下蝲Q?div>http://www.easyice.cn/5imx2s/download.htm
]]>
q节的例子很象先前的一章(获得|卡的高U信息)(j)但是q一节中是用pcap_next_ex()来代替pcap_loop()来捕h据包。基于回调包捕获机制
的pcap_loop()在某些情况下是不错的选择。但是在一些情况下处理回调q不特别好:(x)q会(x)使程序变的复杂ƈ且在象多U程或C++c这些情况下
它看h到象一块绊脚石?/p>
在这些情况下pcap_next_ex()允许直接调用来接收包Q它的参数和pcap_loop()相同Q有一个网卡描q副Q和两个指针Q这两个指针?x)被初始?/p>
q返回给用户Q一个是pcap_pkthdrl构Q另一个是接收数据的缓冲区。下面的E序我门@环调用前一节的例子中的回掉部分Q只是把它移?/p>
了main里面了?/p>
E序代码Q?[ 复制代码到剪贴板 ]
#include "pcap.h"
main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
pcap_t *adhandle;
int res;
char errbuf[PCAP_ERRBUF_SIZE];
struct tm *ltime;
char timestr[16];
struct pcap_pkthdr *header;
u_char *pkt_data;
/* Retrieve the device list */
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* Print the list */
for(d=alldevs; d; d=d->next)
{
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
scanf("%d", &inum);
if(inum < 1 || inum > i)
{
printf("\nInterface number out of range.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* Jump to the selected adapter */
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
/* Open the adapter */
if ( (adhandle= pcap_open_live(d->name, // name of the device
65536, // portion of the packet to capture.
// 65536 grants that the whole packet will be captured on all the MACs.
1, // promiscuous mode
1000, // read timeout
errbuf // error buffer
) ) == NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
printf("\nlistening on %s...\n", d->description);
/* At this point, we don‘t need any more the device list. Free it */
pcap_freealldevs(alldevs);
/* 此处循环调用 pcap_next_ex来接受数据报*/
while((res = pcap_next_ex( adhandle, &header, &pkt_data)) >= 0){
if(res == 0)
/* Timeout elapsed */
continue;
/* convert the timestamp to readable format */
ltime=localtime(&header->ts.tv_sec);
strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);
}
if(res == -1){
printf("Error reading the packets: %s\n", pcap_geterr(adhandle));
return -1;
}
return 0;
}
注:(x)pcap_next_ex()只在Win32环境下才行因为它不是原始libpcap API中的一部分Q这意味着依赖于这个函数的代码不会(x)在UNIX下工作。那
么ؓ(f)什么我们用pcap_next_ex()而不用pcap_next()Q因为pcap_next()有许多限制在很多情况下ƈ不鼓q它。首先它的效率很低因为它隐藏
了回掉方法ƈ且还依赖于pcap_dispatch()q个函数。再ơ它不能够识别文件结束标志EOF所以对来自文g的数据流它几乎无能ؓ(f)力?br>注意当pcap_next_ex()在成功,时Q出错和文gl束的情况下?x)返回不同的?br>
五)(j)数据的qo(h)
WinPcap或libpca最强大的特点之一是数据的qo(h)引擎。它提供一U高效的Ҏ(gu)来只捕获|络数据的某些数据而且常常和系l的捕获机制
盔R成。过滤数据的函数是pcap_compile() ?pcap_setfilter()来实现的?/p>
pcap_compile()来编译一个过滤设备,它通过一个高层的boolean型变量和字串产生一pd的能够被底层驱动所解释的二q制~码。boolean?/p>
C法能够在q个文g的过滤表C法中扑ֈ?/p>
pcap_setfilter() 用来联系一个在内核驱动上过滤的qo(h)器,q时所有网l数据包都将经qo(h)器,q拷贝到应用E序中?/p>
下面的代码展CZ如何~译q社定一个过滤设备。注意我们必Mpcap_ifl构中获得掩码,因ؓ(f)一些过滤器的创建需要这个参数?/p>
下面的代码段中的pcap_compile()?ip and tcp"参数说明只有IPV4和TCP数据才会(x)被内怿存ƈ被传递到应用E序?/p>
E序代码Q?[ 复制代码到剪贴板 ]
if(d->addresses != NULL)
/* 获得W一个接口地址的掩?*/
netmask=((struct sockaddr_in *)(d->addresses->netmask))->sin_addr.S_un.S_addr;
else
/* 如果q个接口没有地址那么我们假设他ؓ(f)Ccd址 */
netmask=0xffffff;
//compile the filter
if(pcap_compile(adhandle, &fcode, "ip and tcp", 1, netmask) <0 ){
fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
//set the filter
if(pcap_setfilter(adhandle, &fcode)<0){
fprintf(stderr,"\nError setting the filter.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
六)(j)解析数据?br>现在l过上几节的学习(fn)能够q行数据报的捕获和过滤了Q我们想用一个简单的"real world"E序我们所学的
知识应用于实际?br>q一节里我们利用以前的代码q将其引申从而徏立一个更实用的程序。该E序的主要目的是如何昄出所?/p>
L(fng)数据报的内容Q尤其是对它的协议头的分析和说明。这个程序名叫UDPdump它将在屏q上昄出我们网l上
UDP数据的信息?br>在此我们选择解析UDP而不用TCP因ؓ(f)他比TCP单更加的直观明了。下面让我们来看看原代码?/p>
E序代码Q?[ 复制代码到剪贴板 ]
/*
* Copyright (c) 1999 - 2002
* Politecnico di Torino. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the Politecnico
* di Torino, and its contributors.‘‘ Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS‘‘ AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#include "pcap.h"
/* 4 BIT的IP头定?*/
typedef struct ip_address{
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
}ip_address;
/* IPv4 头的定义 */
typedef struct ip_header{
u_char ver_ihl; // 4 bit的版本信?+ 4 bits的头?br>u_char tos; // TOScd
u_short tlen; // 总长?br>u_short identification; // Identification
u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits)
u_char ttl; // 生存?br>u_char proto; // 后面的协议信?br>u_short crc; // 校验?br>ip_address saddr; // 源IP
ip_address daddr; // 目的IP
u_int op_pad; // Option + Padding
}ip_header;
/* UDP header*/
typedef struct udp_header{
u_short sport; // Source port
u_short dport; // Destination port
u_short len; // Datagram length
u_short crc; // Checksum
}udp_header;
/* 定义处理包的函数 */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);
main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
pcap_t *adhandle;
char errbuf[PCAP_ERRBUF_SIZE];
u_int netmask;
char packet_filter[] = "ip and udp";
struct bpf_program fcode;
/* Retrieve the device list */
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* Print the list */
for(d=alldevs; d; d=d->next)
{
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
scanf("%d", &inum);
if(inum < 1 || inum > i)
{
printf("\nInterface number out of range.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* Jump to the selected adapter */
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
/* Open the adapter */
if ( (adhandle= pcap_open_live(d->name, // name of the device
65536, // portion of the packet to capture.
// 65536 grants that the whole packet will be captured on
all the MACs.
1, // promiscuous mode
1000, // read timeout
errbuf // error buffer
) ) == NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* Check the link layer. We support only Ethernet for simplicity. */
if(pcap_datalink(adhandle) != DLT_EN10MB)
{
fprintf(stderr,"\nThis program works only on Ethernet networks.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
if(d->addresses != NULL)
/* Retrieve the mask of the first address of the interface */
netmask=((struct sockaddr_in *)(d->addresses->netmask))->sin_addr.S_un.S_addr;
else
/* If the interface is without addresses we suppose to be in a C class network */
netmask=0xffffff;
//compile the filter
if(pcap_compile(adhandle, &fcode, packet_filter, 1, netmask) <0 ){
fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
//set the filter
if(pcap_setfilter(adhandle, &fcode)<0){
fprintf(stderr,"\nError setting the filter.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
printf("\nlistening on %s...\n", d->description);
/* At this point, we don‘t need any more the device list. Free it */
pcap_freealldevs(alldevs);
/* start the capture */
pcap_loop(adhandle, 0, packet_handler, NULL);
return 0;
}
/* Callback function invoked by libpcap for every incoming packet */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
struct tm *ltime;
char timestr[16];
ip_header *ih;
udp_header *uh;
u_int ip_len;
u_short sport,dport;
/* convert the timestamp to readable format */
ltime=localtime(&header->ts.tv_sec);
strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
/* print timestamp and length of the packet */
printf("%s.%.6d len:%d ", timestr, header->ts.tv_usec, header->len);
/* 扑ֈIP头的位置 */
ih = (ip_header *) (pkt_data +
14); //14Z太头的长?/p>
/* 扑ֈUDP的位|?*/
ip_len = (ih->ver_ihl & 0xf) * 4;
uh = (udp_header *) ((u_char*)ih + ip_len);
/* 端口信息从|络型{变ؓ(f)L序 */
sport = ntohs( uh->sport );
dport = ntohs( uh->dport );
/* print ip addresses and udp ports */
printf("%d.%d.%d.%d.%d -> %d.%d.%d.%d.%d\n",
ih->saddr.byte1,
ih->saddr.byte2,
ih->saddr.byte3,
ih->saddr.byte4,
sport,
ih->daddr.byte1,
ih->daddr.byte2,
ih->daddr.byte3,
ih->daddr.byte4,
dport);
}
首先我门讄UDPqo(h)Q用q种Ҏ(gu)我们保packet_handler()只接受到ZIPV4的UDP数据。我们同样定义了
两个数据l构来描qIP 和UDP的头部信息,packet_handler()用这两个l构来定位头部的各种字段?br>packet_handler()虽然只是限于处理一些UDP数据但却昄了复杂的嗅探器如tcpdump/WinDump的工作原理?br>首先我们对MAC地址的头部ƈ不感兴趣所以我们蟩q它。不q在开始捕获之前我们用pcap_datalink()来检查MAC
层,所以以上的E序只能够工作在Ethernet networks上,再次我们保MAC头ؓ(f)14 bytes?br>MAC头之后是IP_(d)我们从中提取Z目的地址。IP之后是UDPQ在定UDP的位|时有点复杂Q因为IP的长度以
为版本的不同而不同,所以我们用头长字段来定位UDPQ一?我们定了UDP的v始位|,我们可以解析出?/p>
和目的端口?br>下面是我们打印出来的一些结果:(x)
1. {A7FD048A-5D4B-478E-B3C1-34401AC3B72F} (Xircom t 10/100 Adapter)
Enter the interface number (1-2):1
listening on Xircom CardBus Ethernet 10/100 Adapter...
16:13:15.312784 len:87 130.192.31.67.2682 -> 130.192.3.21.53
16:13:15.314796 len:137 130.192.3.21.53 -> 130.192.31.67.2682
16:13:15.322101 len:78 130.192.31.67.2683 -> 130.192.3.21.53
上面每一行都昄Z同的数据包的内容.
Q七Q处理脱机的堆文?/p>
通过以前的学?fn)我门已l熟(zhn)了从网卡上捕获数据包,现在我门学?fn)如何处理数据包。WINPCAP为我们提供了很多API来将经|络的数据包
保存C个堆文gq读取堆的内宏V这一节将讲述如何使用所有的q些API?br>q种文g的格式很单,但包含了所捕获的数据报的二q制内容Q这U文件格式也是很多网l工L(fng)标准如WinDump, Ethereal q有 Snort{?
关于如何数据包保存到文Ӟ(x)
首先我们看看如何以LIBPCAP的格式写数据包?br>下面的例子演CZ如何从指定的接口上捕h据包q将它们存储C个指定的文g?/p>
E序代码Q?[ 复制代码到剪贴板 ]
#include "pcap.h"
/* 定义处理数据的函数原?*/
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);
main(int argc, char **argv)
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
pcap_t *adhandle;//定义文g句柄
char errbuf[PCAP_ERRBUF_SIZE];
pcap_dumper_t *dumpfile;
/* (g)查命令行参数 是否带有文g?/
if(argc != 2){
printf("usage: %s filename", argv[0]);
return -1;
}
/* 获得驱动列表 */
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* 打印 list */
for(d=alldevs; d; d=d->next)
{
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
scanf("%d", &inum);
if(inum < 1 || inum > i)
{
printf("\nInterface number out of range.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* 跌{到指定的|卡 */
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
/* Open the adapter */
if ( (adhandle = pcap_open_live(d->name, // name of the device
65536, // portion of the packet to capture.
// 65536 grants that the whole packet will be captured on all the MACs.
1, // promiscuous mode
1000, // read timeout
errbuf // error buffer
) ) == NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* 打开文g */
dumpfile = pcap_dump_open(adhandle, argv[1]);
if(dumpfile==NULL){
fprintf(stderr,"\nError opening output file\n");
return -1;
}
printf("\nlistening on %s...\n", d->description);
/* At this point, we don‘t need any more the device list. Free it */
pcap_freealldevs(alldevs);
/* 循环捕获数据q调用packet_handler函数把数据存储到堆文?*/
pcap_loop(adhandle, 0, packet_handler, (unsigned char *)dumpfile);
return 0;
}
/* Callback function invoked by libpcap for every incoming packet */
void packet_handler(u_char *dumpfile, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
/* 此函数功能将数据报存储到堆文?*/
pcap_dump(dumpfile, header, pkt_data);
}
正如你看到的那样该程序的l构非常cM与以前的例子Q区别是Q?br>一旦打开|卡p用pcap_dump_open()来打开一个文Ӟ该调用将文g和某个网卡相兌?br>packet_handler()内部通过调用pcap_dump()来将捕获的数据报存储到文件。pcap_dump()的参数和 packet_handler()一P所以用h比较?/p>
ѝ?/p>
从文件读数据包:(x)
下面我们来看如何从文件读取数据内宏V下面的代码打开?一个堆文gq打C其中的每个包内容?br>pcap_open_offline()用来打开一个堆文gQ之后用pcap_loop()来@环从文g中读取数据。你能发现读取脱机的数据几乎和实时的从网卡上?/p>
取一怸栗?/p>
E序代码Q?[ 复制代码到剪贴板 ]
#include <stdio.h>
#include <pcap.h>
#define LINE_LEN 16
void dispatcher_handler(u_char *, const struct pcap_pkthdr *, const u_char *);
main(int argc, char **argv) {
pcap_t *fp;
char errbuf[PCAP_ERRBUF_SIZE];
if(argc != 2){
printf("usage: %s filename", argv[0]);
return -1;
}
/* 打开一个存储有数据的堆文g */
if ( (fp = pcap_open_offline(argv[1], errbuf) ) == NULL)
{
fprintf(stderr,"\nError opening dump file\n");
return -1;
}
// d数据直到遇到 EOF标志?
pcap_loop(fp, 0, dispatcher_handler, NULL);
return 0;
}
void dispatcher_handler(u_char *temp1,
const struct pcap_pkthdr *header, const u_char *pkt_data)
{
u_int i=0;
/* print pkt timestamp and pkt len */
printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len);
/* Print the packet */
for (i=1; (i < header->caplen + 1 ) ; i++)
{
printf("%.2x ", pkt_data[i-1]);
if ( (i % LINE_LEN) == 0) printf("\n");
}
printf("\n\n");
}
下面的代码具有一L(fng)作用Q只不过是用pcap_next_ex()来代替pcap_loop()循环d数据而已?/p>
E序代码Q?[ 复制代码到剪贴板 ]
#include <stdio.h>
#include <pcap.h>
#define LINE_LEN 16
main(int argc, char **argv) {
pcap_t *fp;
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr *header;
u_char *pkt_data;
u_int i=0;
int res;
if(argc != 2){
printf("usage: %s filename", argv[0]);
return -1;
}
/* Open a capture file */
if ( (fp = pcap_open_offline(argv[1], errbuf) ) == NULL)
{
fprintf(stderr,"\nError opening dump file\n");
return -1;
}
/* Retrieve the packets from the file */
while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0){
/* print pkt timestamp and pkt len */
printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len);
/* Print the packet */
for (i=1; (i < header->caplen + 1 ) ; i++)
{
printf("%.2x ", pkt_data[i-1]);
if ( (i % LINE_LEN) == 0) printf("\n");
}
printf("\n\n");
}
if(res == -1){
printf("Error reading the packets: %s\n", pcap_geterr(fp));
}
return 0;
}
用pcap_live_dump数据写到文Ӟ(x)
WinPcap的最新版本提供了一个进一步的Ҏ(gu)来将数据包存储到盘Q就是用pcap_live_dump()函数。他需要三个参敎ͼ(x)一个文件名Q和一?/p>
该文件允许的最大长度还有一个参数是该文件所允许的最大包的数量。对q些参数来说 0 意味着没有最大限制。注Q我们可以在调用
pcap_live_dump()前设|一个过滤器来定义哪些数据报需要存储?/p>
pcap_live_dump() 是非d的,所以他?x)立刻返回?x)数据的存储过E将?x)异步的q行Q直到文件到达了指定的最大长度或最大数据报的数目ؓ(f)
止?br>应用E序能够用pcap_live_dump_ended()来等(g)查是否数据存储完毕,如果你指定的最大长度参数和数据报数量ؓ(f)0Q那么该操作永q阻塞?/p>
pcap_live_dump() ?pcap_dump()的不同从讄的最大极限来说就是性能的问题。pcap_live_dump()采用WinPcap NPF驱动来从内核U的层次
上向文g中写数据Q从而内存拯最化?br>昄Q这些特点当前在其他的操作系l下是不能够实现的,pcap_live_dump()是WinPcap所Ҏ(gu)的,而且只能够应用于Win32环境.
八)(j)发送数据包
管WinPcap从名字上来看表明他的主要目的是捕h据包Q但是他qؓ(f)原始|络提供了一些其他的功能Q其?/p>
之一是用户可以发送数据包Q这也就是本节的主要内容。需要指出的是原来的libpcapq不提供数据?的发
送功能,q里所说的功能都是WinPcap的扩展功能,所以ƈ不能够工作在UNIX下?/p>
用pcap_sendpacket来发送一个数据包Q?/p>
下面的代码是一个最单的发送数据的Ҏ(gu)。打开一个适配器后可以用 pcap_sendpacketQ)(j)来手工发送一
个数据包了。这个函数需要的参数Q一个装有要发送数据的~冲区,要发送的长度Q和一个适配器。注意缓?/p>
Z的数据将不被内核协议处理Q只是作为最原始的数据流被发送,所以我门必d充好正确的协议头以便?/p>
的数据发送?/p>
E序代码Q?[ 复制代码到剪贴板 ]
#include <stdlib.h>
#include <stdio.h>
#include <pcap.h>
void usage();
void main(int argc, char **argv) {
pcap_t *fp;
char error[PCAP_ERRBUF_SIZE];
u_char packet[100];
int i;
/* Check the validity of the command line */
if (argc != 2)
{
printf("usage: %s inerface", argv[0]);
return;
}
/* 打开指定|卡 */
if((fp = pcap_open_live(argv[1], 100, 1, 1000, error) ) == NULL)
{
fprintf(stderr,"\nError opening adapter: %s\n", error);
return;
}
/* 假设|络环境为ethernetQ我门把目的MAC设ؓ(f)1:1:1:1:1:1*/
packet[0]=1;
packet[1]=1;
packet[2]=1;
packet[3]=1;
packet[4]=1;
packet[5]=1;
/* 假设源MAC?2:2:2:2:2:2 */
packet[6]=2;
packet[7]=2;
packet[8]=2;
packet[9]=2;
packet[10]=2;
packet[11]=2;
/* 填充发送包的剩余部?*/
for(i=12;i<100;i++){
packet[i]=i%256;
}
/* 发送包 */
pcap_sendpacket(fp,
packet,
100);
return;
}
发送队列:(x)
pcap_sendpacket()只是提供一个简单的直接的发送数据的Ҏ(gu)Q而发送队列提供一个高U的强大的和最优的?/p>
制来发送一l数据包Q队列实际上是一个装有要发送数据的一个容器,他有一个最大值来表明他所能够 容纳?/p>
最大比Ҏ(gu)?br>pcap_sendqueue_alloc()用来创徏一个队列,q指定该队列的大?br>一旦队列被创徏可以调用pcap_sendqueue_queue()来将数据存储到队列中Q这个函数接受一个带有时间戳?/p>
长度的pcap_pkthdrl构和一个装有数据报的缓冲区。这些参数同样也应用于pcap_next_ex() ?/p>
pcap_handler()中,所以给要捕L(fng)数据包或要从文gd的数据包排队是pcap_sendqueue_queue()的事?/p>
了?br>WinPcap调用pcap_sendqueue_transmit()来发送数据包Q注意,W三个参数如果非Ӟ那么发送将是同步的Q?/p>
q将站用很大的CPU资源Q因为发生在内核驱动的同步发送是通过"brute force"loops的,但是一般情况下能够
_到微U?br>需要指出的是用pcap_sendqueue_transmit()来发送比用pcap_sendpacket()来发送一pd的数据要高效的多Q?/p>
因ؓ(f)他的数据是在内核U上被缓册Ӏ?br>当不再需要队列时可以用pcap_sendqueue_destroy()来释放掉所有的队列资源?/p>
下面的代码演CZ如何用发送队列来发送数据,该示例用pcap_open_offline()打开了一个文Ӟ然后数?/p>
从文件移动到已分配的队列Q这时就同步C送队列(如果用户指定为同步的话)(j)?/p>
E序代码Q?[ 复制代码到剪贴板 ]
/*
* Copyright (c) 1999 - 2002
* Politecnico di Torino. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the Politecnico
* di Torino, and its contributors.‘‘ Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS‘‘ AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#include <stdlib.h>
#include <stdio.h>
#include <pcap.h>
void usage();
void main(int argc, char **argv) {
pcap_t *indesc,*outdesc;
char error[PCAP_ERRBUF_SIZE];
FILE *capfile;
int caplen,
sync;
u_int res;
pcap_send_queue *squeue;
struct pcap_pkthdr *pktheader;
u_char *pktdata;
/* Check the validity of the command line */
if (argc <= 2 || argc >= 5)
{
usage();
return;
}
/* 得到文g长度 */
capfile=fopen(argv[1],"rb");
if(!capfile){
printf("Capture file not found!\n");
return;
}
fseek(capfile , 0, SEEK_END);
caplen= ftell(capfile)- sizeof(struct pcap_file_header);
fclose(capfile);
/* (g)查确保时间戳被忽?*/
if(argc == 4 && argv[3][0] == ‘s‘)
sync = TRUE;
else
sync = FALSE;
/* Open the capture */
if((indesc = pcap_open_offline(argv[1], error)) == NULL){
fprintf(stderr,"\nError opening the input file: %s\n", error);
return;
}
/* Open the output adapter */
if((outdesc = pcap_open_live(argv[2], 100, 1, 1000, error) ) == NULL)
{
fprintf(stderr,"\nError opening adapter: %s\n", error);
return;
}
/* (g)MACcd */
if(pcap_datalink(indesc) != pcap_datalink(outdesc)){
printf("Warning: the datalink of the capture differs from the one of the selected
interface.\n");
printf("Press a key to continue, or CTRL+C to stop.\n");
getchar();
}
/* l对列分配空?*/
squeue = pcap_sendqueue_alloc(caplen);
/* 从文件获得包来填充队?*/
while((res = pcap_next_ex( indesc, &pktheader, &pktdata)) == 1){
if(pcap_sendqueue_queue(squeue, pktheader, pktdata) == -1){
printf("Warning: packet buffer too small, not all the packets will be sent.\n");
break;
}
}
if(res == -1){
printf("Corrupted input file.\n");
pcap_sendqueue_destroy(squeue);
return;
}
/* 传送队列数?*/
if((res = pcap_sendqueue_transmit(outdesc, squeue, sync)) < squeue->len)
{
printf("An error occurred sending the packets: %s. Only %d bytes were sent\n", error,
res);
}
/* free the send queue */
pcap_sendqueue_destroy(squeue);
return;
}
void usage()
{
printf("\nSendcap, sends a libpcap/tcpdump capture file to the net. Copyright (C) 2002 Loris
Degioanni.\n");
printf("\nUsage:\n");
printf("\t sendcap file_name adapter [s]\n");
printf("\nParameters:\n");
printf("\nfile_name: the name of the dump file that will be sent to the network\n");
printf("\nadapter: the device to use. Use \"WinDump -D\" for a list of valid devices\n");
printf("\ns: if present, forces the packets to be sent synchronously, i.e. respecting the
timestamps in the dump file. This option will work only under Windows NTx.\n\n");
exit(0);
}
?ji)?j)攉q统计网l流?br>q一节将展示WinPcap的另一高功能Q收集网l流量的l计信息。WinPcap的统计引擎在内核层次上对到来的数据进行分cR如果你想了解更
多的l节h看NPF驱动指南?br>Z利用q个功能来监视网l,我门的程序必L开一个网卡ƈ用pcap_setmode()其讄为统计模式。注意pcap_setmode()要用 MODE_STAT
来将|卡讄为统计模式?br>在统计模式下~写一个程序来监视TCP量只是几行代码的事情,下面的例子说明了如何来实现该功能的?
E序代码Q?[ 复制代码到剪贴板 ]
/*
* Copyright (c) 1999 - 2002
* Politecnico di Torino. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the Politecnico
* di Torino, and its contributors.‘‘ Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS‘‘ AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#include <stdlib.h>
#include <stdio.h>
#include <pcap.h>
void usage();
void dispatcher_handler(u_char *,
const struct pcap_pkthdr *, const u_char *);
void main(int argc, char **argv) {
pcap_t *fp;
char error[PCAP_ERRBUF_SIZE];
struct timeval st_ts;
u_int netmask;
struct bpf_program fcode;
/* Check the validity of the command line */
if (argc != 2)
{
usage();
return;
}
/* Open the output adapter */
if((fp = pcap_open_live(argv[1], 100, 1, 1000, error) ) == NULL)
{
fprintf(stderr,"\nError opening adapter: %s\n", error);
return;
}
/* Don‘t care about netmask, it won‘t be used for this filter */
netmask=0xffffff;
//compile the filter
if(pcap_compile(fp, &fcode, "tcp", 1, netmask) <0 ){
fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax.\n");
/* Free the device list */
return;
}
//set the filter
if(pcap_setfilter(fp, &fcode)<0){
fprintf(stderr,"\nError setting the filter.\n");
/* Free the device list */
return;
}
/* 网卡设|ؓ(f)l计模式 */
pcap_setmode(fp, MODE_STAT);
printf("TCP traffic summary:\n");
/* Start the main loop */
pcap_loop(fp, 0, dispatcher_handler, (PUCHAR)&st_ts);
return;
}
void dispatcher_handler(u_char *state, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
struct timeval *old_ts = (struct timeval *)state;
u_int delay;
LARGE_INTEGER Bps,Pps;
struct tm *ltime;
char timestr[16];
/* 从最q一ơ的采样以微U计gq时?*/
/* This value is obtained from the timestamp that the associated with the sample. */
delay=(header->ts.tv_sec - old_ts->tv_sec) * 1000000 - old_ts->tv_usec + header->ts.tv_usec;
/* 获得每秒的比Ҏ(gu) */
Bps.QuadPart=(((*(LONGLONG*)(pkt_data + 8)) * 8 * 1000000) / (delay));
/* ^ ^
| |
| |
| |
converts bytes in bits -- |
|
delay is expressed in microseconds --
*/
/* 获得每秒的数据包?*/
Pps.QuadPart=(((*(LONGLONG*)(pkt_data)) * 1000000) / (delay));
/* 时间戳转变为可ȝ标准格式 */
ltime=localtime(&header->ts.tv_sec);
strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
/* Print timestamp*/
printf("%s ", timestr);
/* Print the samples */
printf("BPS=%I64u ", Bps.QuadPart);
printf("PPS=%I64u\n", Pps.QuadPart);
//store current timestamp
old_ts->tv_sec=header->ts.tv_sec;
old_ts->tv_usec=header->ts.tv_usec;
}
void usage()
{
printf("\nShows the TCP traffic load, in bits per second and packets per second.\nCopyright (C) 2002 Loris Degioanni.\n");
printf("\nUsage:\n");
printf("\t tcptop adapter\n");
printf("\t You can use \"WinDump -D\" if you don‘t know the name of your adapters.\n");
exit(0);
}
在设|ؓ(f)l计模式前可以设|一个过滤器来指定要捕获的协议包。如果没有设|过滤器那么整个|络数据都将被监视。一旦设|了 qo(h)器就?/p>
以调用pcap_setmode()来设|ؓ(f)l计模式Q之后网卡开始工作在l计模式下?br>需要指出的是pcap_open_live()的第四个参数(to_ms)定义了采L(fng)间隔Q回调函数pcap_loop()每隔一定间隔就获取一ơ采L(fng)计,q个采样
被装入pcap_loop()的第二和W三个参敎ͼq程如下图所C:(x)
______________
|struct timeval ts |
|_____________|
|bpf_u_int32 |
|caplen=16 | struct pcap_pkthdr*
|_____________| (参数2)
| bpf_u_int32 |
| len=16 |
|_____________|
__________________________
|large_integer Accepted packet |
|_________________________| uchar *
| large_integer Accepted bits | (参数3)
|_________________________|
用两?4位的计数器分别记录最q一ơ间隔数据包数量和比Ҏ(gu)量?br>本例子中Q网卡打开时设|超时ؓ(f)1000毫秒Q也是说dispatcher_handler()每隔1U就被调用一ơ。过滤器?/p>
讄为只监视TCP包,然后pcap_setmode() and pcap_loop()被调用,注意一个指向timeval的指?作ؓ(f)参数?/p>
