
平台论坛博客文库

› 论坛 › 程序设计 › C/C++ › 关于用libpcap库取得数据包并进行分类还存在的问题

关于用libpcap库取得数据包并进行分类还存在的问题 [复制链接]

shujunz

白手起家

论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2010-10-28 09:42 |只看该作者 |倒序浏览

本帖最后由 shujunz 于 2010-10-28 09:45 编辑

无聊时写了一个抓包的软件，但是在获取源ip地址和目标ip地址的时候总是显示不出来，大家看看是哪里出了问题：

/*we must run this program in root*/
/*存在的问题:不能读取到ip地址*/
#include<pcap.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
char errbuf[PCAP_ERRBUF_SIZE];
struct ether_header{//Ethernet
u_int8_t ether_dhost[6];
u_int8_t ether_shost[6];
u_int16_t ether_type;
};
typedef u_int32_t in_addr_t;
struct in_addr{
in_addr_t s_addr;
};
/*
-------------------------------------------
A R P
-------------------------------------------
*/
struct arp_header{//Arp
u_int16_t arp_hardware_type;
u_int16_t arp_protocol_type;
u_int8_t arp_hardware_length;
u_int8_t arp_protocol_length;
u_int16_t arp_operation_code;//arp Opcode!
u_int8_t arp_source_ethernet_address[6];
u_int8_t arp_destination_ethernet_address[6];
//u_int16_t arp_source_ip_address[4];
u_int8_t arp_source_ip_address[4];
u_int8_t arp_destination_ip_address[4];
};
void ip_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr *packet_header,const u_char *packet_content);
void arp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr *packet_header,const u_char *packet_content);
void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr *packet_header,const u_char *packet_content);
pcap_t * init_pcap();
void get_packet(pcap_t *pcap_handle);
void close_pcap(pcap_t *pcap_handle);
void ip_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr *packet_header,const u_char *packet_content)
{//IP call_back function
}
void arp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr *packet_header,const u_char *packet_content)
{//ARP call_back function
struct arp_header *arp_protocol;
u_short protocol_type;
u_short hardware_type;
u_short operation_code;
u_char *mac_string;
struct in_addr source_ip_address;
struct in_addr destination_ip_address;
u_char hardware_length;
u_char protocol_length;
printf("---------ARP Protocol(Network Layer)----------\n");
arp_protocol=(struct arp_header *)(packet_content+14);
/*
* 获得ARP协议数据。注意在这里要跳过以太网数据部分，它的长度刚好是14，所以在这里加上14，是指针跳过14个字节
*/
hardware_type=ntohs(arp_protocol->arp_hardware_type);
operation_code=ntohs(arp_protocol->arp_operation_code);
protocol_type=ntohs(arp_protocol->arp_protocol_type);
hardware_length=arp_protocol->arp_hardware_length;
protocol_length=arp_protocol->arp_protocol_length;
printf("ARP Hardware Type:%d\n",hardware_type);
printf("ARP Protocol Type:%d\n",protocol_type);
printf("ARP Hardware Length:%d\n",hardware_length);
printf("ARP Protocol Length:%d\n",protocol_length);
printf("ARP Operation Code:%d\n",operation_code);
//------------------------------------------------
//Judge up layer
switch(operation_code)
{
case 1:
printf("ARP request protocol\n");
break;
case 2:
printf("ARP reply protocol\n");
break;
case 3:
printf("RARP request protocol\n");
break;
case 4:
printf("RARP reply protocol\n");
break;
default :
break;
}
//--------------------------------------
printf("Ethernet source address is:\n");
mac_string=arp_protocol->arp_source_ethernet_address;
printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1),*(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5));
memcpy((void*)&source_ip_address,(void *)arp_protocol->arp_source_ip_address,sizeof(struct in_addr));
printf("Source Ip address is :\n",inet_ntoa(source_ip_address));
printf("Ethernet destination address is:\n");
mac_string=arp_protocol->arp_destination_ethernet_address;
printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1),*(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5));
memcpy((void*)&destination_ip_address,(void *)arp_protocol->arp_destination_ip_address,sizeof(struct in_addr));
printf("Destination Ip address is :\n",inet_ntoa(source_ip_address));
}
void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr *packet_header,const u_char *packet_content)//Ethernet call_back function
{
u_short ethernet_type;//Ethernet type
struct ether_header *ethernet_protocol;//Ethernet protocol variables
u_char *mac_string;//Ethernet address---MAC address
static int packet_num=1;//default packet number!
printf("***********************************************\n");
printf("The %d packet is captured..\n",packet_num);
printf("--------Ethernet protocol (Link Layer)--------\n");
ethernet_protocol=(struct ether_header *)packet_content;
printf("Ethernet type is:");
ethernet_type=ntohs(ethernet_protocol->ether_type);
printf("%04x\n",ethernet_type);
//Judge the up_layer protocol
//coding....
switch(ethernet_type)
{
case 0x0800:
printf("The network layer is IP protocol\n");
ip_protocol_packet_callback(argument,packet_header,packet_content);
break;
case 0x0806:
printf("The network layer is ARP protocol\n");
arp_protocol_packet_callback(argument,packet_header,packet_content);
break;
case 0x08035:
printf("The network layer is RARP protocol\n");
break;
default :
break;
}
printf("Mac Source Address is:\n");
mac_string=ethernet_protocol->ether_shost;
printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1),*(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5));
printf("Mac Destination Address is:\n");
mac_string=ethernet_protocol->ether_dhost;
printf("%02x:%02x:%02x:%02x:%02x:%02x\n",*mac_string,*(mac_string+1),*(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5));
printf("***********************************************\n");
packet_num++;
}
pcap_t * init_pcap()
{
pcap_t *pcap_handle;
char *interface;//
struct bpf_program bpf_filter;
char bpf_filter_string[]="";//设置过滤规则为空,表示捕获所有数据包
// bpf_u_int32 net_mask;
// bpf_u_int32 net_ip;
u_int32_t net_mask;
u_int32_t net_ip;
interface=pcap_lookupdev(errbuf);//get net interface
if(interface==NULL)
{
printf("get net interface error:%s\n",errbuf);
//return 1;
return NULL;
}
if(pcap_lookupnet(interface,&net_ip,&net_mask,errbuf)==-1)//get mask and ip address
{
printf("get mask and ip error:%s\n",errbuf);
// return 2;
return NULL;
}
pcap_handle=pcap_open_live(interface,BUFSIZ,1,0,errbuf);//open the Interface
if(pcap_handle==NULL)
{
printf("open the Inerface:%s\n",pcap_geterr(pcap_handle));
// return 3;
return NULL;
}
if(pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip)==-1)//Compile the filtering rules
{
printf("Compile the filtering rules:%s\n",pcap_geterr(pcap_handle));
// return 4;
return NULL;
}
if(pcap_setfilter(pcap_handle,&bpf_filter)==-1)//set filter rules!
{
printf("set filter rules:%s\n",pcap_geterr(pcap_handle));
// return 5;
return NULL;
}
return pcap_handle;
}
void get_packet(pcap_t *pcap_handle)
{
if(pcap_datalink(pcap_handle)!=DLT_EN10MB)//Judge the packet is not Ethernet packet
{
return;
}
if(pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL)!=0)
{
printf("get packet error:%s\n",pcap_geterr(pcap_handle));
}
}
void close_pcap(pcap_t *pcap_handle)
{
pcap_close(pcap_handle);
}
int main()
{
pcap_t *pcap_handle;
pcap_handle=init_pcap();
if(pcap_handle==NULL)
{
return 1;
}
get_packet(pcap_handle);
close_pcap(pcap_handle);
return 0;
}

