libpcap是开源库,主要完成数据包捕获功能
下面是自己的测试例子:
原理展示测试:
#include#define BUFSIZE 1024int main(){ char error_content[PCAP_ERRBUF_SIZE]; struct pcap_pkthdr protocol_header; pcap_t *pcap_handle; struct bpf_program bpf_filter; char bpf_filter_string[] = ""; const u_char *packet_content; bpf_u_int32 net_mask; bpf_u_int32 net_ip; char *net_interface; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZE,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); packet_content = pcap_next(pcap_handle,&protocol_header); printf("The capture data is: %s\n",packet_content); printf("Capture a packet from : %s\n",net_interface); printf("The packet length is : %d\n",protocol_header.len); pcap_close(pcap_handle); return 0;}
#include#include typedef u_int32_t in_addr_t;/*struct in_addr{ in_addr_t s_addr;};*/int main(){ char error_content[PCAP_ERRBUF_SIZE]; struct in_addr net_ip_address; struct in_addr net_mask_address; char *net_interface; char *net_ip_string; char *net_mask_string; u_int32_t net_ip; u_int32_t net_mask; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); printf("Network Interface is:%s\n",net_interface); net_ip_address.s_addr = net_ip; net_ip_string = inet_ntoa(net_ip_address); printf("Network IP Address is : %s\n",net_ip_string); net_mask_address.s_addr = net_mask; net_mask_string = inet_ntoa(net_mask_address); printf("Network Mask Address is: %s\n",net_mask_string); return 0;}
#include "pcap.h"void packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ static int packet_number = 1; printf("The %d packet is captured.\n",packet_number); printf("%s\n",argument); packet_number ++;}int main(){ pcap_t * pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); pcap_loop(pcap_handle,10,packet_callback,"This is argument!heihei!"); pcap_close(pcap_handle); return 0;}
以太网的捕获:
#include#include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};int main(){ char error_content[PCAP_ERRBUF_SIZE]; pcap_t *pcap_handle; const u_char *packet_content; u_char *mac_string; u_short ethernet_type; bpf_u_int32 net_mask; bpf_u_int32 net_ip; char *net_interface; struct pcap_pkthdr protocol_header; struct ether_header *ethernet_protocol; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle, &bpf_filter, bpf_filter_string, 0, net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return ; packet_content = pcap_next(pcap_handle,&protocol_header); printf("--------------------*****------------------\n"); printf("Capture a Packet from net_interface: \n"); printf(">>> %s \n",net_interface); printf("Capture Time is: \n");// printf(">>> %s\n",ctime((const time_t *)&protocol_header.ts.tv_sec)); printf(">>> %s\n",ctime((const time_t*)(&protocol_header.ts.tv_sec))); printf("Packet Length is:\n"); printf(">>> %d\n",protocol_header.len); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is :\n"); ethernet_type = ntohs(ethernet_protocol->ether_type); printf(">>> %04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is : \n"); mac_string = ethernet_protocol->ether_shost; printf(">>> %02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is :\n"); mac_string = ethernet_protocol->ether_dhost; printf(">>> %02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5)); printf("------------------------*****--------------------------\n"); pcap_close(pcap_handle); return 0;}
#include#include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr* packet_header,const u_char *packet_content){ u_short ethernet_type; struct ether_header * ethernet_protocol; u_char *mac_string; char *net_interface = (char *)argument; printf("---------------------*****----------------------\n"); printf("Capture a Packet from net_interface:\n"); printf(">>> %s\n",net_interface); printf("Capture Time is: \n"); printf(">>> %s\n",ctime((const time_t*)&packet_header->ts.tv_sec)); printf("Packet length is:\n"); printf(">>> %d\n",packet_header->len); ethernet_protocol = (struct ether_header*)packet_content; printf("Ethernet type is :\n"); ethernet_type = ntohs(ethernet_protocol->ether_type); printf(">>> %04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is :\n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is :\n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("---------------------*****----------------------\n");}int main(){ char error_content[PCAP_ERRBUF_SIZE]; pcap_t *pcap_handle; const u_char *packet_content; bpf_u_int32 net_mask; bpf_u_int32 net_ip; u_char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,net_interface); pcap_close(pcap_handle); return 0;}
#include#include #include #include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};typedef u_int32_t in_addr_t;/*struct in_addr{ in_addr_t s_addr;};*/struct arp_header{ u_int16_t arp_hardware_type; u_int16_t arp_protocol_type; u_int8_t arp_hardware_length; u_int8_t arp_protocol_length; u_int16_t arp_operation_code; u_int8_t arp_source_ethernet_address[6]; u_int8_t arp_source_ip_address[4]; u_int8_t arp_destination_ethernet_address[6]; u_int8_t arp_destination_ip_address[4];};void arp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr* packet_header,const u_char *packet_content){ struct arp_header *arp_protocol; u_short protocol_type; u_short hardware_type; u_short operation_code; u_char *mac_string; struct in_addr source_ip_address; struct in_addr destination_ip_address; u_char hardware_length; u_char protocol_length; printf("-------ARP Protocol (Netwrok Layer) -------\n"); arp_protocol = (struct arp_header *)(packet_content+14); hardware_type = ntohs(arp_protocol->arp_hardware_type); protocol_type = ntohs(arp_protocol->arp_protocol_type); operation_code = ntohs(arp_protocol->arp_operation_code); hardware_length = arp_protocol->arp_hardware_length; protocol_length = arp_protocol->arp_protocol_length; printf("ARP Hardware Type: %d\n",hardware_type); printf("ARP Protocol Type: %d\n",protocol_type); printf("ARP Hardware Length:%d\n",hardware_length); printf("ARP Protocol Length:%d\n",protocol_length); printf("ARP Operation: %d\n",operation_code); switch(operation_code) { case 1: printf("ARP Request Protocol\n"); break; case 2: printf("ARP Reply Protocol\n"); break; case 3: printf("RARP Request Protocol\n"); break; case 4: printf("RARP Reply Protocol\n"); break; default: break; } printf("Ethernet Source Address is : \n"); mac_string = arp_protocol->arp_source_ethernet_address;; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void*)&source_ip_address,(void*)&arp_protocol->arp_source_ip_address,sizeof(struct in_addr)); printf("Source IP Address:%s\n",inet_ntoa(source_ip_address)); printf("Ethernet Destination Address is : \n"); mac_string = arp_protocol->arp_destination_ethernet_address; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void*)&destination_ip_address,(void *) &arp_protocol->arp_destination_ip_address, sizeof(struct in_addr)); printf("Destination IP Address: %s\n", inet_ntoa(destination_ip_address));}void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("**************************************************\n"); printf("The %d ARP packet is captured.\n",packet_number); printf("-------- Ethernet Protocol (Link Layer) --------\n"); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is:\n"); ethernet_type = ntohs(ethernet_protocol -> ether_type); printf("%04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is : \n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is:\n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0806: arp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("****************************************************\n"); packet_number ++;}int main(){ pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "arp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface, &net_ip, &net_mask, error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return ; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0;}
Ip数据包捕获:
#include "pcap.h"#includestruct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};/*typedef u_int32_t in_addr_t;struct in_addr{ in_addr_t s_addr;};*/struct ip_header{#ifdef WORDS_BIGENDIAN u_int8_t ip_version:4,ip_header_length:4;#else u_int8_t ip_header_length:4,ip_version:4;#endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address;};void ip_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length * 4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("---------------IP Protocol (Network Layer) ---------------\n"); printf("IP Version:%d\n",ip_protocol->ip_version); printf("Header length:%d\n",header_length); printf("TOS: %d\n",tos); printf("Total length: %d\n",ntohs(ip_protocol->ip_length)); printf("Identification:%d\n",ntohs(ip_protocol->ip_id)); printf("Offset:%d\n",(offset & 0x1fff)*8); printf("TTL:%d\n",ip_protocol->ip_ttl); printf("Protocol:%d\n",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP\n"); break; case 17: printf("The Transport Layer Protocol is UDP\n"); break; case 1: printf("The Transport Layer Protocol is ICMP\n"); default: break; } printf("Header checksum:%d\n",checksum); printf("Source address:%s\n",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s\n",inet_ntoa(ip_protocol->ip_destination_address));}void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("**********************************************************************\n"); printf("The %d IP packet is captured.\n",packet_number); printf("------------------ Ethernet Protocol (Link Layer) --------------------\n"); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is:\n"); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is: \n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is:\n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("*************************************************************************\n"); packet_number ++;}int main(){ pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0 ;}
ICMP数据包(ping格式)捕获:
#include#include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};struct ip_header{#if defined(WORDS_BIGENDIAN) u_int8_t ip_version:4,ip_header_length:4;#else u_int8_t ip_header_length:4,ip_version:4;#endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address;};struct icmp_header{ u_int8_t icmp_type; u_int8_t icmp_code; u_int16_t icmp_checksum; u_int16_t icmp_id; u_int16_t icmp_sequence;};void icmp_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ struct icmp_header *icmp_protocol; icmp_protocol = (struct icmp_header*)(packet_content+14+20); printf("---------------- ICMP Protocol (Transport Layer) ------------------\n"); printf("ICMP Type:%d\n",icmp_protocol->icmp_type); switch(icmp_protocol->icmp_type) { case 8: printf("ICMP Echo Request Protocol \n"); printf("ICMP Code:%d\n",icmp_protocol->icmp_code); printf("Identifier:%d\n",icmp_protocol->icmp_id); printf("Sequence Number:%d\n",icmp_protocol->icmp_sequence); break; case 0: printf("ICMP Echo Reply Protocol\n"); printf("ICMP Code:%d\n",icmp_protocol->icmp_code); printf("Identifier:%d\n",icmp_protocol->icmp_id); printf("Sequence Number:%d\n",icmp_protocol->icmp_sequence); break; default: break; } printf("ICMP Checksum:%d\n",ntohs(icmp_protocol->icmp_checksum));}void ip_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; printf("---------------------- IP Protocol (Network Layer) ---------------------\n"); ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("IP Version:%d\n",ip_protocol->ip_version); printf("Header length:%d\n",header_length); printf("TOS:%d\n",tos); printf("Total length:%d\n",ntohs(ip_protocol->ip_length)); printf("Identification:%d\n",ntohs(ip_protocol->ip_id)); printf("Offset:%d\n",(offset & 0x1fff) * 8); printf("TTL:%d\n",ip_protocol->ip_ttl); printf("Protocol:%d\n",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP\n"); break; case 17: printf("The Transport Layer Protocol is UDP\n"); break; case 1: printf("The Transport Layer Protocol is ICMP\n"); break; default: break; } printf("Header checksum:%d\n",checksum); printf("Source address:%s\n",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s\n",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 1: icmp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; }}void ethernet_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("******************************************************************************\n"); printf("The %d ICMP packet is captured.\n",packet_number); printf("------------------- Ethernet Protocol (Link Layer) -----------------------\n"); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is:\n"); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is:\n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: \n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("******************************************************************************\n"); packet_number ++;}int main(){ pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "icmp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0;}
udp数据包捕获:
#include#include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};struct ip_header{#if defined(WORDS_BIGENDIAN) u_int8_t ip_version:4,ip_header_length:4;#else u_int8_t ip_header_length:4,ip_version:4;#endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address;};struct udp_header{ u_int16_t udp_source_port; u_int16_t udp_destination_port; u_int16_t udp_length; u_int16_t udp_checksum;};void udp_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct udp_header * udp_protocol; u_short source_port; u_short destination_port; u_short length; udp_protocol = (struct udp_header*)(packet_content+14+20); source_port = ntohs(udp_protocol->udp_source_port); destination_port = ntohs(udp_protocol->udp_destination_port); length = ntohs(udp_protocol->udp_length); printf("------------------------ UDP Protocol (Transprot Layer) ------------------\n"); printf("Source port:%d\n",source_port); printf("Destination port:%d\n",destination_port); switch(destination_port) { case 138: printf("NETBIOS Datagram Service\n"); break; case 137: printf("NETBIOS Name Service\n"); break; case 139: printf("NETBIOS session service\n"); break; case 53: printf("name-domain service\n"); break; default: break; } printf("Length:%d\n",length); printf("Checksum:%d\n",ntohs(udp_protocol->udp_checksum));}void ip_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; printf("---------------------- IP Protocol (Network Layer) ---------------------\n"); ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("IP Version:%d\n",ip_protocol->ip_version); printf("Header length:%d\n",header_length); printf("TOS:%d\n",tos); printf("Total length:%d\n",ntohs(ip_protocol->ip_length)); printf("Identification:%d\n",ntohs(ip_protocol->ip_id)); printf("Offset:%d\n",(offset & 0x1fff) * 8); printf("TTL:%d\n",ip_protocol->ip_ttl); printf("Protocol:%d\n",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP\n"); break; case 17: printf("The Transport Layer Protocol is UDP\n"); break; case 1: printf("The Transport Layer Protocol is ICMP\n"); break; default: break; } printf("Header checksum:%d\n",checksum); printf("Source address:%s\n",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s\n",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 17: udp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; }}void ethernet_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("******************************************************************************\n"); printf("The %d UDP packet is captured.\n",packet_number); printf("------------------- Ethernet Protocol (Link Layer) -----------------------\n"); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is:\n"); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is:\n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: \n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("******************************************************************************\n"); packet_number ++;}int main(){ pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "udp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0;}
tcp数据包捕获:
#include#include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};struct ip_header{#ifdef WORDS_BIGENDIAN u_int8_t ip_version:4,ip_header_length:4;#else u_int8_t ip_header_length:4,ip_version:4;#endif u_int8_t ip_tos_shuaifaliu; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address;};struct tcp_header{ u_int16_t tcp_source_port; u_int16_t tcp_destination_port; u_int32_t tcp_acknowledgement; u_int32_t tcp_ack;#ifdef WORDS_BIGENDIAN u_int8_t tcp_offset:4,tcp_reserved:4;#else u_int8_t tcp_reserved:4,tcp_offset:4;#endif u_int8_t tcp_flags; u_int16_t tcp_windows; u_int16_t tcp_checksum; u_int16_t tcp_urgent_pointer;};void tcp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ struct tcp_header *tcp_protocol; u_char flags; int header_length; u_short source_port; u_short destination_port; u_short windows; u_short urgent_pointer; u_int sequence; u_int acknowledgement; u_int16_t checksum; tcp_protocol = (struct tcp_header*)(packet_content+14+20); source_port = ntohs(tcp_protocol->tcp_source_port); destination_port = ntohs(tcp_protocol->tcp_destination_port); header_length = tcp_protocol->tcp_offset * 4; sequence = ntohl(tcp_protocol->tcp_acknowledgement); acknowledgement = ntohl(tcp_protocol->tcp_ack); windows = ntohl(tcp_protocol->tcp_windows); urgent_pointer = ntohs(tcp_protocol->tcp_urgent_pointer); flags = tcp_protocol->tcp_flags; checksum = ntohs(tcp_protocol->tcp_checksum); printf("---------------------- TCP Protocol (Transport Layer) ------------------\n"); printf("Source Port:%d\n",source_port); printf("Destination Port:%d\n",destination_port); switch(destination_port) { case 80: printf("HTTP protocol\n"); break; case 21: printf("FTP protocol\n"); break; case 23: printf("TELNET protocol\n"); break; case 25: printf("SMTP protocol\n"); break; case 110: printf("POP3 protocol\n"); break; default: break; } printf("Sequence Number:%u\n",sequence); printf("Acknowledgement Number:%u\n",acknowledgement); printf("Header Length:%d\n",header_length); printf("Reserved:%d\n",tcp_protocol->tcp_reserved); printf("Flags:"); if(flags & 0x08) printf("PSH "); if(flags & 0x10) printf("ACK "); if(flags & 0x02) printf("SYN "); if(flags & 0x20) printf("URG "); if(flags & 0x01) printf("FIN "); if(flags & 0x04) printf("RST "); printf("\n"); printf("Windows Size:%d\n",windows); printf("Checksum:%d\n",checksum); printf("Urgent pointer:%d\n",urgent_pointer);}void ip_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; printf("--------------- IP Protocol (Nework Layer) ----------------\n"); ip_protocol = (struct ip_header*)(packet_content +14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos_shuaifaliu; offset = ntohs(ip_protocol->ip_off); printf("IP Version: %d\n",ip_protocol->ip_version); printf("Header length:%d\n",header_length); printf("TOS:%d\n",tos); printf("Total length:%d\n",ntohs(ip_protocol->ip_length)); printf("Identification:%d\n",ntohs(ip_protocol->ip_id)); printf("Offset:%d\n",(offset & 0x1fff) * 8); printf("TTL:%d\n",ip_protocol->ip_ttl); printf("Protocol: %d\n",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP\n"); break; case 17: printf("The Transport Layer Protocol is UDP\n"); break; case 1: printf("The Transport Layer Protocol is ICMP\n"); break; default: break; } printf("Header checksum:%d\n",checksum); printf("Source address:%s\n",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s\n",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 6: tcp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; }}void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ u_short ethernet_type; struct ether_header *ethernet_protocol; u_char * mac_string; static int packet_number = 1; printf("***************************************************************\n"); printf("The %d TCP packet is captured.\n",packet_number); printf("----------- Ethernet Protocol (Link Layer) ------------------\n"); ethernet_protocol = (struct ether_header*)packet_content; printf("Ethernet type is:\n"); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The newwork layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is:\n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is:\n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("***********************************************************************************\n"); packet_number ++;}int main(){ pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "tcp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0;}
一个简单的捕获程序:(icmp,tcp,udp,ip,arp)
#include#include #include struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type;};struct arp_header{ u_int16_t arp_hardware_type; u_int16_t arp_protocol_type; u_int8_t arp_hardware_length; u_int8_t arp_protocol_length; u_int16_t arp_operation_code; u_int8_t arp_source_ethernet_address[6]; u_int8_t arp_source_ip_address[4]; u_int8_t arp_destination_ethernet_address[6]; u_int8_t arp_destination_ip_address[4];};struct ip_header{#if defined(WORDS_BIGENDIAN) u_int8_t ip_version:4,ip_header_length:4;#else u_int8_t ip_header_length:4,ip_version:4;#endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address;};struct udp_header{ u_int16_t udp_source_port; u_int16_t udp_destination_port; u_int16_t udp_length; u_int16_t udp_checksum;};struct tcp_header{ u_int16_t tcp_source_port; u_int16_t tcp_destination_port; u_int32_t tcp_acknowledgement; u_int32_t tcp_ack; #ifdef WORDS_BIGENDIAN u_int8_t tcp_offset:4,tcp_reserved:4;#else u_int8_t tcp_reserved:4,tcp_offset:4;#endif u_int8_t tcp_flags; u_int16_t tcp_windows; u_int16_t tcp_checksum; u_int16_t tcp_urgent_pointer;};struct icmp_header{ u_int8_t icmp_type; u_int8_t icmp_code; u_int16_t icmp_checksum; u_int16_t icmp_id; u_int16_t icmp_sequence;};void tcp_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct tcp_header *tcp_protocol; u_char flags; int header_length; u_short source_port; u_short destination_port; u_short windows; u_short urgent_pointer; u_int sequence; u_int acknowledgement; u_int16_t checksum; tcp_protocol = (struct tcp_header*)(packet_content+14+20); source_port = ntohs(tcp_protocol->tcp_source_port); destination_port = ntohs(tcp_protocol->tcp_destination_port); header_length = tcp_protocol->tcp_offset*4; sequence = ntohl(tcp_protocol->tcp_acknowledgement); acknowledgement = ntohl(tcp_protocol->tcp_ack); windows = ntohs(tcp_protocol->tcp_windows); urgent_pointer = ntohs(tcp_protocol->tcp_urgent_pointer); flags = tcp_protocol->tcp_flags; checksum = ntohs(tcp_protocol->tcp_checksum); printf("---------------- TCP Protocol (Transport Layer) ------------------\n"); printf("Source Port: %d\n",source_port); printf("Destination Port: %d\n",destination_port); switch(destination_port) { case 80: printf("HTTP protocol\n"); break; case 21: printf("FTP protocol\n"); break; case 23: printf("TELNET protocol\n"); break; case 25: printf("SMTP protocol\n"); break; case 110: printf("POP3 protocol\n"); break; default: break; } printf("Sequence Number:%u\n",sequence); printf("Acknowledgement Number:%u\n",acknowledgement); printf("Header Length:%d\n",header_length); printf("Reserved: %d\n",tcp_protocol->tcp_reserved); printf("Flags: "); if(flags & 0x08) printf("PSH "); if(flags & 0x10) printf("ACK "); if(flags & 0x02) printf("SYN "); if(flags & 0x20) printf("URG "); if(flags & 0x01) printf("FIN "); if(flags & 0x04) printf("RST "); printf("\n"); printf("Windows Size: %d\n",windows); printf("Checksum: %d\n",checksum); printf("Urgent pointer: %d\n",urgent_pointer);}void udp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ struct udp_header *udp_protocol; u_short source_port; u_short destination_port; u_short length; udp_protocol = (struct udp_header *)(packet_content+14+20); source_port = ntohs(udp_protocol->udp_source_port); destination_port = ntohs(udp_protocol->udp_destination_port); length = ntohs(udp_protocol -> udp_length); printf("------------------- UDP Protocol (Transport Layer) ----------------------\n"); printf("Source port: %d\n",source_port); printf("Destination port: %d\n",destination_port); switch(destination_port) { case 138: printf("NETBIOS Datagram Service\n"); break; case 137: printf("NETBIOS Name Service\n"); break; case 139: printf("NETBIOS session service\n"); break; case 53: printf("name-domain service \n"); break; default: break; } printf("Length: %d\n",length); printf("Checksum: %d\n",ntohs(udp_protocol->udp_checksum));}void icmp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content){ struct icmp_header *icmp_protocol; icmp_protocol = (struct icmp_header *)(packet_content + 14 + 20); printf("------------------- ICMP Protocol (Transport Layer) ---------------------\n"); printf("ICMP Type: %d\n",icmp_protocol->icmp_type); switch(icmp_protocol->icmp_type) { case 8: printf("ICMP Echo Request Protocol \n"); printf("ICMP Code: %d\n",icmp_protocol->icmp_code); printf("Identifier: %d\n",icmp_protocol->icmp_id); printf("Sequence Number: %d\n",icmp_protocol->icmp_sequence); break; case 0: printf("ICMP Echo Reply Protocol \n"); printf("ICMP Code: %d\n",icmp_protocol->icmp_code); printf("Identifier: %d\n",icmp_protocol->icmp_id); printf("Sequence Number: %d\n",icmp_protocol->icmp_sequence); break; default: break; } printf("ICMP Checksum: %d\n",ntohs(icmp_protocol->icmp_checksum));}void arp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct arp_header *arp_protocol; u_short protocol_type; u_short hardware_type; u_short operation_code; u_char *mac_string; struct in_addr source_ip_address; struct in_addr destination_ip_address; u_char hardware_length; u_char protocol_length; printf("-------------------- ARP Protocol (Network Layer) --------------------\n"); arp_protocol = (struct arp_header *)(packet_content+14); hardware_type = ntohs(arp_protocol->arp_hardware_type); protocol_type = ntohs(arp_protocol->arp_protocol_type); operation_code = ntohs(arp_protocol->arp_operation_code); hardware_length = arp_protocol->arp_hardware_length; protocol_length = arp_protocol->arp_protocol_length; printf("ARP Hardware Type: %d\n",hardware_type); printf("ARP Protocol Type: %d\n",protocol_type); printf("ARP Hardware Length: %d\n",hardware_length); printf("ARP Protocol Length: %d\n",protocol_length); printf("ARP Operation: %d\n",operation_code); switch(operation_code) { case 1: printf("ARP Request Protocol\n"); break; case 2: printf("ARP Reply Protocol\n"); break; case 3: printf("RARP Request Protocol\n"); break; case 4: printf("RARP Reply Protocol\n"); break; default: break; } printf("Ethernet Source Address is :\n"); mac_string = arp_protocol->arp_source_ethernet_address; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void*)&source_ip_address,(void*)&arp_protocol->arp_source_ip_address,sizeof(struct in_addr)); printf("Source IP Address: %s\n",inet_ntoa(source_ip_address)); printf("Ethernet Destination Address is: \n"); mac_string = arp_protocol->arp_destination_ethernet_address; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void *)&destination_ip_address,(void*)&arp_protocol->arp_destination_ip_address,sizeof(struct in_addr)); printf("Destination IP Address: %s\n",inet_ntoa(destination_ip_address));}void ip_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content){ struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("----------------- IP Protocol (Network Layer) ------------------\n"); printf("IP Version: %d\n",ip_protocol->ip_version); printf("Header length: %d\n",header_length); printf("TOS: %d\n",tos); printf("Total length: %d\n",ntohs(ip_protocol->ip_length)); printf("Identification: %d\n",ntohs(ip_protocol->ip_id)); printf("Offset: %d\n",(offset & 0x1fff) * 8); printf("TTL: %d\n",ip_protocol->ip_ttl); printf("Protocol: %d\n",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP\n"); break; case 17: printf("The Transport Layer Protocol is UDP\n"); break; case 1: printf("The Transport Layer Protocol is ICMP\n"); break; default: break; } printf("Header checksum: %d\n",checksum); printf("Source address: %s\n",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address: %s\n",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 6: tcp_protocol_packet_callback(argument,packet_header,packet_content); break; case 17: udp_protocol_packet_callback(argument,packet_header,packet_content); break; case 1: icmp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; }}void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char* packet_content){ u_short ethernet_type; struct ether_header * ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("\n\n\n\n****************************************************************************************\n"); printf("The %d packet is captured.\n",packet_number); printf("------------------------- Ethernet Protocol (Link Layer) ----------------------------\n"); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is: \n"); ethernet_type = ntohs(ethernet_protocol -> ether_type); printf("%04x\n",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol\n"); break; case 0x0806: printf("The network layer is ARP protocol\n"); break; case 0x8035: printf("The network layer is RARP protocol\n"); break; default: break; } printf("Mac Source Address is : \n"); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: \n"); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0806: arp_protocol_packet_callback(argument,packet_header,packet_content); break; case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("****************************************************************************************\n\n\n\n"); packet_number ++;}int main(){ pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = ""; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0;}
常用函数就那几个,过程基本上一样,原理差不多