参照man packet写的程序抓包错误

LaoLiulaoliu

我看到了两篇文章：
http://blog.chinaunix.net/space. ... =blog&id=142804
http://blog.chinaunix.net/space. ... og&cuid=1895542
这个链接里面都有。
这个程序抓包打印后的结果是错误的，可是我不知道错在哪里了。
程序清单：

1. /*
   
2. *  Low level network programming in Linux using PF_PACKET
   
3. *  Need root privileges
   
4. */
   
5. 
   
6. #include <stdio.h>
   
7. #include <string.h>
   
8. #include <stdlib.h>
   
9. #include <sys/errno.h>
   
10. #include <sys/socket.h>
    
11. #include <sys/ioctl.h>
    
12. #include <netinet/ip.h>
    
13. #include <arpa/inet.h>
    
14. #include <linux/if_arp.h> //#include <linux/if_ether.h> //#include <linux/if_packet.h>
    
15. #include <unistd.h>
    
16. 
    
17. #define RED "\e[31m\e[1m"
    
18. #define GREEN "\E[32m\E[1m"
    
19. #define YELLOW "\E[33m\E[1m"
    
20. #define BLUE "\E[34m\E[1m"  
    
21. #define NORMAL "\e[m"
    
22. 
    
23. int get_nic_index(int fd, const char* nic_name)
    
24. {
    
25.         struct ifreq ifr;
    
26.         if (nic_name == NULL)
    
27.                    return -1;
    
28.         memset(&ifr, 0, sizeof(ifr));
    
29.         strncpy(ifr.ifr_name, nic_name, IFNAMSIZ);
    
30.         if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
    
31.                 perror(GREEN"SIOCGIFINDEX ioctl error"NORMAL);
    
32.                 return -1;
    
33.         }
    
34.         return ifr.ifr_ifindex;
    
35. }
    
36. 
    
37. int set_Iface_promisc(int fd, int dev_id)
    
38. {
    
39.         struct packet_mreq mr;
    
40.         memset(&mr, 0, sizeof(mr));
    
41.         mr.mr_ifindex = dev_id;
    
42.         mr.mr_type = PACKET_MR_PROMISC;
    
43.         if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,&mr,sizeof(mr))==-1) {
    
44.                 return -1;
    
45.         }
    
46.         return 0;
    
47. }
    
48. 
    
49. int set_nic_promisc(int sockfd, const char *nic_name)
    
50. {
    
51.         struct ifreq ethreq;
    
52.         strncpy(ethreq.ifr_name, nic_name, IFNAMSIZ);
    
53.         ioctl(sockfd, SIOCGIFFLAGS, &ethreq);
    
54.         ethreq.ifr_flags |= IFF_PROMISC;
    
55.         ioctl(sockfd, SIOCSIFFLAGS, &ethreq);
    
56.         return 0;
    
57. }
    
58. 
    
59. int main(int argc, char **argv)
    
60. {
    
61.         if (argc != 3) {
    
62.                 printf("usage: ./a.out <nic_name> <packets num to be capture>\n");
    
63.                 exit(1);
    
64.         }
    
65. 
    
66.         int pktfd;
    
67.         int maxpak = 0, ipak = 0;
    
68.         int fromlen;
    
69.         char buffer[BUFSIZ];
    
70.         struct iphdr *iph;
    
71.         struct sockaddr_ll sll;
    
72. 
    
73.         /* Low level socket */
    
74.         pktfd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    
75.         if (pktfd == -1) {
    
76.                 perror(RED"Unable to create low level socket"NORMAL);
    
77.                 return -1;
    
78.         }
    
79. 
    
80.         memset(&sll, 0, sizeof(sll));
    
81.         sll.sll_family = AF_PACKET;
    
82.         sll.sll_protocol = htons(ETH_P_ALL);
    
83.         sll.sll_ifindex = get_nic_index(pktfd, argv[1]);
    
84. 
    
85. 
    
86.         if (bind(pktfd, (struct sockaddr *) &sll, sizeof(sll)) != 0) {
    
87.                 perror(YELLOW"bind error"NORMAL);
    
88.                 goto FAIL;
    
89.         }
    
90.         set_nic_promisc(pktfd, argv[1]);
    
91. 
    
92.         //if (set_Iface_promisc(pktfd, sll.sll_ifindex) == -1) {
    
93.         //        fprintf(stderr, BLUE"set promisc failed! \n"NORMAL);
    
94.         //        goto FAIL;
    
95.         //}
    
96. 
    
97.         maxpak = atoi(argv[2]);
    
98.         while (!maxpak || ipak < maxpak) {
    
99.                 fromlen = recv(pktfd, buffer, BUFSIZ, MSG_TRUNC);
    
100.                 printf("Buffer Length: %d bytes\n", fromlen);
     
101.                 iph = (struct iphdr *) (buffer + sizeof(struct ethhdr));
     
102.                 printf("IP Packet from: %s\n", inet_ntoa(*(struct in_addr*)&iph->saddr));
     
103.                 printf("IP Packet To: %s\n", inet_ntoa(*(struct in_addr*)&iph->daddr));
     
104.                 printf("IP Protocol: %#x\n", iph->protocol);
     
105.                 printf("Buffer Content: %s\n\n", buffer);
     
106.                 ipak++;
     
107.         }
     
108. 
     
109.         return 0;
     
110. 
     
111. FAIL:
     
112.         close(pktfd);
     
113.         return -1;
     
114. }

复制代码

执行：
./a.out ppp0 20
然后我在浏览器里面刷新了bbs.chinaunix.net，得到的结果

1. Buffer Length: 63 bytes
   
2. IP Packet from: 224.19.190.172
   
3. IP Packet To: 1.0.0.1
   
4. IP Protocol: 0x35
   
5. Buffer Content: E
   
6. 
   
7. Buffer Length: 60 bytes
   
8. IP Packet from: 217.211.0.0
   
9. IP Packet To: 0.0.160.2
   
10. IP Protocol: 0x50
    
11. Buffer Content: E
    
12. 
    
13. Buffer Length: 60 bytes
    
14. IP Packet from: 39.63.0.0
    
15. IP Packet To: 0.0.160.2
    
16. IP Protocol: 0x50
    
17. Buffer Content: E
    
18. 
    
19. Buffer Length: 60 bytes
    
20. IP Packet from: 160.179.0.0
    
21. IP Packet To: 0.0.160.2
    
22. IP Protocol: 0x50
    
23. Buffer Content: E
    
24. 
    
25. Buffer Length: 60 bytes
    
26. IP Packet from: 191.177.0.0
    
27. IP Packet To: 0.0.160.2
    
28. IP Protocol: 0x50
    
29. Buffer Content: E
    
30. 
    
31. Buffer Length: 60 bytes
    
32. IP Packet from: 147.66.0.0
    
33. IP Packet To: 0.0.160.2
    
34. IP Protocol: 0x50
    
35. Buffer Content: E
    
36. 
    
37. Buffer Length: 60 bytes
    
38. IP Packet from: 244.107.0.0
    
39. IP Packet To: 0.0.160.2
    
40. IP Protocol: 0x50
    
41. Buffer Content: E
    
42. 
    
43. Buffer Length: 60 bytes
    
44. IP Packet from: 253.128.163.180
    
45. IP Packet To: 1.0.0.1
    
46. IP Protocol: 0x35
    
47. Buffer Content: E
    
48. 
    
49. Buffer Length: 59 bytes
    
50. IP Packet from: 124.104.1.74
    
51. IP Packet To: 1.0.0.1
    
52. IP Protocol: 0x35
    
53. Buffer Content: E
    
54. 
    
55. Buffer Length: 60 bytes
    
56. IP Packet from: 32.199.73.255
    
57. IP Packet To: 1.0.0.1
    
58. IP Protocol: 0x35
    
59. Buffer Content: E
    
60. 
    
61. Buffer Length: 58 bytes
    
62. IP Packet from: 156.212.67.134
    
63. IP Packet To: 1.0.0.1
    
64. IP Protocol: 0x35
    
65. Buffer Content: E
    
66. 
    
67. Buffer Length: 64 bytes
    
68. IP Packet from: 239.186.96.69
    
69. IP Packet To: 1.0.0.1
    
70. IP Protocol: 0x35
    
71. Buffer Content: E
    
72. 
    
73. Buffer Length: 60 bytes
    
74. IP Packet from: 211.222.99.206
    
75. IP Packet To: 1.0.0.1
    
76. IP Protocol: 0x35
    
77. Buffer Content: E
    
78. 
    
79. Buffer Length: 70 bytes
    
80. IP Packet from: 110.242.12.194
    
81. IP Packet To: 1.0.0.1
    
82. IP Protocol: 0x35
    
83. Buffer Content: E
    
84. 
    
85. Buffer Length: 140 bytes
    
86. IP Packet from: 35.7.190.172
    
87. IP Packet To: 129.128.0.1
    
88. IP Protocol: 0x68
    
89. Buffer Content: E
    
90. 
    
91. Buffer Length: 60 bytes
    
92. IP Packet from: 171.44.0.0
    
93. IP Packet To: 0.0.160.2
    
94. IP Protocol: 0x50
    
95. Buffer Content: E
    
96. 
    
97. Buffer Length: 240 bytes
    
98. IP Packet from: 208.24.1.74
    
99. IP Packet To: 129.128.0.1
    
100. IP Protocol: 0x5e
     
101. Buffer Content: E
     
102. 
     
103. Buffer Length: 58 bytes
     
104. IP Packet from: 56.247.84.130
     
105. IP Packet To: 1.0.0.1
     
106. IP Protocol: 0x35
     
107. Buffer Content: E
     
108. 
     
109. Buffer Length: 145 bytes
     
110. IP Packet from: 174.157.73.255
     
111. IP Packet To: 129.128.0.1
     
112. IP Protocol: 0x49
     
113. Buffer Content: E
     
114. 
     
115. Buffer Length: 506 bytes
     
116. IP Packet from: 16.68.67.134
     
117. IP Packet To: 129.128.0.1
     
118. IP Protocol: 0x7b
     
119. Buffer Content: E

复制代码

这个无论从IP地址还是Protocol（6, 17）看来都是明显错误的。希望有牛人可以帮忙看看，因为我读手册（man packet）发现好像貌似没有什么问题。
谢谢了。

csern

抓到非ip包时当做ip包解析了。

如果只想抓IP包的话，创建socket时使用htons(ETH_P_IP)，或者先解析ethhdr的h_proto，为ETH_P_IP时再做进一步解析。

LaoLiulaoliu

回复 2# csern


    我用wireshark听过了相同的过程，就是能多出来几个DNS的报文，其他的都是和chinaunix的通信，所以才断定这个是错误的。
    我家是拨号上网pppoe

LaoLiulaoliu

我又在虚拟机里面测试了一下，居然是正确的，见鬼，谢谢2楼的热情回复，让我又多懂了一点点

LaoLiulaoliu

我怀疑是ppp0和一般的网络接口（如：eth0）的格式不同。但是不知道wireshark是怎么弄的，晚上回家改成ETH_P_IP 试试

LaoLiulaoliu

找到问题了，pppoe拨号的报文在网络层和IP层之间有
PPP-over-Ethernet Session (6 bytes)
Point-to-Point Protocol (2 bytes) Protocol: IP (0x0021)

网络层的Type: PPPoE Session (0x8864)