📄 group__wpcap__tut9.html
字号:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1"><title>WinPcap: Gathering Statistics on the network traffic</title><link href="style.css" rel="stylesheet" type="text/css"><link href="tabs.css" rel="stylesheet" type="text/css"></head><body><!-- Generated by Doxygen 1.5.1 --><div class="tabs"> <ul> <li><a href="main.html"><span>Main Page</span></a></li> <li><a href="modules.html"><span>Modules</span></a></li> <li><a href="annotated.html"><span>Data Structures</span></a></li> <li><a href="files.html"><span>Files</span></a></li> <li><a href="pages.html"><span>Related Pages</span></a></li> </ul></div><h1>Gathering Statistics on the network traffic</h1><table border="0" cellpadding="0" cellspacing="0"><tr><td></td></tr></table>This lesson shows another advanced feature of WinPcap: the ability to collect statistics about network traffic. The statistical engine makes use of the kernel-level packet filter to efficiently classify the incoming packet. You can take a look at the <a class="el" href="group__NPF.html">NPF driver internals manual</a> if you want to know more details.<p>In order to use this feature, the programmer must open an adapter and put it in <em>statistical</em> <em>mode</em>. This can be done with <a class="el" href="group__wpcapfunc.html#gef07ef49d3c75644f3fd34518e2fe720">pcap_setmode()</a>. In particular, MODE_STAT must be used as the <em>mode</em> argument of this function.<p>With statistical mode, making an application that monitors the TCP traffic load is a matter of few lines of code. The following sample shows how to do it.<p><div class="fragment"><pre class="fragment"><span class="comment">/*</span><span class="comment"> * Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy)</span><span class="comment"> * Copyright (c) 2005 - 2006 CACE Technologies, Davis (California)</span><span class="comment"> * All rights reserved.</span><span class="comment"> *</span><span class="comment"> * Redistribution and use in source and binary forms, with or without</span><span class="comment"> * modification, are permitted provided that the following conditions</span><span class="comment"> * are met:</span><span class="comment"> *</span><span class="comment"> * 1. Redistributions of source code must retain the above copyright</span><span class="comment"> * notice, this list of conditions and the following disclaimer.</span><span class="comment"> * 2. Redistributions in binary form must reproduce the above copyright</span><span class="comment"> * notice, this list of conditions and the following disclaimer in the</span><span class="comment"> * documentation and/or other materials provided with the distribution.</span><span class="comment"> * 3. Neither the name of the Politecnico di Torino, CACE Technologies </span><span class="comment"> * nor the names of its contributors may be used to endorse or promote </span><span class="comment"> * products derived from this software without specific prior written </span><span class="comment"> * permission.</span><span class="comment"> *</span><span class="comment"> * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS</span><span class="comment"> * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT</span><span class="comment"> * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR</span><span class="comment"> * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT</span><span class="comment"> * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,</span><span class="comment"> * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT</span><span class="comment"> * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,</span><span class="comment"> * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY</span><span class="comment"> * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT</span><span class="comment"> * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE</span><span class="comment"> * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</span><span class="comment"> *</span><span class="comment"> */</span><span class="preprocessor">#include <stdlib.h></span><span class="preprocessor">#include <stdio.h></span><span class="preprocessor">#include <pcap.h></span><span class="keywordtype">void</span> usage();<span class="keywordtype">void</span> dispatcher_handler(u_char *, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html">pcap_pkthdr</a> *, <span class="keyword">const</span> u_char *);<span class="keywordtype">void</span> main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv){<a class="code" href="group__wpcap__def.html#g4711d025f83503ce692efa5e45ec60a7">pcap_t</a> *fp;<span class="keywordtype">char</span> errbuf[<a class="code" href="group__wpcap__def.html#gcd448353957d92c98fccc29e1fc8d927">PCAP_ERRBUF_SIZE</a>];<span class="keyword">struct </span>timeval st_ts;u_int netmask;<span class="keyword">struct </span>bpf_program fcode; <span class="comment">/* Check the validity of the command line */</span> <span class="keywordflow">if</span> (argc != 2) { usage(); <span class="keywordflow">return</span>; } <span class="comment">/* Open the output adapter */</span> <span class="keywordflow">if</span> ( (fp= <a class="code" href="group__wpcapfunc.html#g2b64c7b6490090d1d37088794f1f1791">pcap_open</a>(argv[1], 100, <a class="code" href="group__remote__open__flags.html#g9134ce51a9a6a7d497c3dee5affdc3b9">PCAP_OPENFLAG_PROMISCUOUS</a>, 1000, NULL, errbuf) ) == NULL) { fprintf(stderr,<span class="stringliteral">"\nUnable to open adapter %s.\n"</span>, errbuf); <span class="keywordflow">return</span>; } <span class="comment">/* Don't care about netmask, it won't be used for this filter */</span> netmask=0xffffff; <span class="comment">//compile the filter</span> <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c">pcap_compile</a>(fp, &fcode, <span class="stringliteral">"tcp"</span>, 1, netmask) <0 ) { fprintf(stderr,<span class="stringliteral">"\nUnable to compile the packet filter. Check the syntax.\n"</span>); <span class="comment">/* Free the device list */</span> <span class="keywordflow">return</span>; } <span class="comment">//set the filter</span> <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#gf5f9cfe85dad0967ff607e5159b1ba61">pcap_setfilter</a>(fp, &fcode)<0) { fprintf(stderr,<span class="stringliteral">"\nError setting the filter.\n"</span>); <a class="code" href="group__wpcapfunc.html#ga45a5e1a4ba9925bb3586dcbeec78560">pcap_close</a>(fp); <span class="comment">/* Free the device list */</span> <span class="keywordflow">return</span>; } <span class="comment">/* Put the interface in statstics mode */</span> <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#gef07ef49d3c75644f3fd34518e2fe720">pcap_setmode</a>(fp, <a class="code" href="group__NPF__include.html#g503326906a62e96c147ae6af31fb5659">MODE_STAT</a>)<0) { fprintf(stderr,<span class="stringliteral">"\nError setting the mode.\n"</span>); <a class="code" href="group__wpcapfunc.html#ga45a5e1a4ba9925bb3586dcbeec78560">pcap_close</a>(fp); <span class="comment">/* Free the device list */</span> <span class="keywordflow">return</span>; } printf(<span class="stringliteral">"TCP traffic summary:\n"</span>); <span class="comment">/* Start the main loop */</span> <a class="code" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop</a>(fp, 0, dispatcher_handler, (PUCHAR)&st_ts); <a class="code" href="group__wpcapfunc.html#ga45a5e1a4ba9925bb3586dcbeec78560">pcap_close</a>(fp); <span class="keywordflow">return</span>;}<span class="keywordtype">void</span> dispatcher_handler(u_char *state, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html">pcap_pkthdr</a> *header, <span class="keyword">const</span> u_char *pkt_data){ <span class="keyword">struct </span>timeval *old_ts = (<span class="keyword">struct </span>timeval *)state; u_int delay; LARGE_INTEGER Bps,Pps; <span class="keyword">struct </span>tm *ltime; <span class="keywordtype">char</span> timestr[16]; time_t local_tv_sec; <span class="comment">/* Calculate the delay in microseconds from the last sample. */</span> <span class="comment">/* This value is obtained from the timestamp that the associated with the sample. */</span> delay=(header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8">ts</a>.tv_sec - old_ts->tv_sec) * 1000000 - old_ts->tv_usec + header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8">ts</a>.tv_usec; <span class="comment">/* Get the number of Bits per second */</span> Bps.QuadPart=(((*(LONGLONG*)(pkt_data + 8)) * 8 * 1000000) / (delay)); <span class="comment">/* ^ ^</span><span class="comment"> | |</span><span class="comment"> | | </span><span class="comment"> | |</span><span class="comment"> converts bytes