参考资料:

  http://www.tcpdump.org/

DESCRIPTION

The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a ``savefile'', and reading packets from a ``savefile''.

Getting Started: The format of a pcap application

The first thing to understand is the general layout of a pcap sniffer. The flow of code is as follows:

  1. We begin by determining which interface we want to sniff on. In Linux this may be something like eth0, in BSD it may be xl1, etc. We can either define this device in a string, or we can ask pcap to provide us with the name of an interface that will do the job.
  2. Initialize pcap. This is where we actually tell pcap what device we are sniffing on. We can, if we want to, sniff on multiple devices(如何同时探测多个设备?). How do we differentiate between them? Using file handles. Just like opening a file for reading or writing, we must name our sniffing "session" so we can tell it apart from other such sessions.
  3. In the event that we only want to sniff specific traffic (e.g.: only TCP/IP packets, only packets going to port 23, etc) we must create a rule set, "compile" it, and apply it. This is a three phase process, all of which is closely related. The rule set is kept in a string, and is converted into a format that pcap can read (hence compiling it.) The compilation is actually just done by calling a function within our program; it does not involve the use of an external application. Then we tell pcap to apply it to whichever session we wish for it to filter.
  4. Finally, we tell pcap to enter it's primary execution loop. In this state, pcap waits until it has received however many packets we want it to. Every time it gets a new packet in, it calls another function that we have already defined. The function that it calls can do anything we want; it can dissect the packet and print it to the user, it can save it in a file, or it can do nothing at all.
  5. After our sniffing needs are satisfied, we close our session and are complete.

This is actually a very simple process. Five steps total, one of which is optional (step 3, in case you were wondering.) Let's take a look at each of the steps and how to implement them.

翻译:

  1.确定要探测的dev;

    #include <stdio.h>
#include <pcap.h> int main(int argc, char *argv[])
{
char *dev = argv[]; printf("Device: %s\n", dev);
return();
}    //或者 #include <stdio.h>
#include <pcap.h> int main(int argc, char *argv[])
{
char *dev, errbuf[PCAP_ERRBUF_SIZE]; dev = pcap_lookupdev(errbuf);  //随便找一个默认的interface
if (dev == NULL) {
fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
return();
}
printf("Device: %s\n", dev);
return();
}

  2.初始化pcap;

     #include <pcap.h>
...
pcap_t *handle; handle = pcap_open_live(dev, BUFSIZ, , , errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
return();
}

  3.想要探测特定类型的报文,设置rule;

     #include <pcap.h>
#include <stdio.h> int main(int argc, char *argv[])
{
pcap_t *handle; /* Session handle */
char *dev; /* The device to sniff on */
char errbuf[PCAP_ERRBUF_SIZE]; /* Error string */
struct bpf_program fp; /* The compiled filter */
char filter_exp[] = "port 23"; /* The filter expression */
bpf_u_int32 mask; /* Our netmask */
bpf_u_int32 net; /* Our IP */
struct pcap_pkthdr header; /* The header that pcap gives us */
const u_char *packet; /* The actual packet */ /* Define the device */
dev = pcap_lookupdev(errbuf);
if (dev == NULL) {
fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
return();
}
/* Find the properties for the device */
if (pcap_lookupnet(dev, &net, &mask, errbuf) == -) {
fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev, errbuf);
net = ;
mask = ;
}
/* Open the session in promiscuous mode */
handle = pcap_open_live(dev, BUFSIZ, , , errbuf);
if (handle == NULL) {
fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
return();
}
/* Compile and apply the filter */
if (pcap_compile(handle, &fp, filter_exp, , net) == -) {
fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
return();
}
if (pcap_setfilter(handle, &fp) == -) {
fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
return();
}
/* Grab a packet */
packet = pcap_next(handle, &header);
/* Print its length */
printf("Jacked a packet with length of [%d]\n", header.len);
/* And close the session */
pcap_close(handle);
return();
}

  4.报文接收;

//抓取单个报文
u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) //抓取多个报文
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);  //回调函数

  报文解析:

/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN 6 /* Ethernet header */
struct sniff_ethernet {
u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
u_short ether_type; /* IP? ARP? RARP? etc */
}; /* IP header */
struct sniff_ip {
u_char ip_vhl; /* version << 4 | header length >> 2 */
u_char ip_tos; /* type of service */
u_short ip_len; /* total length */
u_short ip_id; /* identification */
u_short ip_off; /* fragment offset field */
#define IP_RF 0x8000 /* reserved fragment flag */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
u_char ip_ttl; /* time to live */
u_char ip_p; /* protocol */
u_short ip_sum; /* checksum */
struct in_addr ip_src,ip_dst; /* source and dest address */
};
#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip) (((ip)->ip_vhl) >> 4) /* TCP header */
typedef u_int tcp_seq; struct sniff_tcp {
u_short th_sport; /* source port */
u_short th_dport; /* destination port */
tcp_seq th_seq; /* sequence number */
tcp_seq th_ack; /* acknowledgement number */
u_char th_offx2; /* data offset, rsvd */
#define TH_OFF(th) (((th)->th_offx2 & 0xf0) >> 4)
u_char th_flags;
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
u_short th_win; /* window */
u_short th_sum; /* checksum */
u_short th_urp; /* urgent pointer */
};

  5.探测结束之后,关闭我们的session。

void pcap_close(pcap_t *p);

总结:

  上述描述了一个通过libpcap实现抓包的基本框架

libpcap 库使用(一)的更多相关文章

  1. 基于 libpcap库的sniffer程序

    基于 libpcap库的sniffer程序 Libpcap库是WireSharek和Tcpdump抓包程序的基础,利用libcap我们自己也可以实现自己的抓包程序,在网络上实时抓包分析,或者利用处理的 ...

  2. python3使用libpcap库进行抓包及数据处理

    python版本:python 3.9 libpcap版本:1.11.0b7 python libpcap库是底层绑定c语言libpcap库的开发包,旨在提供python应用可访问的unix c li ...

  3. libpcap 库使用(三)

    1.为了使收到的报文尽快给我们的处理程序,需要设置成immediate模式: int pcap_set_immediate_mode(pcap_t *p, int immediate_mode);

  4. libpcap 库使用(二)

    参考资料: http://www.tcpdump.org/manpages/pcap.3pcap.html 分类介绍了该lib的函数 Opening a capture handle for read ...

  5. 初识函数库libpcap

    由于工作上的需要,最近简单学习了抓包函数库libpcap,顺便记下笔记,方便以后查看 一.libpcap简介    libpcap(Packet Capture Library),即数据包捕获函数库, ...

  6. Linux链接库一(动态库,静态库,库放在什么路径下)

    http://www.cppblog.com/wolf/articles/74928.html http://www.cppblog.com/wolf/articles/77828.html http ...

  7. GCC 编译使用动态链接库和静态链接库

    1 库的分类 根据链接时期的不同,库又有静态库和动态库之分. 静态库是在链接阶段被链接的(好像是废话,但事实就是这样),所以生成的可执行文件就不受库的影响了,即使库被删除了,程序依然可以成功运行. 有 ...

  8. CentOS安装libpcap

    1.安装GCC:  yum -y install gcc-c++ 2.安装flex:   yum -y install flex   没有flex,直接安装libpcap会提示"Your o ...

  9. libpcap使用

    libpcap是一个网络数据包捕获函数库,功能非常强大,Linux下著名的tcpdump就是以它为基础的.今天我们利用它来完成一个我们自己的网络嗅探器(sniffer) 首先先介绍一下本次实验的环境: ...

随机推荐

  1. jms学习笔记

    https://www.cnblogs.com/zhuxiaojie/p/5564187.html //创建一个session //第一个参数:是否支持事务,如果为true,则会忽略第二个参数,被jm ...

  2. WINDOWS防火墙开启后Ping不通

    WINDOWS系统由于安全考虑,当开启防火墙时,默认不允许外主机对其进行ping功能,即别的电脑ping不通本机.别的主机ping不通本机是因为本机的防火墙关闭了ICMP回显功能,只要把这回显功能打开 ...

  3. javascript基础:函数参数与闭包问题

    今天在写东西的时候,对函数参数的概念有些模糊,查阅相关资料后,在博客上记点笔记,方便日后复习. 首先,在js中函数参数并没有强语言中那么要求严格,他不介意传递进来多少个参数,也不在乎传进来的参数是什么 ...

  4. rancher2 HA部署注意事项

    参考: https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install/ https://www.cnblogs.com ...

  5. pta7-20 畅通工程之局部最小花费问题(Kruskal算法)

    题目链接:https://pintia.cn/problem-sets/15/problems/897 题意:给出n个城镇,然后给出n×(n-1)/2条边,即每两个城镇之间的边,包含起始点,终点,修建 ...

  6. CentOS 下搭建SVN

    CentOS 7下搭建配置SVN服务器 1. 安装 CentOS通过yum安装subversion. $ sudo yum install subversion subversion安装在/bin目录 ...

  7. mycat配置实现mysql读写分离

    需要先把mysql的主从复制配置好,然后才可以开始mycat的配置 m ysql主从复制配置:https://www.cnblogs.com/renjianjun/p/9093062.html myc ...

  8. Monkey 命令收集相关 --追加Monkey自动化测试开源工具

    .1.环境配置 MONKEY测试使用的是ADB命令,因此只需要配置ADB环境即可. 2.测试准备与执行 在Monkey测试前,必须进行以下准备 Ø  手机屏幕超时设置为30分钟或者永不超时,防止手机进 ...

  9. NYOJ_矩形嵌套(DAG上的最长路 + 经典dp)

    本题大意:给定多个矩形的长和宽,让你判断最多能有几个矩形可以嵌套在一起,嵌套的条件为长和宽分别都小于另一个矩形的长和宽. 本题思路:其实这道题和之前做过的一道模版题数字三角形很相似,大体思路都一致,这 ...

  10. Python+Selenium学习--窗口切换及操作元素

    场景 有时候我们在测试一个web 应用时会出现多个浏览器窗口的情况,在selenium1.0 中这个问题比较难处理.webdriver 提供了相关相方法可以很轻松的在多个窗口之间切换并操作不同窗口上的 ...