📄 group__wpcap__tut7.html

📁 WinPcap V4.01 Technical Manual
📖 Page 1 of 3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
<title>WinPcap: Handling offline dump files</title>
<link href="style.css" rel="stylesheet" type="text/css">
<link href="tabs.css" rel="stylesheet" type="text/css"></head><body>
<!-- Generated by Doxygen 1.5.1 -->
<div class="tabs">
  <ul>
    <li><a href="main.html"><span>Main&nbsp;Page</span></a></li>
    <li><a href="modules.html"><span>Modules</span></a></li>
    <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
    <li><a href="files.html"><span>Files</span></a></li>
    <li><a href="pages.html"><span>Related&nbsp;Pages</span></a></li>
  </ul></div>
<h1>Handling offline dump files</h1>
<table border="0" cellpadding="0" cellspacing="0"><tr><td></td></tr></table>
In this lesson we are going to learn how to save captured packets to a file (dump to file). WinPcap offers a set of functions to write network traffic to a file and to read the content of dumps; this lesson shows how to use them. We'll also see how to use the kernel dump feature of WinPcap to obtain high-performance dumps (<b>NOTE:</b> at the moment, due to some problems with the new kernel buffer, this feature is disabled).<p>The format for dump files is the libpcap one. 
This format contains the data of the captured packets in binary form and is a standard used by many network tools including WinDump, Ethereal (now Wireshark) and Snort.<p><b>Saving packets to a dump file</b><p>First of all, let's see how to write packets in libpcap format.<p>The following example captures the packets from the selected interface and saves them to a file whose name is provided by the user.<p><div class="fragment"><pre class="fragment"><span class="preprocessor">#include &lt;stdio.h&gt;</span>
<span class="preprocessor">#include &lt;stdlib.h&gt;</span>
<span class="preprocessor">#include "pcap.h"</span>

<span class="comment">/* prototype of the packet handler */</span>
<span class="keywordtype">void</span> packet_handler(u_char *param, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html">pcap_pkthdr</a> *header, <span class="keyword">const</span> u_char *pkt_data);

<span class="keywordtype">int</span> main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)
{
    <a class="code" href="structpcap__if.html">pcap_if_t</a> *alldevs;
    <a class="code" href="structpcap__if.html">pcap_if_t</a> *d;
    <span class="keywordtype">int</span> inum;
    <span class="keywordtype">int</span> i=0;
    <a class="code" href="group__wpcap__def.html#g4711d025f83503ce692efa5e45ec60a7">pcap_t</a> *adhandle;
    <span class="keywordtype">char</span> errbuf[<a class="code" href="group__wpcap__def.html#gcd448353957d92c98fccc29e1fc8d927">PCAP_ERRBUF_SIZE</a>];
    <a class="code" href="group__wpcap__def.html#gb8c7858aa3a7e3158d9d58cb113a2ae8">pcap_dumper_t</a> *dumpfile;

    <span class="comment">/* Check command line */</span>
    <span class="keywordflow">if</span>(argc != 2)
    {
        printf(<span class="stringliteral">"usage: %s filename\n"</span>, argv[0]);
        <span class="keywordflow">return</span> -1;
    }

    <span class="comment">/* Retrieve the device list on the local machine */</span>
    <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#g98f36e62c95c6ad81eaa8b2bbeb8f16e">pcap_findalldevs_ex</a>(<a class="code" href="group__remote__source__string.html#g6d7103b8a7e1eca8c325bd8f32c361c3">PCAP_SRC_IF_STRING</a>, NULL, &amp;alldevs, errbuf) == -1)
    {
        fprintf(stderr,<span class="stringliteral">"Error in pcap_findalldevs: %s\n"</span>, errbuf);
        exit(1);
    }

    <span class="comment">/* Print the list */</span>
    <span class="keywordflow">for</span>(d=alldevs; d; d=d-&gt;<a class="code" href="structpcap__if.html#81508e6e4e41ca4235c8d6b51913c536">next</a>)
    {
        printf(<span class="stringliteral">"%d. %s"</span>, ++i, d-&gt;<a class="code" href="structpcap__if.html#5ac083a645d964373f022d03df4849c8">name</a>);
        <span class="keywordflow">if</span> (d-&gt;<a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559">description</a>)
            printf(<span class="stringliteral">" (%s)\n"</span>, d-&gt;<a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559">description</a>);
        <span class="keywordflow">else</span>
            printf(<span class="stringliteral">" (No description available)\n"</span>);
    }

    <span class="keywordflow">if</span>(i==0)
    {
        printf(<span class="stringliteral">"\nNo interfaces found! Make sure WinPcap is installed.\n"</span>);
        <span class="keywordflow">return</span> -1;
    }

    printf(<span class="stringliteral">"Enter the interface number (1-%d):"</span>,i);

    <span class="comment">/* Reject non-numeric input as well as an out-of-range number */</span>
    <span class="keywordflow">if</span>(scanf(<span class="stringliteral">"%d"</span>, &amp;inum) != 1 || inum &lt; 1 || inum &gt; i)
    {
        printf(<span class="stringliteral">"\nInterface number out of range.\n"</span>);
        <span class="comment">/* Free the device list */</span>
        <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1">pcap_freealldevs</a>(alldevs);
        <span class="keywordflow">return</span> -1;
    }

    <span class="comment">/* Jump to the selected adapter */</span>
    <span class="keywordflow">for</span>(d=alldevs, i=0; i&lt; inum-1 ;d=d-&gt;<a class="code" href="structpcap__if.html#81508e6e4e41ca4235c8d6b51913c536">next</a>, i++);

    <span class="comment">/* Open the device */</span>
    <span class="keywordflow">if</span> ( (adhandle= <a class="code" href="group__wpcapfunc.html#g2b64c7b6490090d1d37088794f1f1791">pcap_open</a>(d-&gt;<a class="code" href="structpcap__if.html#5ac083a645d964373f022d03df4849c8">name</a>,          <span class="comment">// name of the device</span>
                              65536,            <span class="comment">// portion of the packet to capture</span>
                                                <span class="comment">// 65536 guarantees that the whole packet will be captured on all the link layers</span>
                              <a class="code" href="group__remote__open__flags.html#g9134ce51a9a6a7d497c3dee5affdc3b9">PCAP_OPENFLAG_PROMISCUOUS</a>,    <span class="comment">// promiscuous mode</span>
                              1000,             <span class="comment">// read timeout</span>
                              NULL,             <span class="comment">// authentication on the remote machine</span>
                              errbuf            <span class="comment">// error buffer</span>
                              ) ) == NULL)
    {
        fprintf(stderr,<span class="stringliteral">"\nUnable to open the adapter. %s is not supported by WinPcap\n"</span>, d-&gt;<a class="code" href="structpcap__if.html#5ac083a645d964373f022d03df4849c8">name</a>);
        <span class="comment">/* Free the device list */</span>
        <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1">pcap_freealldevs</a>(alldevs);
        <span class="keywordflow">return</span> -1;
    }

    <span class="comment">/* Open the dump file */</span>
    dumpfile = <a class="code" href="group__wpcapfunc.html#g9506c33d580fdb5e5c288dba0f8a085c">pcap_dump_open</a>(adhandle, argv[1]);

    <span class="keywordflow">if</span>(dumpfile==NULL)
    {
        fprintf(stderr,<span class="stringliteral">"\nError opening output file: %s\n"</span>, pcap_geterr(adhandle));
        pcap_close(adhandle);
        <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1">pcap_freealldevs</a>(alldevs);
        <span class="keywordflow">return</span> -1;
    }

    <span class="comment">/* description may be NULL for some adapters; fall back to the name */</span>
    printf(<span class="stringliteral">"\nlistening on %s... Press Ctrl+C to stop...\n"</span>, d-&gt;<a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559">description</a> ? d-&gt;<a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559">description</a> : d-&gt;<a class="code" href="structpcap__if.html#5ac083a645d964373f022d03df4849c8">name</a>);

    <span class="comment">/* At this point, we no longer need the device list. Free it */</span>
    <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1">pcap_freealldevs</a>(alldevs);

    <span class="comment">/* start the capture */</span>
    <a class="code" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop</a>(adhandle, 0, packet_handler, (<span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> *)dumpfile);

    <span class="comment">/* Reached only if pcap_loop() returns (read error or pcap_breakloop()): flush the buffered records and close */</span>
    pcap_dump_close(dumpfile);
    pcap_close(adhandle);
    <span class="keywordflow">return</span> 0;
}

<span class="comment">/* Callback function invoked by libpcap for every incoming packet */</span>
<span class="keywordtype">void</span> packet_handler(u_char *dumpfile, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html">pcap_pkthdr</a> *header, <span class="keyword">const</span> u_char *pkt_data)
{
    <span class="comment">/* save the packet on the dump file; the dumper handle arrives in the user parameter */</span>
    <a class="code" href="group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437">pcap_dump</a>(dumpfile, header, pkt_data);
}
</pre></div><p>As you can see, the structure of the program is very similar to the ones we have seen in the previous lessons. The differences are:<ul><li>a call to <a class="el" href="group__wpcapfunc.html#g9506c33d580fdb5e5c288dba0f8a085c">pcap_dump_open()</a> is issued once the interface is opened. This call creates the dump file and associates it with the adapter handle: the handle supplies the link-layer type and the snapshot length that are written into the file's global header.</li><li>the packets are written to this file with a <a class="el" href="group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437">pcap_dump()</a> call from the packet_handler() callback. The parameters of <a class="el" href="group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437">pcap_dump()</a> are in 1-1 correspondence with the parameters of a <a class="el" href="group__wpcapfunc.html#gc429cf4f27205111259ff7b02a82eeab">pcap_handler()</a>, so the dumper handle is simply passed to <a class="el" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop()</a> as the user parameter and forwarded unchanged.</li><li><a class="el" href="group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437">pcap_dump()</a> writes through a buffered stream. pcap_dump_close() flushes and closes it; a program that is simply killed with Ctrl+C may lose the packets still sitting in that buffer.</li></ul><p><b>Reading packets from a dump file</b><p>Now that we have a dump file available, we can try to read its content. 
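<p>Before looking at the reader, it helps to see what <a class="el" href="group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437">pcap_dump()</a> actually puts on disk and what <a class="el" href="group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69">pcap_open_offline()</a> has to trust when it reads the file back. The C program below is an added example and is not part of the WinPcap tutorial or library: it writes the libpcap file format (a 24-byte global header followed by a 16-byte header plus data for each packet) into a memory buffer without using pcap.h, then parses the buffer back with explicit bounds checks. The ARP frame, the timestamps, the snaplen of 32 and every function name in it (pcap_write_global, pcap_write_record, pcap_parse, build_sample_dump, parse_tampered_sample) are constructed for the example.

```c
/* pcapfmt.c: minimal writer and checked reader for the libpcap dump format. Added example,
 * not WinPcap code: it needs no pcap.h and does in memory what pcap_dump() and
 * pcap_open_offline() do on disk. Build: cc -std=c99 -Wall pcapfmt.c */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC      0xa1b2c3d4u /* microsecond-timestamp magic, in the writer's byte order */
#define PCAP_MAGIC_SWAP 0xd4c3b2a1u /* the same magic seen from the other byte order           */
#define DLT_EN10MB      1           /* link-layer type: Ethernet                               */
#define GLOBAL_HDR_LEN  24
#define RECORD_HDR_LEN  16

/* Fields are written little-endian; the reader decides from the magic whether to byte-swap. */
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }
static uint32_t get32(const uint8_t *p, int swap) {
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return swap ? (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24) : v;
}

/* Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes). */
size_t pcap_write_global(uint8_t *out, size_t cap, uint32_t snaplen, uint32_t linktype) {
    if (cap < GLOBAL_HDR_LEN) return 0;
    put32(out, PCAP_MAGIC);
    put16(out + 4, 2); put16(out + 6, 4);             /* version_major, version_minor */
    put32(out + 8, 0); put32(out + 12, 0);            /* thiszone, sigfigs: always 0  */
    put32(out + 16, snaplen); put32(out + 20, linktype);
    return GLOBAL_HDR_LEN;
}

/* One record, as pcap_dump() writes it: ts_sec, ts_usec, incl_len, orig_len, then incl_len
 * bytes. Data beyond the snaplen is dropped, but orig_len keeps the length seen on the wire. */
size_t pcap_write_record(uint8_t *out, size_t cap, uint32_t snaplen, uint32_t ts_sec,
                         uint32_t ts_usec, const uint8_t *pkt, uint32_t orig_len) {
    uint32_t incl = orig_len < snaplen ? orig_len : snaplen;
    if (cap < RECORD_HDR_LEN + (size_t)incl) return 0;
    put32(out, ts_sec); put32(out + 4, ts_usec); put32(out + 8, incl); put32(out + 12, orig_len);
    memcpy(out + RECORD_HDR_LEN, pkt, incl);
    return RECORD_HDR_LEN + incl;
}

typedef void (*record_cb)(void *ctx, uint32_t ts_sec, uint32_t ts_usec,
                          uint32_t incl_len, uint32_t orig_len, const uint8_t *data);

/* Walk a dump held in memory. Returns the record count, or -1 if the file is malformed. Each
 * incl_len is bounded by the snaplen and by the bytes actually present before the callback
 * sees the data, so a crafted dump cannot push the reader past the end of the buffer.
 * Nanosecond-magic (0xa1b23c4d) and pcapng files are rejected rather than misread. */
int pcap_parse(const uint8_t *buf, size_t len, record_cb cb, void *ctx) {
    if (len < GLOBAL_HDR_LEN) return -1;
    uint32_t magic = get32(buf, 0);
    int swap = magic == PCAP_MAGIC_SWAP;
    if (magic != PCAP_MAGIC && !swap) return -1;
    uint32_t snaplen = get32(buf + 16, swap);
    size_t off = GLOBAL_HDR_LEN; int n = 0;
    while (off < len) {
        if (len - off < RECORD_HDR_LEN) return -1;                /* truncated record header  */
        uint32_t ts_sec = get32(buf + off, swap), ts_usec = get32(buf + off + 4, swap);
        uint32_t incl = get32(buf + off + 8, swap), orig = get32(buf + off + 12, swap);
        if (incl > snaplen || incl > orig) return -1;             /* lengths contradict header */
        if (incl > len - off - RECORD_HDR_LEN) return -1;         /* body runs past the buffer */
        if (cb) cb(ctx, ts_sec, ts_usec, incl, orig, buf + off + RECORD_HDR_LEN);
        off += RECORD_HDR_LEN + incl;
        n++;
    }
    return n;
}

/* Constructed sample frame, not a real capture: a 42-byte Ethernet/ARP request. */
static const uint8_t ARP_REQ[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55,
    0xc0,0xa8,0x01,0x0a, 0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01 };

struct summary { int records; uint32_t stored, on_wire; };
void count_cb(void *ctx, uint32_t s, uint32_t us, uint32_t incl, uint32_t orig, const uint8_t *d) {
    struct summary *sm = ctx; (void)s; (void)us; (void)d;
    sm->records++; sm->stored += incl; sm->on_wire += orig;
}

/* Two records with snaplen 32: the ARP frame is cut to 32 bytes, a 20-byte runt fits whole. */
size_t build_sample_dump(uint8_t *out, size_t cap) {
    size_t n = pcap_write_global(out, cap, 32, DLT_EN10MB);
    n += pcap_write_record(out + n, cap - n, 32, 1700000000u, 1000u, ARP_REQ, sizeof ARP_REQ);
    n += pcap_write_record(out + n, cap - n, 32, 1700000000u, 2500u, ARP_REQ, 20);
    return n;                                                    /* 24 + 48 + 36 = 108 bytes */
}

/* Corrupt the first incl_len: a reader that trusted it would walk 2 GB past a 108-byte file. */
int parse_tampered_sample(void) {
    uint8_t dump[256];
    size_t len = build_sample_dump(dump, sizeof dump);
    put32(dump + GLOBAL_HDR_LEN + 8, 0x7fffffffu);
    return pcap_parse(dump, len, NULL, NULL);
}

int main(void) {
    uint8_t dump[256];
    struct summary sm = { 0, 0, 0 };
    size_t len = build_sample_dump(dump, sizeof dump);
    int n = pcap_parse(dump, len, count_cb, &sm);
    printf("%d records, %u bytes stored of %u on the wire\n", n, sm.stored, sm.on_wire);
    printf("tampered incl_len: pcap_parse returns %d\n", parse_tampered_sample());
    return 0;
}
```

On the constructed sample the program reports 2 records, 52 bytes stored of 62 on the wire, and -1 once the first incl_len has been corrupted. A real program would read the file with pcap_open_offline() instead, but the two invariants enforced here (incl_len never larger than the snaplen, never larger than the bytes remaining) are exactly what a dump received from another machine can violate, so treat capture files as untrusted input.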
The next program opens a WinPcap/libpcap dump file and prints every packet it contains. The file is opened with <a class="el" href="group__wpcapfunc.html#g91078168a13de8848df2b7b83d1f5b69">pcap_open_offline()</a>, then the usual <a class="el" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de">pcap_loop()</a> is used to step through the packets. As you can see, reading packets from an offline capture is nearly identical to receiving them from a physical interface; the only difference is that the packet headers and lengths now come from the file rather than from the driver, so a dump obtained from another machine should be treated as untrusted input.<p>This example introduces another function: pcap_createsrcstr(). This function builds a source string that begins with a marker telling WinPcap the type of the source, e.g. "rpcap://" if we are going to open an adapter, or "file://" if we are going to open a file. This step is not required when <a class="el" href="group__wpcapfunc.html#g98f36e62c95c6ad81eaa8b2bbeb8f16e">pcap_findalldevs_ex()</a> is used (the returned names already contain these markers). However, it is required in this example because the name of the file is read from the user input.<p><div class="fragment"><pre class="fragment"><span class="preprocessor">#include &lt;stdio.h&gt;</span>
<span class="preprocessor">#include &lt;pcap.h&gt;</span>

<span class="preprocessor">#define LINE_LEN 16</span>
<span class="preprocessor"></span>
<span class="keywordtype">void</span> dispatcher_handler(u_char *, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html">pcap_pkthdr</a> *, <span class="keyword">const</span> u_char *);

<span class="keywordtype">int</span> main(<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)
{
