithPath,len,NULL,0,&BytesReturned,NULL);
free(FileName);
return res;
}
/*!
\brief Set the dump mode limits.
\param AdapterObject Pointer to an _ADAPTER structure.
\param maxfilesize The maximum dimension of the dump file, in bytes. 0 means no limit.
\param maxnpacks The maximum number of packets contained in the dump file. 0 means no limit.
\return If the function succeeds, the return value is nonzero.
This function sets the limits after which the NPF driver stops to save the packets to file when an adapter
is in dump mode. This allows to limit the dump file to a precise number of bytes or packets, avoiding that
very long dumps fill the disk space. If both maxfilesize and maxnpacks are set, the dump is stopped when
the first of the two is reached.
\note When a limit is reached, the dump is stopped, but the file remains opened. In order to flush
correctly the data and access the file consistently, you need to close the adapter with PacketCloseAdapter().
*/
BOOLEAN PacketSetDumpLimits(LPADAPTER AdapterObject, UINT maxfilesize, UINT maxnpacks)
{
DWORD BytesReturned;
UINT valbuff[2];
valbuff[0] = maxfilesize;
valbuff[1] = maxnpacks;
return DeviceIoControl(AdapterObject->hFile,
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -