libpcap是开源库,主要完成数据包捕获功能
下面是自己的测试例子:
原理展示测试:
#include <pcap.h> #define BUFSIZE 1024 int main() { char error_content[PCAP_ERRBUF_SIZE]; struct pcap_pkthdr protocol_header; pcap_t *pcap_handle; struct bpf_program bpf_filter; char bpf_filter_string[] = ""; const u_char *packet_content; bpf_u_int32 net_mask; bpf_u_int32 net_ip; char *net_interface; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZE,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); packet_content = pcap_next(pcap_handle,&protocol_header); printf("The capture data is: %s ",packet_content); printf("Capture a packet from : %s ",net_interface); printf("The packet length is : %d ",protocol_header.len); pcap_close(pcap_handle); return 0; }
#include <pcap.h> #include <arpa/inet.h> typedef u_int32_t in_addr_t; /* struct in_addr { in_addr_t s_addr; }; */ int main() { char error_content[PCAP_ERRBUF_SIZE]; struct in_addr net_ip_address; struct in_addr net_mask_address; char *net_interface; char *net_ip_string; char *net_mask_string; u_int32_t net_ip; u_int32_t net_mask; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); printf("Network Interface is:%s ",net_interface); net_ip_address.s_addr = net_ip; net_ip_string = inet_ntoa(net_ip_address); printf("Network IP Address is : %s ",net_ip_string); net_mask_address.s_addr = net_mask; net_mask_string = inet_ntoa(net_mask_address); printf("Network Mask Address is: %s ",net_mask_string); return 0; }
#include "pcap.h" void packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { static int packet_number = 1; printf("The %d packet is captured. ",packet_number); printf("%s ",argument); packet_number ++; } int main() { pcap_t * pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); pcap_loop(pcap_handle,10,packet_callback,"This is argument!heihei!"); pcap_close(pcap_handle); return 0; }
以太网的捕获:
#include <pcap.h> #include <time.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; int main() { char error_content[PCAP_ERRBUF_SIZE]; pcap_t *pcap_handle; const u_char *packet_content; u_char *mac_string; u_short ethernet_type; bpf_u_int32 net_mask; bpf_u_int32 net_ip; char *net_interface; struct pcap_pkthdr protocol_header; struct ether_header *ethernet_protocol; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle, &bpf_filter, bpf_filter_string, 0, net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return ; packet_content = pcap_next(pcap_handle,&protocol_header); printf("--------------------*****------------------ "); printf("Capture a Packet from net_interface: "); printf(">>> %s ",net_interface); printf("Capture Time is: "); // printf(">>> %s ",ctime((const time_t *)&protocol_header.ts.tv_sec)); printf(">>> %s ",ctime((const time_t*)(&protocol_header.ts.tv_sec))); printf("Packet Length is: "); printf(">>> %d ",protocol_header.len); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is : "); ethernet_type = ntohs(ethernet_protocol->ether_type); printf(">>> %04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is : "); mac_string = ethernet_protocol->ether_shost; printf(">>> %02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is : "); mac_string = ethernet_protocol->ether_dhost; printf(">>> %02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3),*(mac_string+4),*(mac_string+5)); printf("------------------------*****-------------------------- "); pcap_close(pcap_handle); return 0; }
#include <pcap.h> #include <time.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr* packet_header,const u_char *packet_content) { u_short ethernet_type; struct ether_header * ethernet_protocol; u_char *mac_string; char *net_interface = (char *)argument; printf("---------------------*****---------------------- "); printf("Capture a Packet from net_interface: "); printf(">>> %s ",net_interface); printf("Capture Time is: "); printf(">>> %s ",ctime((const time_t*)&packet_header->ts.tv_sec)); printf("Packet length is: "); printf(">>> %d ",packet_header->len); ethernet_protocol = (struct ether_header*)packet_content; printf("Ethernet type is : "); ethernet_type = ntohs(ethernet_protocol->ether_type); printf(">>> %04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is : "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is : "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("---------------------*****---------------------- "); } int main() { char error_content[PCAP_ERRBUF_SIZE]; pcap_t *pcap_handle; const u_char *packet_content; bpf_u_int32 net_mask; bpf_u_int32 net_ip; u_char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,net_interface); pcap_close(pcap_handle); return 0; }
arp数据包捕获:
#include <pcap.h> #include <time.h> #include <string.h> #include <arpa/inet.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; typedef u_int32_t in_addr_t; /* struct in_addr { in_addr_t s_addr; };*/ struct arp_header { u_int16_t arp_hardware_type; u_int16_t arp_protocol_type; u_int8_t arp_hardware_length; u_int8_t arp_protocol_length; u_int16_t arp_operation_code; u_int8_t arp_source_ethernet_address[6]; u_int8_t arp_source_ip_address[4]; u_int8_t arp_destination_ethernet_address[6]; u_int8_t arp_destination_ip_address[4]; }; void arp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr* packet_header,const u_char *packet_content) { struct arp_header *arp_protocol; u_short protocol_type; u_short hardware_type; u_short operation_code; u_char *mac_string; struct in_addr source_ip_address; struct in_addr destination_ip_address; u_char hardware_length; u_char protocol_length; printf("-------ARP Protocol (Netwrok Layer) ------- "); arp_protocol = (struct arp_header *)(packet_content+14); hardware_type = ntohs(arp_protocol->arp_hardware_type); protocol_type = ntohs(arp_protocol->arp_protocol_type); operation_code = ntohs(arp_protocol->arp_operation_code); hardware_length = arp_protocol->arp_hardware_length; protocol_length = arp_protocol->arp_protocol_length; printf("ARP Hardware Type: %d ",hardware_type); printf("ARP Protocol Type: %d ",protocol_type); printf("ARP Hardware Length:%d ",hardware_length); printf("ARP Protocol Length:%d ",protocol_length); printf("ARP Operation: %d ",operation_code); switch(operation_code) { case 1: printf("ARP Request Protocol "); break; case 2: printf("ARP Reply Protocol "); break; case 3: printf("RARP Request Protocol "); break; case 4: printf("RARP Reply Protocol "); break; default: break; } printf("Ethernet Source Address is : "); mac_string = arp_protocol->arp_source_ethernet_address;; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void*)&source_ip_address,(void*)&arp_protocol->arp_source_ip_address,sizeof(struct in_addr)); printf("Source IP Address:%s ",inet_ntoa(source_ip_address)); printf("Ethernet Destination Address is : "); mac_string = arp_protocol->arp_destination_ethernet_address; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void*)&destination_ip_address,(void *) &arp_protocol->arp_destination_ip_address, sizeof(struct in_addr)); printf("Destination IP Address: %s ", inet_ntoa(destination_ip_address)); } void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("************************************************** "); printf("The %d ARP packet is captured. ",packet_number); printf("-------- Ethernet Protocol (Link Layer) -------- "); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is: "); ethernet_type = ntohs(ethernet_protocol -> ether_type); printf("%04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is : "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0806: arp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("**************************************************** "); packet_number ++; } int main() { pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "arp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface, &net_ip, &net_mask, error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return ; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0; }
Ip数据包捕获:
#include "pcap.h" #include <arpa/inet.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; /* typedef u_int32_t in_addr_t; struct in_addr { in_addr_t s_addr; }; */ struct ip_header { #ifdef WORDS_BIGENDIAN u_int8_t ip_version:4,ip_header_length:4; #else u_int8_t ip_header_length:4,ip_version:4; #endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address; }; void ip_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length * 4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("---------------IP Protocol (Network Layer) --------------- "); printf("IP Version:%d ",ip_protocol->ip_version); printf("Header length:%d ",header_length); printf("TOS: %d ",tos); printf("Total length: %d ",ntohs(ip_protocol->ip_length)); printf("Identification:%d ",ntohs(ip_protocol->ip_id)); printf("Offset:%d ",(offset & 0x1fff)*8); printf("TTL:%d ",ip_protocol->ip_ttl); printf("Protocol:%d ",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP "); break; case 17: printf("The Transport Layer Protocol is UDP "); break; case 1: printf("The Transport Layer Protocol is ICMP "); default: break; } printf("Header checksum:%d ",checksum); printf("Source address:%s ",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s ",inet_ntoa(ip_protocol->ip_destination_address)); } void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("********************************************************************** "); printf("The %d IP packet is captured. ",packet_number); printf("------------------ Ethernet Protocol (Link Layer) -------------------- "); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is: "); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is: "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("************************************************************************* "); packet_number ++; } int main() { pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "ip"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0 ; }
ICMP数据包(ping格式)捕获:
#include<pcap.h> #include<arpa/inet.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; struct ip_header { #if defined(WORDS_BIGENDIAN) u_int8_t ip_version:4,ip_header_length:4; #else u_int8_t ip_header_length:4,ip_version:4; #endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address; }; struct icmp_header { u_int8_t icmp_type; u_int8_t icmp_code; u_int16_t icmp_checksum; u_int16_t icmp_id; u_int16_t icmp_sequence; }; void icmp_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { struct icmp_header *icmp_protocol; icmp_protocol = (struct icmp_header*)(packet_content+14+20); printf("---------------- ICMP Protocol (Transport Layer) ------------------ "); printf("ICMP Type:%d ",icmp_protocol->icmp_type); switch(icmp_protocol->icmp_type) { case 8: printf("ICMP Echo Request Protocol "); printf("ICMP Code:%d ",icmp_protocol->icmp_code); printf("Identifier:%d ",icmp_protocol->icmp_id); printf("Sequence Number:%d ",icmp_protocol->icmp_sequence); break; case 0: printf("ICMP Echo Reply Protocol "); printf("ICMP Code:%d ",icmp_protocol->icmp_code); printf("Identifier:%d ",icmp_protocol->icmp_id); printf("Sequence Number:%d ",icmp_protocol->icmp_sequence); break; default: break; } printf("ICMP Checksum:%d ",ntohs(icmp_protocol->icmp_checksum)); } void ip_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; printf("---------------------- IP Protocol (Network Layer) --------------------- "); ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("IP Version:%d ",ip_protocol->ip_version); printf("Header length:%d ",header_length); printf("TOS:%d ",tos); printf("Total length:%d ",ntohs(ip_protocol->ip_length)); printf("Identification:%d ",ntohs(ip_protocol->ip_id)); printf("Offset:%d ",(offset & 0x1fff) * 8); printf("TTL:%d ",ip_protocol->ip_ttl); printf("Protocol:%d ",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP "); break; case 17: printf("The Transport Layer Protocol is UDP "); break; case 1: printf("The Transport Layer Protocol is ICMP "); break; default: break; } printf("Header checksum:%d ",checksum); printf("Source address:%s ",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s ",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 1: icmp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } } void ethernet_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("****************************************************************************** "); printf("The %d ICMP packet is captured. ",packet_number); printf("------------------- Ethernet Protocol (Link Layer) ----------------------- "); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is: "); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is: "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("****************************************************************************** "); packet_number ++; } int main() { pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "icmp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0; }
udp数据包捕获:
#include<pcap.h> #include<arpa/inet.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; struct ip_header { #if defined(WORDS_BIGENDIAN) u_int8_t ip_version:4,ip_header_length:4; #else u_int8_t ip_header_length:4,ip_version:4; #endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address; }; struct udp_header { u_int16_t udp_source_port; u_int16_t udp_destination_port; u_int16_t udp_length; u_int16_t udp_checksum; }; void udp_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct udp_header * udp_protocol; u_short source_port; u_short destination_port; u_short length; udp_protocol = (struct udp_header*)(packet_content+14+20); source_port = ntohs(udp_protocol->udp_source_port); destination_port = ntohs(udp_protocol->udp_destination_port); length = ntohs(udp_protocol->udp_length); printf("------------------------ UDP Protocol (Transprot Layer) ------------------ "); printf("Source port:%d ",source_port); printf("Destination port:%d ",destination_port); switch(destination_port) { case 138: printf("NETBIOS Datagram Service "); break; case 137: printf("NETBIOS Name Service "); break; case 139: printf("NETBIOS session service "); break; case 53: printf("name-domain service "); break; default: break; } printf("Length:%d ",length); printf("Checksum:%d ",ntohs(udp_protocol->udp_checksum)); } void ip_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; printf("---------------------- IP Protocol (Network Layer) --------------------- "); ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("IP Version:%d ",ip_protocol->ip_version); printf("Header length:%d ",header_length); printf("TOS:%d ",tos); printf("Total length:%d ",ntohs(ip_protocol->ip_length)); printf("Identification:%d ",ntohs(ip_protocol->ip_id)); printf("Offset:%d ",(offset & 0x1fff) * 8); printf("TTL:%d ",ip_protocol->ip_ttl); printf("Protocol:%d ",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP "); break; case 17: printf("The Transport Layer Protocol is UDP "); break; case 1: printf("The Transport Layer Protocol is ICMP "); break; default: break; } printf("Header checksum:%d ",checksum); printf("Source address:%s ",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s ",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 17: udp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } } void ethernet_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { u_short ethernet_type; struct ether_header *ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf("****************************************************************************** "); printf("The %d UDP packet is captured. ",packet_number); printf("------------------- Ethernet Protocol (Link Layer) ----------------------- "); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is: "); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is: "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("****************************************************************************** "); packet_number ++; } int main() { pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "udp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0; }
tcp数据包捕获:
#include <pcap.h> #include<arpa/inet.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; struct ip_header { #ifdef WORDS_BIGENDIAN u_int8_t ip_version:4,ip_header_length:4; #else u_int8_t ip_header_length:4,ip_version:4; #endif u_int8_t ip_tos_shuaifaliu; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address; }; struct tcp_header { u_int16_t tcp_source_port; u_int16_t tcp_destination_port; u_int32_t tcp_acknowledgement; u_int32_t tcp_ack; #ifdef WORDS_BIGENDIAN u_int8_t tcp_offset:4,tcp_reserved:4; #else u_int8_t tcp_reserved:4,tcp_offset:4; #endif u_int8_t tcp_flags; u_int16_t tcp_windows; u_int16_t tcp_checksum; u_int16_t tcp_urgent_pointer; }; void tcp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { struct tcp_header *tcp_protocol; u_char flags; int header_length; u_short source_port; u_short destination_port; u_short windows; u_short urgent_pointer; u_int sequence; u_int acknowledgement; u_int16_t checksum; tcp_protocol = (struct tcp_header*)(packet_content+14+20); source_port = ntohs(tcp_protocol->tcp_source_port); destination_port = ntohs(tcp_protocol->tcp_destination_port); header_length = tcp_protocol->tcp_offset * 4; sequence = ntohl(tcp_protocol->tcp_acknowledgement); acknowledgement = ntohl(tcp_protocol->tcp_ack); windows = ntohl(tcp_protocol->tcp_windows); urgent_pointer = ntohs(tcp_protocol->tcp_urgent_pointer); flags = tcp_protocol->tcp_flags; checksum = ntohs(tcp_protocol->tcp_checksum); printf("---------------------- TCP Protocol (Transport Layer) ------------------ "); printf("Source Port:%d ",source_port); printf("Destination Port:%d ",destination_port); switch(destination_port) { case 80: printf("HTTP protocol "); break; case 21: printf("FTP protocol "); break; case 23: printf("TELNET protocol "); break; case 25: printf("SMTP protocol "); break; case 110: printf("POP3 protocol "); break; default: break; } printf("Sequence Number:%u ",sequence); printf("Acknowledgement Number:%u ",acknowledgement); printf("Header Length:%d ",header_length); printf("Reserved:%d ",tcp_protocol->tcp_reserved); printf("Flags:"); if(flags & 0x08) printf("PSH "); if(flags & 0x10) printf("ACK "); if(flags & 0x02) printf("SYN "); if(flags & 0x20) printf("URG "); if(flags & 0x01) printf("FIN "); if(flags & 0x04) printf("RST "); printf(" "); printf("Windows Size:%d ",windows); printf("Checksum:%d ",checksum); printf("Urgent pointer:%d ",urgent_pointer); } void ip_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; printf("--------------- IP Protocol (Nework Layer) ---------------- "); ip_protocol = (struct ip_header*)(packet_content +14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos_shuaifaliu; offset = ntohs(ip_protocol->ip_off); printf("IP Version: %d ",ip_protocol->ip_version); printf("Header length:%d ",header_length); printf("TOS:%d ",tos); printf("Total length:%d ",ntohs(ip_protocol->ip_length)); printf("Identification:%d ",ntohs(ip_protocol->ip_id)); printf("Offset:%d ",(offset & 0x1fff) * 8); printf("TTL:%d ",ip_protocol->ip_ttl); printf("Protocol: %d ",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP "); break; case 17: printf("The Transport Layer Protocol is UDP "); break; case 1: printf("The Transport Layer Protocol is ICMP "); break; default: break; } printf("Header checksum:%d ",checksum); printf("Source address:%s ",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address:%s ",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 6: tcp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } } void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { u_short ethernet_type; struct ether_header *ethernet_protocol; u_char * mac_string; static int packet_number = 1; printf("*************************************************************** "); printf("The %d TCP packet is captured. ",packet_number); printf("----------- Ethernet Protocol (Link Layer) ------------------ "); ethernet_protocol = (struct ether_header*)packet_content; printf("Ethernet type is: "); ethernet_type = ntohs(ethernet_protocol->ether_type); printf("%04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The newwork layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is: "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("*********************************************************************************** "); packet_number ++; } int main() { pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = "tcp"; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0; }
一个简单的捕获程序:(icmp,tcp,udp,ip,arp)
#include <pcap.h> #include <arpa/inet.h> #include <string.h> struct ether_header { u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; }; struct arp_header { u_int16_t arp_hardware_type; u_int16_t arp_protocol_type; u_int8_t arp_hardware_length; u_int8_t arp_protocol_length; u_int16_t arp_operation_code; u_int8_t arp_source_ethernet_address[6]; u_int8_t arp_source_ip_address[4]; u_int8_t arp_destination_ethernet_address[6]; u_int8_t arp_destination_ip_address[4]; }; struct ip_header { #if defined(WORDS_BIGENDIAN) u_int8_t ip_version:4,ip_header_length:4; #else u_int8_t ip_header_length:4,ip_version:4; #endif u_int8_t ip_tos; u_int16_t ip_length; u_int16_t ip_id; u_int16_t ip_off; u_int8_t ip_ttl; u_int8_t ip_protocol; u_int16_t ip_checksum; struct in_addr ip_source_address; struct in_addr ip_destination_address; }; struct udp_header { u_int16_t udp_source_port; u_int16_t udp_destination_port; u_int16_t udp_length; u_int16_t udp_checksum; }; struct tcp_header { u_int16_t tcp_source_port; u_int16_t tcp_destination_port; u_int32_t tcp_acknowledgement; u_int32_t tcp_ack; #ifdef WORDS_BIGENDIAN u_int8_t tcp_offset:4,tcp_reserved:4; #else u_int8_t tcp_reserved:4,tcp_offset:4; #endif u_int8_t tcp_flags; u_int16_t tcp_windows; u_int16_t tcp_checksum; u_int16_t tcp_urgent_pointer; }; struct icmp_header { u_int8_t icmp_type; u_int8_t icmp_code; u_int16_t icmp_checksum; u_int16_t icmp_id; u_int16_t icmp_sequence; }; void tcp_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct tcp_header *tcp_protocol; u_char flags; int header_length; u_short source_port; u_short destination_port; u_short windows; u_short urgent_pointer; u_int sequence; u_int acknowledgement; u_int16_t checksum; tcp_protocol = (struct tcp_header*)(packet_content+14+20); source_port = ntohs(tcp_protocol->tcp_source_port); destination_port = ntohs(tcp_protocol->tcp_destination_port); header_length = tcp_protocol->tcp_offset*4; sequence = ntohl(tcp_protocol->tcp_acknowledgement); acknowledgement = ntohl(tcp_protocol->tcp_ack); windows = ntohs(tcp_protocol->tcp_windows); urgent_pointer = ntohs(tcp_protocol->tcp_urgent_pointer); flags = tcp_protocol->tcp_flags; checksum = ntohs(tcp_protocol->tcp_checksum); printf("---------------- TCP Protocol (Transport Layer) ------------------ "); printf("Source Port: %d ",source_port); printf("Destination Port: %d ",destination_port); switch(destination_port) { case 80: printf("HTTP protocol "); break; case 21: printf("FTP protocol "); break; case 23: printf("TELNET protocol "); break; case 25: printf("SMTP protocol "); break; case 110: printf("POP3 protocol "); break; default: break; } printf("Sequence Number:%u ",sequence); printf("Acknowledgement Number:%u ",acknowledgement); printf("Header Length:%d ",header_length); printf("Reserved: %d ",tcp_protocol->tcp_reserved); printf("Flags: "); if(flags & 0x08) printf("PSH "); if(flags & 0x10) printf("ACK "); if(flags & 0x02) printf("SYN "); if(flags & 0x20) printf("URG "); if(flags & 0x01) printf("FIN "); if(flags & 0x04) printf("RST "); printf(" "); printf("Windows Size: %d ",windows); printf("Checksum: %d ",checksum); printf("Urgent pointer: %d ",urgent_pointer); } void udp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { struct udp_header *udp_protocol; u_short source_port; u_short destination_port; u_short length; udp_protocol = (struct udp_header *)(packet_content+14+20); source_port = ntohs(udp_protocol->udp_source_port); destination_port = ntohs(udp_protocol->udp_destination_port); length = ntohs(udp_protocol -> udp_length); printf("------------------- UDP Protocol (Transport Layer) ---------------------- "); printf("Source port: %d ",source_port); printf("Destination port: %d ",destination_port); switch(destination_port) { case 138: printf("NETBIOS Datagram Service "); break; case 137: printf("NETBIOS Name Service "); break; case 139: printf("NETBIOS session service "); break; case 53: printf("name-domain service "); break; default: break; } printf("Length: %d ",length); printf("Checksum: %d ",ntohs(udp_protocol->udp_checksum)); } void icmp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char *packet_content) { struct icmp_header *icmp_protocol; icmp_protocol = (struct icmp_header *)(packet_content + 14 + 20); printf("------------------- ICMP Protocol (Transport Layer) --------------------- "); printf("ICMP Type: %d ",icmp_protocol->icmp_type); switch(icmp_protocol->icmp_type) { case 8: printf("ICMP Echo Request Protocol "); printf("ICMP Code: %d ",icmp_protocol->icmp_code); printf("Identifier: %d ",icmp_protocol->icmp_id); printf("Sequence Number: %d ",icmp_protocol->icmp_sequence); break; case 0: printf("ICMP Echo Reply Protocol "); printf("ICMP Code: %d ",icmp_protocol->icmp_code); printf("Identifier: %d ",icmp_protocol->icmp_id); printf("Sequence Number: %d ",icmp_protocol->icmp_sequence); break; default: break; } printf("ICMP Checksum: %d ",ntohs(icmp_protocol->icmp_checksum)); } void arp_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct arp_header *arp_protocol; u_short protocol_type; u_short hardware_type; u_short operation_code; u_char *mac_string; struct in_addr source_ip_address; struct in_addr destination_ip_address; u_char hardware_length; u_char protocol_length; printf("-------------------- ARP Protocol (Network Layer) -------------------- "); arp_protocol = (struct arp_header *)(packet_content+14); hardware_type = ntohs(arp_protocol->arp_hardware_type); protocol_type = ntohs(arp_protocol->arp_protocol_type); operation_code = ntohs(arp_protocol->arp_operation_code); hardware_length = arp_protocol->arp_hardware_length; protocol_length = arp_protocol->arp_protocol_length; printf("ARP Hardware Type: %d ",hardware_type); printf("ARP Protocol Type: %d ",protocol_type); printf("ARP Hardware Length: %d ",hardware_length); printf("ARP Protocol Length: %d ",protocol_length); printf("ARP Operation: %d ",operation_code); switch(operation_code) { case 1: printf("ARP Request Protocol "); break; case 2: printf("ARP Reply Protocol "); break; case 3: printf("RARP Request Protocol "); break; case 4: printf("RARP Reply Protocol "); break; default: break; } printf("Ethernet Source Address is : "); mac_string = arp_protocol->arp_source_ethernet_address; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void*)&source_ip_address,(void*)&arp_protocol->arp_source_ip_address,sizeof(struct in_addr)); printf("Source IP Address: %s ",inet_ntoa(source_ip_address)); printf("Ethernet Destination Address is: "); mac_string = arp_protocol->arp_destination_ethernet_address; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); memcpy((void *)&destination_ip_address,(void*)&arp_protocol->arp_destination_ip_address,sizeof(struct in_addr)); printf("Destination IP Address: %s ",inet_ntoa(destination_ip_address)); } void ip_protocol_packet_callback(u_char*argument,const struct pcap_pkthdr*packet_header,const u_char*packet_content) { struct ip_header *ip_protocol; u_int header_length; u_int offset; u_char tos; u_int16_t checksum; ip_protocol = (struct ip_header*)(packet_content+14); checksum = ntohs(ip_protocol->ip_checksum); header_length = ip_protocol->ip_header_length*4; tos = ip_protocol->ip_tos; offset = ntohs(ip_protocol->ip_off); printf("----------------- IP Protocol (Network Layer) ------------------ "); printf("IP Version: %d ",ip_protocol->ip_version); printf("Header length: %d ",header_length); printf("TOS: %d ",tos); printf("Total length: %d ",ntohs(ip_protocol->ip_length)); printf("Identification: %d ",ntohs(ip_protocol->ip_id)); printf("Offset: %d ",(offset & 0x1fff) * 8); printf("TTL: %d ",ip_protocol->ip_ttl); printf("Protocol: %d ",ip_protocol->ip_protocol); switch(ip_protocol->ip_protocol) { case 6: printf("The Transport Layer Protocol is TCP "); break; case 17: printf("The Transport Layer Protocol is UDP "); break; case 1: printf("The Transport Layer Protocol is ICMP "); break; default: break; } printf("Header checksum: %d ",checksum); printf("Source address: %s ",inet_ntoa(ip_protocol->ip_source_address)); printf("Destination address: %s ",inet_ntoa(ip_protocol->ip_destination_address)); switch(ip_protocol->ip_protocol) { case 6: tcp_protocol_packet_callback(argument,packet_header,packet_content); break; case 17: udp_protocol_packet_callback(argument,packet_header,packet_content); break; case 1: icmp_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } } void ethernet_protocol_packet_callback(u_char *argument,const struct pcap_pkthdr*packet_header,const u_char* packet_content) { u_short ethernet_type; struct ether_header * ethernet_protocol; u_char *mac_string; static int packet_number = 1; printf(" **************************************************************************************** "); printf("The %d packet is captured. ",packet_number); printf("------------------------- Ethernet Protocol (Link Layer) ---------------------------- "); ethernet_protocol = (struct ether_header *)packet_content; printf("Ethernet type is: "); ethernet_type = ntohs(ethernet_protocol -> ether_type); printf("%04x ",ethernet_type); switch(ethernet_type) { case 0x0800: printf("The network layer is IP protocol "); break; case 0x0806: printf("The network layer is ARP protocol "); break; case 0x8035: printf("The network layer is RARP protocol "); break; default: break; } printf("Mac Source Address is : "); mac_string = ethernet_protocol->ether_shost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); printf("Mac Destination Address is: "); mac_string = ethernet_protocol->ether_dhost; printf("%02x:%02x:%02x:%02x:%02x:%02x ",*mac_string,*(mac_string+1), *(mac_string+2),*(mac_string+3), *(mac_string+4),*(mac_string+5)); switch(ethernet_type) { case 0x0806: arp_protocol_packet_callback(argument,packet_header,packet_content); break; case 0x0800: ip_protocol_packet_callback(argument,packet_header,packet_content); break; default: break; } printf("**************************************************************************************** "); packet_number ++; } int main() { pcap_t *pcap_handle; char error_content[PCAP_ERRBUF_SIZE]; char *net_interface; struct bpf_program bpf_filter; char bpf_filter_string[] = ""; bpf_u_int32 net_mask; bpf_u_int32 net_ip; net_interface = pcap_lookupdev(error_content); pcap_lookupnet(net_interface,&net_ip,&net_mask,error_content); pcap_handle = pcap_open_live(net_interface,BUFSIZ,1,0,error_content); pcap_compile(pcap_handle,&bpf_filter,bpf_filter_string,0,net_ip); pcap_setfilter(pcap_handle,&bpf_filter); if(pcap_datalink(pcap_handle) != DLT_EN10MB) return -1; pcap_loop(pcap_handle,-1,ethernet_protocol_packet_callback,NULL); pcap_close(pcap_handle); return 0; }
常用函数就那几个,过程基本上一样,原理差不多