} <span class="comment">/* Jump to the selected adapter */</span> <span class="keywordflow">for</span>(d=alldevs, i=0; i< inum-1 ;d=d-><a class="code" href="structpcap__if.html#81508e6e4e41ca4235c8d6b51913c536" title="if not NULL, a pointer to the next element in the list; NULL for the last element...">next</a>, i++); <span class="comment">/* Open the adapter */</span> <span class="keywordflow">if</span> ( (adhandle= <a class="code" href="group__wpcapfunc.html#g2b64c7b6490090d1d37088794f1f1791" title="Open a generic source in order to capture / send (WinPcap only) traffic.">pcap_open</a>(d-><a class="code" href="structpcap__if.html#5ac083a645d964373f022d03df4849c8" title="a pointer to a string giving a name for the device to pass to pcap_open_live()">name</a>, <span class="comment">// name of the device</span> 65536, <span class="comment">// portion of the packet to capture. </span> <span class="comment">// 65536 grants that the whole packet will be captured on all the MACs.</span> <a class="code" href="group__remote__open__flags.html#g9134ce51a9a6a7d497c3dee5affdc3b9" title="Defines if the adapter has to go in promiscuous mode.">PCAP_OPENFLAG_PROMISCUOUS</a>, <span class="comment">// promiscuous mode</span> 1000, <span class="comment">// read timeout</span> NULL, <span class="comment">// remote authentication</span> errbuf <span class="comment">// error buffer</span> ) ) == NULL) { fprintf(stderr,<span class="stringliteral">"\nUnable to open the adapter. %s is not supported by WinPcap\n"</span>); <span class="comment">/* Free the device list */</span> <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1" title="Free an interface list returned by pcap_findalldevs().">pcap_freealldevs</a>(alldevs); <span class="keywordflow">return</span> -1; } <span class="comment">/* Check the link layer. We support only Ethernet for simplicity. 
*/</span> <span class="keywordflow">if</span>(<a class="code" href="group__wpcapfunc.html#g64c019f851f7da6892d51cca15f12ace" title="Return the link layer of an adapter.">pcap_datalink</a>(adhandle) != DLT_EN10MB) { fprintf(stderr,<span class="stringliteral">"\nThis program works only on Ethernet networks.\n"</span>); <span class="comment">/* Free the device list */</span> <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1" title="Free an interface list returned by pcap_findalldevs().">pcap_freealldevs</a>(alldevs); <span class="keywordflow">return</span> -1; } <span class="keywordflow">if</span>(d-><a class="code" href="structpcap__if.html#3910004677550db6d9b09792ba3e2cca" title="a pointer to the first element of a list of addresses for the interface">addresses</a> != NULL) <span class="comment">/* Retrieve the mask of the first address of the interface */</span> netmask=((<span class="keyword">struct </span>sockaddr_in *)(d-><a class="code" href="structpcap__if.html#3910004677550db6d9b09792ba3e2cca" title="a pointer to the first element of a list of addresses for the interface">addresses</a>-><a class="code" href="structpcap__addr.html#c43963e42e4d901e55e433ab9c3ea686" title="if not NULL, a pointer to a struct sockaddr that contains the netmask corresponding...">netmask</a>))->sin_addr.S_un.S_addr; <span class="keywordflow">else</span> <span class="comment">/* If the interface is without addresses we suppose to be in a C class network */</span> netmask=0xffffff; <span class="comment">//compile the filter</span> if (<a class="code" href="group__wpcapfunc.html#g363bdc6f6b39b4979ddcf15ecb830c5c" title="Compile a packet filter, converting an high level filtering expression (see Filtering...">pcap_compile</a>(adhandle, &fcode, packet_filter, 1, netmask) <0 ) { fprintf(stderr,<span class="stringliteral">"\nUnable to compile the packet filter. 
Check the syntax.\n"</span>); <span class="comment">/* Free the device list */</span> <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1" title="Free an interface list returned by pcap_findalldevs().">pcap_freealldevs</a>(alldevs); <span class="keywordflow">return</span> -1; } <span class="comment">//set the filter</span> <span class="keywordflow">if</span> (<a class="code" href="group__wpcapfunc.html#gf5f9cfe85dad0967ff607e5159b1ba61" title="Associate a filter to a capture.">pcap_setfilter</a>(adhandle, &fcode)<0) { fprintf(stderr,<span class="stringliteral">"\nError setting the filter.\n"</span>); <span class="comment">/* Free the device list */</span> <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1" title="Free an interface list returned by pcap_findalldevs().">pcap_freealldevs</a>(alldevs); <span class="keywordflow">return</span> -1; } printf(<span class="stringliteral">"\nlistening on %s...\n"</span>, d-><a class="code" href="structpcap__if.html#8444d6e0dfe2bbab0b5e7b24308f1559" title="if not NULL, a pointer to a string giving a human-readable description of the device...">description</a>); <span class="comment">/* At this point, we don't need any more the device list. 
