WinPcap和Libpcap的最強(qiáng)大的特性之一，是擁有過濾數(shù)據(jù)包的引擎。 它提供了有效的方法去獲取網(wǎng)絡(luò)中的某些數(shù)據(jù)包，這也是WinPcap捕獲機(jī)制中的一個(gè)組成部分。 用來過濾數(shù)據(jù)包的函數(shù)是?pcap_compile()?和pcap_setfilter()?。

pcap_compile()?它將一個(gè)高層的布爾過濾表達(dá)式編譯成一個(gè)能夠被過濾引擎所解釋的低層的字節(jié)碼。有關(guān)布爾過濾表達(dá)式的語法可以參見?Filtering expression syntax?這一節(jié)的內(nèi)容。

pcap_setfilter()?將一個(gè)過濾器與內(nèi)核捕獲會(huì)話向關(guān)聯(lián)。當(dāng)?pcap_setfilter()?被調(diào)用時(shí)，這個(gè)過濾器將被應(yīng)用到來自網(wǎng)絡(luò)的所有數(shù)據(jù)包，并且，所有的符合要求的數(shù)據(jù)包 (即那些經(jīng)過過濾器以后，布爾表達(dá)式為真的包) ，將會(huì)立即復(fù)制給應(yīng)用程序。

現(xiàn)在，我們可以捕捉并過濾網(wǎng)絡(luò)流量了，那就讓我們學(xué)以致用，來做一個(gè)簡單使用的程序吧。

在本講中，我們將會(huì)利用上一講的一些代碼，來建立一個(gè)更實(shí)用的程序。 本程序的主要目標(biāo)是展示如何解析所捕獲的數(shù)據(jù)包的協(xié)議首部。這個(gè)程序可以稱為UDPdump，打印一些網(wǎng)絡(luò)上傳輸?shù)腢DP數(shù)據(jù)的信息。

我們選擇分析和現(xiàn)實(shí)UDP協(xié)議而不是TCP等其它協(xié)議，是因?yàn)樗绕渌膮f(xié)議更簡單，作為一個(gè)入門程序范例，是很不錯(cuò)的選擇。讓我們看看代碼：

?

[cpp]?view plaincopy

#include?"pcap.h"??

??

/*?4字節(jié)的IP地址?*/??

typedef?struct?ip_address{??

????u_char?byte1;??

????u_char?byte2;??

????u_char?byte3;??

????u_char?byte4;??

}ip_address;??

??

/*?IPv4?首部?*/??

typedef?struct?ip_header{??

????u_char??ver_ihl;????????//?版本?(4?bits)?+?首部長度?(4?bits)??

????u_char??tos;????????????//?服務(wù)類型(Type?of?service)???

????u_short?tlen;???????????//?總長(Total?length)???

????u_short?identification;?//?標(biāo)識(shí)(Identification)??

????u_short?flags_fo;???????//?標(biāo)志位(Flags)?(3?bits)?+?段偏移量(Fragment?offset)?(13?bits)??

????u_char??ttl;????????????//?存活時(shí)間(Time?to?live)??

????u_char??proto;??????????//?協(xié)議(Protocol)??

????u_short?crc;????????????//?首部校驗(yàn)和(Header?checksum)??

????ip_address??saddr;??????//?源地址(Source?address)??

????ip_address??daddr;??????//?目的地址(Destination?address)??

????u_int???op_pad;?????????//?選項(xiàng)與填充(Option?+?Padding)??

}ip_header;??

??

/*?UDP?首部*/??

typedef?struct?udp_header{??

????u_short?sport;??????????//?源端口(Source?port)??

????u_short?dport;??????????//?目的端口(Destination?port)??

????u_short?len;????????????//?UDP數(shù)據(jù)包長度(Datagram?length)??

????u_short?crc;????????????//?校驗(yàn)和(Checksum)??

}udp_header;??

??

/*?回調(diào)函數(shù)原型?*/??

void?packet_handler(u_char?*param,?const?struct?pcap_pkthdr?*header,?const?u_char?*pkt_data);??

??

??

int?main()??

{??

pcap_if_t?*alldevs;??

pcap_if_t?*d;??

int?inum;??

int?i=0;??

pcap_t?*adhandle;??

char?errbuf[PCAP_ERRBUF_SIZE];??

u_int?netmask;??

char?packet_filter[]?=?"ip?and?udp";??

struct?bpf_program?fcode;??

??

????/*?獲得設(shè)備列表?*/??

????if?(pcap_findalldevs_ex(PCAP_SRC_IF_STRING,?NULL,?&alldevs,?errbuf)?==?-1)??

????{??

????????fprintf(stderr,"Error?in?pcap_findalldevs:?%s/n",?errbuf);??

????????exit(1);??

????}??

??????

????/*?打印列表?*/??

????for(d=alldevs;?d;?d=d->next)??

????{??

????????printf("%d.?%s",?++i,?d->name);??

????????if?(d->description)??

????????????printf("?(%s)/n",?d->description);??

????????else??

????????????printf("?(No?description?available)/n");??

????}??

??

????if(i==0)??

????{??

????????printf("/nNo?interfaces?found!?Make?sure?WinPcap?is?installed./n");??

????????return?-1;??

????}??

??????

????printf("Enter?the?interface?number?(1-%d):",i);??

????scanf("%d",?&inum);??

??????

????if(inum?<?1?||?inum?>?i)??

????{??

????????printf("/nInterface?number?out?of?range./n");??

????????/*?釋放設(shè)備列表?*/??

????????pcap_freealldevs(alldevs);??

????????return?-1;??

????}??

??

????/*?跳轉(zhuǎn)到已選設(shè)備?*/??

????for(d=alldevs,?i=0;?i<?inum-1?;d=d->next,?i++);??

??????

????/*?打開適配器?*/??

????if?(?(adhandle=?pcap_open(d->name,??//?設(shè)備名??

?????????????????????????????65536,?????//?要捕捉的數(shù)據(jù)包的部分重生之大文豪www.dwhao.com???

????????????????????????????????????????//?65535保證能捕獲到不同數(shù)據(jù)鏈路層上的每個(gè)數(shù)據(jù)包的全部內(nèi)容??

?????????????????????????????PCAP_OPENFLAG_PROMISCUOUS,?????????//?混雜模式??

?????????????????????????????1000,??????//?讀取超時(shí)時(shí)間??

?????????????????????????????NULL,??????//?遠(yuǎn)程機(jī)器驗(yàn)證??

?????????????????????????????errbuf?????//?錯(cuò)誤緩沖池??

?????????????????????????????)?)?==?NULL)??

????{??

????????fprintf(stderr,"/nUnable?to?open?the?adapter.?%s?is?not?supported?by?WinPcap/n");??

????????/*?釋放設(shè)備列表?*/??

????????pcap_freealldevs(alldevs);??

????????return?-1;??

????}??

??????

????/*?檢查數(shù)據(jù)鏈路層，為了簡單，我們只考慮以太網(wǎng)?*/??

????if(pcap_datalink(adhandle)?!=?DLT_EN10MB)??

????{??

????????fprintf(stderr,"/nThis?program?works?only?on?Ethernet?networks./n");??

????????/*?釋放設(shè)備列表?*/??

????????pcap_freealldevs(alldevs);??

????????return?-1;??

????}??

??????

????if(d->addresses?!=?NULL)??

????????/*?獲得接口第一個(gè)地址的掩碼?*/??

????????netmask=((struct?sockaddr_in?*)(d->addresses->netmask))->sin_addr.S_un.S_addr;??

????else??

????????/*?如果接口沒有地址，那么我們假設(shè)一個(gè)C類的掩碼?*/??

????????netmask=0xffffff;???

??

??

????//編譯過濾器??

????if?(pcap_compile(adhandle,?&fcode,?packet_filter,?1,?netmask)?<0?)??

????{??

????????fprintf(stderr,"/nUnable?to?compile?the?packet?filter.?Check?the?syntax./n");??

????????/*?釋放設(shè)備列表?*/??

????????pcap_freealldevs(alldevs);??

????????return?-1;??

????}??

??????

????//設(shè)置過濾器??

????if?(pcap_setfilter(adhandle,?&fcode)<0)??

????{??

????????fprintf(stderr,"/nError?setting?the?filter./n");??

????????/*?釋放設(shè)備列表?*/??

????????pcap_freealldevs(alldevs);??

????????return?-1;??

????}??

??????

????printf("/nlistening?on?%s.../n",?d->description);??

??????

????/*?釋放設(shè)備列表?*/??

????pcap_freealldevs(alldevs);??

??????

????/*?開始捕捉?*/??

????pcap_loop(adhandle,?0,?packet_handler,?NULL);??

??????

????return?0;??

}??

??

/*?回調(diào)函數(shù)，當(dāng)收到每一個(gè)數(shù)據(jù)包時(shí)會(huì)被libpcap所調(diào)用?*/??

void?packet_handler(u_char?*param,?const?struct?pcap_pkthdr?*header,?const?u_char?*pkt_data)??

{??

????struct?tm?*ltime;??

????char?timestr[16];??

????ip_header?*ih;??

????udp_header?*uh;??

????u_int?ip_len;??

????u_short?sport,dport;??

????time_t?local_tv_sec;??

??

????/*?將時(shí)間戳轉(zhuǎn)換成可識(shí)別的格式?*/??

????local_tv_sec?=?header->ts.tv_sec;??

????ltime=localtime(&local_tv_sec);??

????strftime(?timestr,?sizeof?timestr,?"%H:%M:%S",?ltime);??

??

????/*?打印數(shù)據(jù)包的時(shí)間戳和長度?*/??

????printf("%s.%.6d?len:%d?",?timestr,?header->ts.tv_usec,?header->len);??

??

????/*?獲得IP數(shù)據(jù)包頭部的位置?*/??

????ih?=?(ip_header?*)?(pkt_data?+??

????????14);?//以太網(wǎng)頭部長度??

??

????/*?獲得UDP首部的位置?茶葉www.aichar.com*/??

????ip_len?=?(ih->ver_ihl?&?0xf)?*?4;??

????uh?=?(udp_header?*)?((u_char*)ih?+?ip_len);??

??

????/*?將網(wǎng)絡(luò)字節(jié)序列轉(zhuǎn)換成主機(jī)字節(jié)序列?*/??

????sport?=?ntohs(?uh->sport?);??

????dport?=?ntohs(?uh->dport?);??

??

????/*?打印IP地址和UDP端口?*/??

????printf("%d.%d.%d.%d.%d?->?%d.%d.%d.%d.%d/n",??

????????ih->saddr.byte1,??

????????ih->saddr.byte2,??

????????ih->saddr.byte3,??

????????ih->saddr.byte4,??

????????sport,??

????????ih->daddr.byte1,??

????????ih->daddr.byte2,??

????????ih->daddr.byte3,??

????????ih->daddr.byte4,??

????????dport);??

}??

?

?

轉(zhuǎn)載于:https://www.cnblogs.com/jiangyea/p/3530149.html

總結(jié)

以上是生活随笔為你收集整理的winpcap编程 解析数据包的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。