in bits -- |</span><span class="comment"> |</span><span class="comment"> delay is expressed in microseconds --</span><span class="comment"> */</span> <span class="comment">/* Get the number of Packets per second */</span> Pps.QuadPart=(((*(LONGLONG*)(pkt_data)) * 1000000) / (delay)); <span class="comment">/* Convert the timestamp to readable format */</span> local_tv_sec = header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8">ts</a>.tv_sec; ltime=localtime(&local_tv_sec); strftime( timestr, <span class="keyword">sizeof</span> timestr, <span class="stringliteral">"%H:%M:%S"</span>, ltime); <span class="comment">/* Print timestamp*/</span> printf(<span class="stringliteral">"%s "</span>, timestr); <span class="comment">/* Print the samples */</span> printf(<span class="stringliteral">"BPS=%I64u "</span>, Bps.QuadPart); printf(<span class="stringliteral">"PPS=%I64u\n"</span>, Pps.QuadPart); <span class="comment">//store current timestamp</span> old_ts->tv_sec=header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8">ts</a>.tv_sec; old_ts->tv_usec=header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8">ts</a>.tv_usec;}<span class="keywordtype">void</span> usage(){ printf(<span class="stringliteral">"\nShows the TCP traffic load, in bits per second and packets per second.\nCopyright (C) 2002 Loris Degioanni.\n"</span>); printf(<span class="stringliteral">"\nUsage:\n"</span>); printf(<span class="stringliteral">"\t tcptop adapter\n"</span>); printf(<span class="stringliteral">"\t You can use \"WinDump -D\" if you don't know the name of your adapters.\n"</span>); exit(0);}</pre></div><p>Before enabling statistical mode, the user has the option to set a filter that defines the subset of network traffic that will be monitored. See the paragraph on the <a class="el" href="group__language.html">Filtering expression syntax</a> for details. If no filter has been set, all of the traffic will be monitored.<p>Once<p><ul><li>the filter is set</li><li><a class="el" href="group__wpcapfunc.html#gef07ef49d3c75644f3fd34518e2fe720">pcap_setmode()</a> is called</li><li>callback invocation is enabled with <a class="el" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop()</a></li></ul><p>the interface descriptor starts to work in statistical mode. Notice the fourth parameter (<em>to_ms</em>) of <a class="el" href="group__wpcapfunc.html#g2b64c7b6490090d1d37088794f1f1791">pcap_open()</a>: it defines the interval among the statistical samples. The callback function receives the samples calculated by the driver every <em>to_ms</em> milliseconds. These samples are encapsulated in the second and third parameters of the callback function, as shown in the following figure:<p><div align="center"><img src="stats_wpcap.gif" alt="stats_wpcap.gif"></div><p>Two 64-bit counters are provided: the number of packets and the amount of bytes received during the last interval.<p>In the example, the adapter is opened with a timeout of 1000 ms. This means that dispatcher_handler() is called once per second. At this point a filter that keeps only tcp packets is compiled and set. Then <a class="el" href="group__wpcapfunc.html#gef07ef49d3c75644f3fd34518e2fe720">pcap_setmode()</a> and <a class="el" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop()</a> are called. Note that a struct timeval pointer is passed to <a class="el" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop()</a> as the <em>user</em> parameter. This structure will be used to store a timestamp in order to calculate the interval between two samples. dispatcher_handler()uses this interval to obtain the bits per second and the packets per second and then prints these values on the screen.<p>Note finally that this example is by far more efficient than a program that captures the packets in the traditional way and calculates statistics at user-level. Statistical mode requires the minumum amount of data copies and context switches and therefore the CPU is optimized. Moreover, a very small amount of memory is required.<p><a class="el" href="group__wpcap__tut8.html"><<< Previous</a> <hr><p align="right"><img border="0" src="winpcap_small.gif" align="absbottom" width="91" height="27">documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2007 CACE Technologies. All rights reserved.</p>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -