1

我有以下用于分析端口 80 上的数据的 C 代码:

#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <event.h>


void callback(u_char *useless,const struct pcap_pkthdr* header,const u_char* packet){
    //How do I look inside the packet and the header????
    static int count = 1;
    fprintf(stdout,"%d, ",count);
    fflush(stdout);
    count++;
}
int main(void) {
    pcap_t *handle;                 /* Session handle */
    char dev[] = "eth0";            /* Device to sniff on */
    char errbuf[PCAP_ERRBUF_SIZE];  /* Error string */
    struct bpf_program fp;          /* The compiled filter expression */
    char filter_exp[] = "port 80";  /* The filter expression */
    bpf_u_int32 mask;               /* The netmask of our sniffing device */
    bpf_u_int32 net;                /* The IP of our sniffing device */

    if(pcap_lookupnet(dev,&net,&mask,errbuf)==-1){
        fprintf(stderr, "Can't get netmask for device %s\n", dev);
        net = 0;
        mask = 0;
    }
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
        return(2);
    }
    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return(2);
    }
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return(2);
    }

    /*Actual sniffing*/
    pcap_loop(handle,-1,callback,NULL);

    return 0;
}

我正在尝试查看标头内部以获取源地址和目标地址。并尝试查看数据包内部以获取有效负载。我该怎么做呢?我似乎无法在网上找到任何 API。

提前谢谢了,

4

1 回答 1

1

在你的callback函数中,你可以有这样的东西(假设 TCP/IP over ethernet,在 Linux 上):

#include <netinet/ip.h>
#include <netinet/tcp.h>

const uint16_t ETHER_TYPE_IP = 0x0800;
const size_t ETHER_TYPE_OFFSET = 12;
const size_t ETHER_IP_OFFSET = 14;
const uint8_t IP_PROTO_TCP = 0x06;

uint16_t ether_type = ntohs(*((const uint16_t*) (packet + ETHER_TYPE_OFFSET)));

if (ether_type == ETHER_TYPE_IP) {
    const struct ip* ip_header = (const struct ip*) (packet + ETHER_IP_OFFSET);

    const unsigned char* ip_data = ((const unsigned char*) ip_header) + (ip_header->ip_hl << 2);
    uint16_t ip_data_len = ntohs(ip_header->ip_len) - (ip_header->ip_hl << 2);

    if (ip_header->ip_p == IP_PROTO_TCP) {
        const struct tcphdr* tcp_header = (const struct tcphdr*) ip_data;

        const unsigned char* data = ((const unsigned char*) tcp_header) + (tcp_header->doff << 2);
        uint16_t data_len = ip_data_len - (tcp_header->doff << 2);

        /* do something with the data here ... */
    }
}
于 2011-07-27T11:41:13.577 回答