复制代码

原来是写到几个c文件中的为了方便我把他们整合到一个文件中了

ip不显示, PCAP, 抓包

文库|博客

shujunz

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2010-10-28 09:50 |只看该作者

这是编译和运行的结果由于抓的包比较多我就选了几个

% gcc get_packet.c -lpcap
% ./a.out
get net interface error:no suitable device found
% sudo ./a.out
The 33 packet is captured..
--------Ethernet protocol (Link Layer)--------
Ethernet type is:0806
The network layer is ARP protocol
---------ARP Protocol(Network Layer)----------
ARP Hardware Type:1
ARP Protocol Type:2048
ARP Hardware Length:6
ARP Protocol Length:4
ARP Operation Code:1
ARP request protocol
Ethernet source address is:
00:1a:4d:96:81:da
Source Ip address is :
Ethernet destination address is:
ac:10:12:4e:00:00
Destination Ip address is :
Mac Source Address is:
00:1a:4d:96:81:da
Mac Destination Address is:
ff:ff:ff:ff:ff:ff
***********************************************
***********************************************
The 34 packet is captured..
--------Ethernet protocol (Link Layer)--------
Ethernet type is:0806
The network layer is ARP protocol
---------ARP Protocol(Network Layer)----------
ARP Hardware Type:1
ARP Protocol Type:2048
ARP Hardware Length:6
ARP Protocol Length:4
ARP Operation Code:1
ARP request protocol
Ethernet source address is:
00:1a:4d:96:81:da
Source Ip address is :
Ethernet destination address is:
ac:10:12:4e:00:00
Destination Ip address is :
Mac Source Address is:
00:1a:4d:96:81:da
Mac Destination Address is:
ff:ff:ff:ff:ff:ff
***********************************************
***********************************************
The 35 packet is captured..
--------Ethernet protocol (Link Layer)--------
Ethernet type is:0800
The network layer is IP protocol
Mac Source Address is:
40:61:86:fe:ff:3f
Mac Destination Address is:
00:19:66:4c:02:08
***********************************************
***********************************************
The 36 packet is captured..
--------Ethernet protocol (Link Layer)--------
Ethernet type is:0800
The network layer is IP protocol
Mac Source Address is:
00:19:66:4c:02:08
Mac Destination Address is:
40:61:86:fe:ff:3f
***********************************************

复制代码

另外代码只写到分析ARP ，IP以及其上层协议的都还没有写，因为发现问题就不得不停下来大家帮忙看看

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

linuxlixk

小富即安

论坛徽章:: 0

3楼 [报告]

发表于 2010-10-28 10:56 |只看该作者

106#       memcpy((void*)&source_ip_address,(void *)arp_protocol->arp_source_ip_address,sizeof(struct in_addr));
   #
   #       ~~printf("Source Ip address is :\n",inet_ntoa(source_ip_address));~~
   #

printf("Source Ip address is :%s\n",inet_ntoa(source_ip_address));

注意inet_ntoa这个函数返回结果存储的位置 .

linuxlixk

小富即安

论坛徽章:: 0

4楼 [报告]

发表于 2010-10-28 10:57 |只看该作者

113# memcpy((void*)&destination_ip_address,(void *)arp_protocol->arp_destination_ip_address,sizeof(struct in_addr));
# ~~printf("Destination Ip address is :\n",inet_ntoa(source_ip_address));~~

自己认真的看