Free it */</span> <a class="code" href="group__wpcapfunc.html#g346b4b0b7fd1cda4abb9a39f767dbeb1" title="Free an interface list returned by pcap_findalldevs().">pcap_freealldevs</a>(alldevs); <span class="comment">/* start the capture */</span> <a class="code" href="group__wpcapfunc.html#g6bcb7c5c59d76ec16b8a699da136b5de" title="Collect a group of packets.">pcap_loop</a>(adhandle, 0, packet_handler, NULL); <span class="keywordflow">return</span> 0;}<span class="comment">/* Callback function invoked by libpcap for every incoming packet */</span><span class="keywordtype">void</span> packet_handler(u_char *param, <span class="keyword">const</span> <span class="keyword">struct</span> <a class="code" href="structpcap__pkthdr.html" title="Header of a packet in the dump file.">pcap_pkthdr</a> *header, <span class="keyword">const</span> u_char *pkt_data){ <span class="keyword">struct </span>tm ltime; <span class="keywordtype">char</span> timestr[16]; ip_header *ih; udp_header *uh; u_int ip_len; u_short sport,dport; time_t local_tv_sec; <span class="comment">/*</span><span class="comment"> * Unused variable</span><span class="comment"> */</span> (VOID)(param); <span class="comment">/* convert the timestamp to readable format */</span> local_tv_sec = header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8" title="time stamp">ts</a>.tv_sec; localtime_s(&ltime, &local_tv_sec); strftime( timestr, <span class="keyword">sizeof</span> timestr, <span class="stringliteral">"%H:%M:%S"</span>, &ltime); <span class="comment">/* print timestamp and length of the packet */</span> printf(<span class="stringliteral">"%s.%.6d len:%d "</span>, timestr, header-><a class="code" href="structpcap__pkthdr.html#21be78b2818c91cb205885b8a6f5aed8" title="time stamp">ts</a>.tv_usec, header-><a class="code" href="structpcap__pkthdr.html#728f264db4f5cc304742565a2bcdbeea" title="length this packet (off wire)">len</a>); <span class="comment">/* retireve the position of the ip 
header */</span> ih = (ip_header *) (pkt_data + 14); <span class="comment">//length of ethernet header</span> <span class="comment">/* retireve the position of the udp header */</span> ip_len = (ih->ver_ihl & 0xf) * 4; uh = (udp_header *) ((u_char*)ih + ip_len); <span class="comment">/* convert from network byte order to host byte order */</span> sport = ntohs( uh->sport ); dport = ntohs( uh->dport ); <span class="comment">/* print ip addresses and udp ports */</span> printf(<span class="stringliteral">"%d.%d.%d.%d.%d -> %d.%d.%d.%d.%d\n"</span>, ih->saddr.byte1, ih->saddr.byte2, ih->saddr.byte3, ih->saddr.byte4, sport, ih->daddr.byte1, ih->daddr.byte2, ih->daddr.byte3, ih->daddr.byte4, dport);}</pre></div><p>First of all, we set the filter to "ip and udp". In this way we are sure that packet_handler() will receive only UDP packets over IPv4: this simplifies the parsing and increases the efficiency of the program. Note, however, that the filter only matches on the Ethernet type and the IP protocol field; it does not check that the IP header length is sane or that the whole UDP header was actually captured, so the parsing code must not treat every delivered packet as well-formed.<p>We have also created a couple of structs that describe the IP and UDP headers. These structs are used by packet_handler() to properly locate the various header fields.<p>packet_handler(), although limited to a single protocol dissector (UDP over IPv4), shows how complex "sniffers" like tcpdump/WinDump decode the network traffic. Since we aren't interested in the MAC header, we skip it. For simplicity and before starting the capture, we check the MAC layer with <a class="el" href="group__wpcapfunc.html#g64c019f851f7da6892d51cca15f12ace" title="Return the link layer of an adapter.">pcap_datalink()</a> to make sure that we are dealing with an Ethernet network. This way we can be sure that the MAC header is exactly 14 bytes. (Note also that the error message printed when pcap_open() fails contains a %s conversion but no matching argument; the call should pass <code>d->name</code>, because a format string with a missing argument is undefined behavior and will print whatever happens to be on the stack.)<p>The IP header is located just after the MAC header. We will extract the IP source and destination addresses from the IP header.<p>Reaching the UDP header is a bit more complicated, because the IP header doesn't have a fixed length. Therefore, we use the IP header's length field (IHL) to know its size. This value comes straight from the wire and the example does not validate it: a robust dissector should check, before dereferencing <code>ih</code> and <code>uh</code>, that <code>header->caplen</code> is at least <code>14 + 20</code>, that <code>ip_len</code> is at least 20, and that <code>14 + ip_len + sizeof(udp_header)</code> does not exceed <code>header->caplen</code>; otherwise a truncated or deliberately crafted packet makes the handler read past the end of the captured buffer. 
Once we know the location of the UDP header, we extract the source and destination ports.<p>The extracted values are printed on the screen, and the result is something like:<p><code> 1. \Device\Packet_{A7FD048A-5D4B-478E-B3C1-34401AC3B72F} (Xircom t 10/100 Adapter) <br> Enter the interface number (1-2):1<br></code><p><code>listening on Xircom CardBus Ethernet 10/100 Adapter... <br> 16:13:15.312784 len:87 130.192.31.67.2682 -> 130.192.3.21.53 <br> 16:13:15.314796 len:137 130.192.3.21.53 -> 130.192.31.67.2682 <br> 16:13:15.322101 len:78 130.192.31.67.2683 -> 130.192.3.21.53 <br> </code><p>Each of the final 3 lines represents a different packet.<p><a class="el" href="group__wpcap__tut5.html"><<< Previous</a> <a class="el" href="group__wpcap__tut7.html">Next >>></a> </div><hr><p align="right"><img border="0" src="winpcap_small.gif" align="absbottom" width="91" height="27">documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2008 CACE Technologies. All rights reserved.</p>