- 论坛徽章:
- 1
|
我在 NF_ARP_FORWARD点上注册hook函数抓arp的数据包打印出来,结果打印出来的数据不对。
请看arp结构体在内核中的定义:
struct arphdr
{
__be16 ar_hrd; /* format of hardware address */
__be16 ar_pro; /* format of protocol address */
unsigned char ar_hln; /* length of hardware address */
unsigned char ar_pln; /* length of protocol address */
__be16 ar_op; /* ARP opcode (command) */
#if 0
unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */
unsigned char ar_sip[4]; /* sender IP address */
unsigned char ar_tha[ETH_ALEN]; /* target hardware address */
unsigned char ar_tip[4]; /* target IP address */
#endif
};
在我注册的hook函数中,arp结构体中的ar_hrd,ar_pro,ar_hln,ar_pln,ar_op这几个成员的值能正确打印出来,但是源ip mac打印出来就不对了。
我不太清楚为什么内核里面arphdr结构体定义中把源/目的ip和mac的成员给注释掉了。
那注释掉了的话怎么来获取ip和mac的值啊。
下面是我hook函数的代码。里面使用的arp结构体是按照内核中定义的结构体自己定义的和内核中的arphdr的区别就是我自己定义的myarphdr把内核中注释掉的源目的ip mac放开了。
int arp_init()
{
arp_ops.hook = arphook_detect;
arp_ops.pf = NFPROTO_ARP;
arp_ops.hooknum = NF_ARP_FORWARD;
arp_ops.priority = NF_IP_PRI_FIRST;
ret = nf_register_hook(&arp_ops);
}
unsigned int arphook_detect(unsigned int hooknum,
struct sk_buff *__skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct ethhdr *ethhdr;
struct myarphdr *arphdr;
unsigned char *arpdat;
arpdat = (unsigned char *)__skb->data;
ethhdr = eth_hdr(__skb);
arphdr = (struct myarphdr *) arpdat;
printk("src ip is 0x%x,src mac is 0x%x,hd type=0x%x,proto type = 0x%x,hd size = 0x%x,proto size =0x%x,arp_op = 0x%x\n",
ntohl(arphdr->ar_sha),ntohl(arphdr->ar_sip),ntohs(arphdr->ar_hrd), ntohs(arphdr->ar_pro),
arphdr->ar_hln,arphdr->ar_pln,ntohs(arphdr->ar_op));
}
哪位大神能给解释一下吗? |
|
免费注册
发表于 2015-02-10 10:49