送到pcap_loop()。这个timevall构用来存储个旉戳以计算两次采样的时间间隔?br>dispatcher_handler()用该间隔来获取每U的比特数和数据包数Qƈ把着两个数显C在昄器上?br>最后指出的是目前这个例子是比Q何一个利用传l方法在用户层统计的包捕L(fng)序都高效。因为统计模式需?/p>
最数量的数据拯和上下环境交换,同时q有最的内存需求,所以CPU是最优的?/p>
用PCAP写应用程序的W一件事往往是要获得本地的|卡列表。PCAP提供了pcap_findalldevs()q个函数来实现此功能Q这个APIq回一?/p>
pcap_ifl构的连表,q表的每内定w含有全面的网卡信息:(x)其是字D名字和含有名字的描qC?qing)有关驱动器的易M息?/p>
得到|络驱动列表的程序如下:(x)
E序代码Q?[ 复制代码到剪贴板 ]
#include "pcap.h"
main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int i=0;
char errbuf[PCAP_ERRBUF_SIZE];
/* q个API用来获得|卡 的列?*/
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* 昄列表的响应字D늚内容 */
for(d=alldevs;d;d=d->next)
{
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else printf(" (No description available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return;
}
/* We don‘t need any more the device list. Free it */
pcap_freealldevs(alldevs);
}
[code]有关q段E序的一些说明:(x)
首先pcap_findalldevs()同其他的libpcap函数一h一个errbuf参数Q当有异常情况发生时Q这个参C(x)被PCAP填充为某个特定的错误字串?/p>
再次QUNIX也同h供pcap_findalldevs()q个函数Q但是请注意q所有的pȝ都支持libpcap提供的网l程序接口。所以我门要惛_出合?/p>
的程序就必须考虑到这些情况(pȝ不能够返回一些字D늚描述信息Q,在这U情况下我门应该l出cM"No description available"q样?/p>
提示?/p>
最后结束时别忘了用pcap_freealldevs()释放掉内存资源?/p>
[code]#include "pcap.h"
main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int i=0;
char errbuf[PCAP_ERRBUF_SIZE];
/* Retrieve the device list */
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* Print the list */
for(d=alldevs;d;d=d->next)
{
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else printf(" (No description available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return;
}
/* We don‘t need any more the device list. Free it */
pcap_freealldevs(alldevs);
}
二)(j)获得已安装网l驱动器的高U信?/p>
在第一章中演示了如何获得已存在适配器的静态信息。实际上WinPcap同样也提供其他的高信息Q特别是 pcap_findalldevs()q个函数q回
的每?pcap_ifl构体都同样包含一个pcap_addrl构的列表,他包含:(x)
一个地址列表Q一个掩码列表,一个广播地址列表和一个目的地址列表?br>下面的例子通过一个ifprint()函数打印Zpcap_ifl构的的所有字D信息,该程序对每一个pcap_findalldevs()所q回的pcap_ifl构循环?/p>
用ifprint()来显Cl的字段信息?/p>
E序代码Q?[ 复制代码到剪贴板 ]
#include "pcap.h"
#ifndef WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#else
#include <winsock.h>
#endif
void ifprint(pcap_if_t *d);
char *iptos(u_long in);
int main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
char errbuf[PCAP_ERRBUF_SIZE+1];
/* 获得|卡的列?*/
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n",errbuf);
exit(1);
}
/* 循环调用ifprint() 来显Cpcap_ifl构的信?/
for(d=alldevs;d;d=d->next)
{
ifprint(d);
}
return 1;
}
/* Print all the available information on the given interface */
void ifprint(pcap_if_t *d)
{
pcap_addr_t *a;
/* Name */
printf("%s\n",d->name);
/* Description */
if (d->description)
printf("\tDescription: %s\n",d->description);
/* Loopback Address*/
printf("\tLoopback: %s\n",(d->flags & PCAP_IF_LOOPBACK)?"yes":"no");
/* IP addresses */
for(a=d->addresses;a;a=a->next) {
printf("\tAddress Family: #%d\n",a->addr->sa_family);
/*关于 sockaddr_in l构请参考其他的|络~程?/
switch(a->addr->sa_family)
{
case AF_INET:
printf("\tAddress Family Name: AF_INET\n");//打印|络地址cd
if (a->addr)//打印IP地址
printf("\tAddress: %s\n",iptos(((struct sockaddr_in *)a->addr)->sin_addr.s_addr));
if (a->netmask)//打印掩码
printf("\tNetmask: %s\n",iptos(((struct sockaddr_in *)a->netmask)->sin_addr.s_addr));
if (a->broadaddr)//打印q播地址
printf("\tBroadcast Address: %s\n",iptos(((struct sockaddr_in *)a->broadaddr)->sin_addr.s_addr));
if (a->dstaddr)//目的地址
printf("\tDestination Address: %s\n",iptos(((struct sockaddr_in *)a->dstaddr)->sin_addr.s_addr));
break;
default:
printf("\tAddress Family Name: Unknown\n");
break;
}
}
printf("\n");
}
/* 一个unsigned long 型的IP转换为字W串cd的IP */
#define IPTOSBUFFERS 12
char *iptos(u_long in)
{
static char output[IPTOSBUFFERS][3*4+3+1];
static short which;
u_char *p;
p = (u_char *)∈
which = (which + 1 == IPTOSBUFFERS ? 0 : which + 1);
sprintf(output[which], "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
return output[which];
}
三)(j)打开|卡捕获数据?/p>
现在我门已经知道了如何去获得|卡的信息现在就让我们开始真正的工作Q打开|卡q捕h据流。在q一?/p>
里我们将写一个打印流l网l的每个数据包信息的E序。打开|卡的功能是通过pcap_open_live()来实现的?/p>
有三个参数snaplen promisc to_ms?/p>
snaplen用于指定所捕获包的特定部分Q在一些系l上Q象xBSD and Win32{)(j)驱动只给出所捕获数据包的一部分而不是全部,q样减了?/p>
贝数据的数量从而提高了包捕L(fng)效率?/p>
promisc指明|卡处于h模式Q在正常情况下网卡只接受d它的包而去往其他L的数据包则被忽略。相反当|卡处于h 模式时他接
收所有的经它的数据包:(x)q就意味着在共享介质的情况下我门可以捕?/p>
到其它主机的数据包。大部分的包捕获E序都将h模式设ؓ(f)默认Q所有我们在下面的例子里也将|卡设ؓ(f)h模式。to_ms 参数指定L?/p>
的超时控Ӟ时以毫U计。当在超时时间内|卡上没有数据到来时对网卡的L作将q回Q如pcap_dispatch() or pcap_next_ex(){函?/p>
Q。还有,如果|卡处于l计模式下(h?#8220;l计和收集网l数据流一?#8221;Qto_msq定义了l计的时间间隔。如果该参数?那么意味着?/p>
有超时控Ӟ对网卡的L作在没有数据到来是将永远堵塞。如果ؓ(f)-1那么对网卡的L作将立即q回不管有没有数据可诅R?br>E序代码Q?[ 复制代码到剪贴板 ]
#include "pcap.h"
/* prototype of the packet handler */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);
main()
{
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=0;
pcap_t *adhandle;
char errbuf[PCAP_ERRBUF_SIZE];
/* 获得|卡的列?*/
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
/* 打印|卡信息 */
for(d=alldevs; d; d=d->next)
{
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
}
if(i==0)
{
printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
return -1;
}
printf("Enter the interface number (1-%d):",i);
scanf("%d", &inum); //输入要选择打开的网卡号
if(inum < 1 || inum > i) //判断L(fng)合法?br>{
printf("\nInterface number out of range.\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
/* 扑ֈ要选择的网卡结?*/
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
/* 打开选择的网?*/
if ( (adhandle= pcap_open_live(d->name, // 讑֤名称
65536, // portion of the packet to capture.
// 65536 grants that the whole packet will be captured on all the MACs.
1, // h模式
1000, // 读超时ؓ(f)1U?br>errbuf // error buffer
) ) == NULL)
{
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n");
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
printf("\nlistening on %s...\n", d->description);
/* At this point, we don‘t need any more the device list. Free it */
pcap_freealldevs(alldevs);
/* 开始捕获包 */
pcap_loop(adhandle, 0, packet_handler, NULL);
return 0;
}
/* Ҏ(gu)一个到来的数据包调用该函数 */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
struct tm *ltime;
char timestr[16];
/* 时间戳转变为易ȝ标准格式*/
ltime=localtime(&header->ts.tv_sec);
strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);
}
一旦网卡被打开Q旧可以调用pcap_dispatch() 或pcap_loop()q行数据的捕Pq两个函数的功能十分怼不同的是pcap_ dispatch()可以?/p>
被阻塞,而pcap_loop()在没有数据流到达时将d。在q个单的例子里用pcap_loop()p够了Q而在一些复杂的E序里往往?/p>
pcap_dispatch()?br>Once the adapter is opened, the capture can be started with pcap_dispatch() or pcap_loop(). These
two functions are very similar, the difference is that pcap_ dispatch() is granted to return when
the expires while pcap_loop() doesn‘t return until cnt packets have been captured, so it can
block for an arbitrary period on a few utilized network. pcap_loop() is enough for the purpose of
this sample, while pcap_dispatch() is normally used in more complex program.
q两个函数都有返回的参数Q一个指向某个函敎ͼ该函数用来接受数据如该程序中的packet_handlerQ的指针Qlibpcap调用该函数对每个从网
上到来的数据包进行处理和接收数据包。另一个参数是带有旉戛_包长{信息的头部Q最后一个是含有所有协议头部数据报的实际数据。注
意MAC的冗余校验码一般不出现Q因为当一个桢到达q被认后网卡就把它删除了,同样需要注意的是大多数|卡?x)丢掉冗余码出错的数据包Q?/p>
所以WinPcap一般不能够捕获q些出错的数据报?/p>
刚才的例子里从pcap_pkthdr中提取出了每个数据报的时间戳和长度ƈ在显C器上打印出了他们?br>
]]>