
winpcap捕获数据包

2012-09-25 
winpcap捕获数据包//技术手册:http://www.ferrisxu.com/WinPcap/html/index.html???当我们过滤掉:以太头,i

winpcap捕获数据包

//技术手册:http://www.ferrisxu.com/WinPcap/html/index.html



?
winpcap捕获数据包
?
winpcap捕获数据包
?
winpcap捕获数据包
当我们过滤掉以太网首部、IP 首部和 TCP/UDP 首部之后,剩下的就是我们需要的数据包内容了



源代码:

#include "stdafx.h"
#include<iostream>
using namespace std;
#include <pcap.h>
using namespace std;
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <net.h>
#pragma comment(lib,"ws2_32.lib")
#define MAX_PRINT 80
#define MAX_LINE 16


#pragma once

?

/* Fixed-width unsigned integer aliases used by the protocol header structs
 * below.  They carry the BSD/glibc u_intN_t names so the struct definitions
 * could be copied from Linux headers; the toolchain this listing targets
 * (stdafx.h / ws2_32) does not provide them itself. */
typedef unsigned char      u_int8_t;   /* 8 bits  */
typedef unsigned short int u_int16_t;  /* 16 bits */
typedef unsigned int       u_int32_t;  /* 32 bits */

/* Length of an Ethernet (MAC) address in bytes. */
#define ETH_ALEN 6

/* IPv4 header with the glibc <netinet/ip.h> field names.  The first byte
 * holds two 4-bit fields (version and header length in 32-bit words); the
 * preprocessor test below picks the declaration order matching the host's
 * bit-field layout.  Options, when present, follow these 20 bytes.
 *
 * NOTE(review): if __BYTE_ORDER / __LITTLE_ENDIAN / __BIG_ENDIAN are not
 * defined by the toolchain (MSVC does not define them), undefined names in
 * an #if evaluate to 0, so the first branch is selected silently. */
struct iphdr
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
    unsigned int ihl:4;        /* header length, in 32-bit words */
    unsigned int version:4;    /* IP version */
#elif __BYTE_ORDER == __BIG_ENDIAN
    unsigned int version:4;    /* IP version */
    unsigned int ihl:4;        /* header length, in 32-bit words */
#else
# error "Please fix <bits/endian.h>"
#endif
    u_int8_t  tos;             /* type of service */
    u_int16_t tot_len;         /* total length */
    u_int16_t id;              /* identification */
    u_int16_t frag_off;        /* flags + fragment offset */
    u_int8_t  ttl;             /* time to live */
    u_int8_t  protocol;        /* payload protocol */
    u_int16_t check;           /* header checksum */
    u_int32_t saddr;           /* source address */
    u_int32_t daddr;           /* destination address */
    /* The options start here. */
};

/* TCP header (RFC 793).  Two layouts of the same 20 fixed bytes are offered:
 * the BSD field names (th_*) when __FAVOR_BSD is defined, otherwise the
 * Linux names.  This listing does not define __FAVOR_BSD, so the second
 * form is the one in effect.
 *
 * NOTE(review): in the BSD form the two byte-order tests are independent
 * #if blocks; if the byte-order macros are all undefined both evaluate to
 * 0 == 0 and both field pairs are declared, which is a duplicate-member
 * error.  The Linux form uses #if/#elif and does not have this problem. */
# ifdef __FAVOR_BSD
typedef u_int32_t tcp_seq;
/*
 * TCP header.
 * Per RFC 793, September, 1981.
 */
struct tcphdr
{
    u_int16_t th_sport;         /* source port */
    u_int16_t th_dport;         /* destination port */
    tcp_seq   th_seq;           /* sequence number */
    tcp_seq   th_ack;           /* acknowledgement number */
#  if __BYTE_ORDER == __LITTLE_ENDIAN
    u_int8_t  th_x2:4;          /* (unused) */
    u_int8_t  th_off:4;         /* data offset */
#  endif
#  if __BYTE_ORDER == __BIG_ENDIAN
    u_int8_t  th_off:4;         /* data offset */
    u_int8_t  th_x2:4;          /* (unused) */
#  endif
    u_int8_t  th_flags;         /* control bits; see TH_* */
#  define TH_FIN        0x01
#  define TH_SYN        0x02
#  define TH_RST        0x04
#  define TH_PUSH       0x08
#  define TH_ACK        0x10
#  define TH_URG        0x20
    u_int16_t th_win;           /* window */
    u_int16_t th_sum;           /* checksum */
    u_int16_t th_urp;           /* urgent pointer */
};

# else /* !__FAVOR_BSD */
struct tcphdr
{
    u_int16_t source;           /* source port */
    u_int16_t dest;             /* destination port */
    u_int32_t seq;              /* sequence number */
    u_int32_t ack_seq;          /* acknowledgement number */
#  if __BYTE_ORDER == __LITTLE_ENDIAN
    u_int16_t res1:4;           /* reserved */
    u_int16_t doff:4;           /* data offset */
    u_int16_t fin:1;            /* control bits, one per flag */
    u_int16_t syn:1;
    u_int16_t rst:1;
    u_int16_t psh:1;
    u_int16_t ack:1;
    u_int16_t urg:1;
    u_int16_t res2:2;           /* reserved */
#  elif __BYTE_ORDER == __BIG_ENDIAN
    u_int16_t doff:4;           /* data offset */
    u_int16_t res1:4;           /* reserved */
    u_int16_t res2:2;           /* reserved */
    u_int16_t urg:1;            /* control bits, one per flag */
    u_int16_t ack:1;
    u_int16_t psh:1;
    u_int16_t rst:1;
    u_int16_t syn:1;
    u_int16_t fin:1;
#  else
#   error "Adjust your <bits/endian.h> defines"
#  endif
    u_int16_t window;           /* window */
    u_int16_t check;            /* checksum */
    u_int16_t urg_ptr;          /* urgent pointer */
};
#endif

/* Ethernet pseudo protocol IDs, copied from the Linux if_ether.h table.
 * None of them is referenced elsewhere in this listing. */
#define ETH_P_802_3     0x0001  /* Dummy type for 802.3 frames   */
#define ETH_P_AX25      0x0002  /* Dummy protocol id for AX.25   */
#define ETH_P_ALL       0x0003  /* Every packet (be careful!!!)  */
#define ETH_P_802_2     0x0004  /* 802.2 frames                  */
#define ETH_P_SNAP      0x0005  /* Internal only                 */
#define ETH_P_DDCMP     0x0006  /* DEC DDCMP: Internal only      */
#define ETH_P_WAN_PPP   0x0007  /* Dummy type for WAN PPP frames */
#define ETH_P_PPP_MP    0x0008  /* Dummy type for PPP MP frames  */
#define ETH_P_LOCALTALK 0x0009  /* Localtalk pseudo type         */
#define ETH_P_CAN       0x000C  /* Controller Area Network       */
#define ETH_P_PPPTALK   0x0010  /* Dummy type for Atalk over PPP */
#define ETH_P_TR_802_2  0x0011  /* 802.2 frames                  */
#define ETH_P_MOBITEX   0x0015  /* Mobitex (kaz@cafe.net)        */
#define ETH_P_CONTROL   0x0016  /* Card specific control frames  */
#define ETH_P_IRDA      0x0017  /* Linux-IrDA                    */
#define ETH_P_ECONET    0x0018  /* Acorn Econet                  */
#define ETH_P_HDLC      0x0019  /* HDLC frames                   */
#define ETH_P_ARCNET    0x001A  /* 1A for ArcNet :-)             */
/* Ethernet frame header: destination and source MAC addresses followed by
 * the 16-bit packet type field.  sizeof(struct ethhdr) is used by
 * packet_handler() to step over this header. */
struct ethhdr {
    unsigned char h_dest[ETH_ALEN];    /* destination eth addr */
    unsigned char h_source[ETH_ALEN];  /* source ether addr    */
    u_int16_t     h_proto;             /* packet type ID field */
};

?

/* 4-byte IPv4 address, one octet per field (WinPcap tutorial layout). */
typedef struct ip_address {
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
} ip_address;

/* IPv4 header as laid out in the WinPcap tutorial.  Unlike struct iphdr
 * above, it appends a 4-byte op_pad field, so sizeof(ip_header) is larger
 * than the 20-byte fixed header; the real header length is the low nibble
 * of ver_ihl. */
typedef struct ip_header {
    u_char     ver_ihl;         // version (4 bits) + header length (4 bits)
    u_char     tos;             // type of service
    u_short    tlen;            // total length
    u_short    identification;  // identification
    u_short    flags_fo;        // flags (3 bits) + fragment offset (13 bits)
    u_char     ttl;             // time to live
    u_char     proto;           // protocol
    u_short    crc;             // header checksum
    ip_address saddr;           // source address
    ip_address daddr;           // destination address
    u_int      op_pad;          // option + padding
} ip_header;

/* UDP header: two ports, datagram length and checksum (8 bytes). */
typedef struct udp_header {
    u_short sport;  // source port
    u_short dport;  // destination port
    u_short len;    // datagram length
    u_short crc;    // checksum
} udp_header;



/* packet handler 函数原型 */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);

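/*
 * Program entry point: lists the local capture devices, lets the user pick
 * one, opens it, installs the BPF filter in packet_filter and hands every
 * captured packet to packet_handler() through pcap_loop().
 *
 * Returns 0 when pcap_loop() ends normally and -1 on any setup failure or
 * on a pcap_loop() error.  Every error path releases the device list; the
 * open handle and the compiled filter are released on the paths that own
 * them (the original leaked both).
 */
int main()
{
    pcap_if_t *alldevs = NULL;
    pcap_if_t *d = NULL;
    int inum = 0;
    int i = 0;
    pcap_t *adhandle = NULL;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_int netmask;
    /* Only packets addressed to this host are handed to the callback.
     * Filters the author tried earlier: port 20 and ip and tcp dst host 127.0.0.1 */
    char packet_filter[] = "dst host 192.168.0.1";
    struct bpf_program fcode;
    int loop_rc;

    /* Retrieve the list of local devices */
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
        return -1;   /* was exit(1); every other failure in main returns -1 */
    }

    /* Print the list */
    for (d = alldevs; d; d = d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    if (i == 0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }

    printf("Enter the interface number (1-%d):",i);
    /* scanf() leaves inum untouched when the input is not a number; treat a
     * failed read like an out-of-range choice instead of using a stale value. */
    if (scanf("%d", &inum) != 1 || inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Jump to the selected adapter (1-based menu number, 0-based list walk) */
    for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++)
    {
        /* intentionally empty */
    }

    /* Open the device.  The flag is the author's choice; the commented
     * PCAP_OPENFLAG_PROMISCUOUS is what the WinPcap sample uses. */
    adhandle = pcap_open(d->name,                      // device name
                         65536,                        // snaplen: whole packet on any link layer
                         PCAP_OPENFLAG_NOCAPTURE_RPCAP, // PCAP_OPENFLAG_PROMISCUOUS in the original sample
                         1000,                         // read timeout, ms
                         NULL,                         // remote authentication
                         errbuf);                      // error buffer
    if (adhandle == NULL)
    {
        fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Check the link layer; for simplicity only Ethernet is handled */
    if (pcap_datalink(adhandle) != DLT_EN10MB)
    {
        fprintf(stderr,"\nThis program works only on Ethernet networks.\n");
        pcap_close(adhandle);
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Netmask of the interface's first address, if it has one; the netmask
     * pointer itself may be NULL, in which case fall back as well. */
    if (d->addresses != NULL && d->addresses->netmask != NULL)
    {
        netmask = ((struct sockaddr_in *)(d->addresses->netmask))->sin_addr.S_un.S_addr;
    }
    else
    {
        /* No usable address on the interface: assume a class C mask */
        netmask = 0xffffff;
    }

    /* Compile the filter */
    if (pcap_compile(adhandle, &fcode, packet_filter, 1, netmask) < 0)
    {
        fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax.\n");
        pcap_close(adhandle);
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Set the filter */
    if (pcap_setfilter(adhandle, &fcode) < 0)
    {
        fprintf(stderr,"\nError setting the filter.\n");
        pcap_freecode(&fcode);
        pcap_close(adhandle);
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* description may be NULL (see the listing loop above); fall back to the name */
    printf("\nlistening on %s...\n", d->description ? d->description : d->name);

    /* The device list is not needed once the handle is open */
    pcap_freealldevs(alldevs);
    d = NULL;   /* pointed into the freed list */

    /* Start the capture; cnt 0 means run until an error or pcap_breakloop() */
    loop_rc = pcap_loop(adhandle, 0, packet_handler, NULL);
    if (loop_rc == -1)
    {
        fprintf(stderr, "\npcap_loop failed: %s\n", pcap_geterr(adhandle));
    }

    /* The filter program was copied into the handle by pcap_setfilter */
    pcap_freecode(&fcode);
    pcap_close(adhandle);

    return loop_rc == -1 ? -1 : 0;
}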


/*
 * pcap_loop() callback: libpcap/WinPcap calls it once per captured packet.
 *
 *   param    - user pointer given to pcap_loop() (NULL in main(); unused)
 *   header   - capture record (timestamp, caplen = bytes actually captured,
 *              len = bytes on the wire); unused outside the commented block
 *   pkt_data - the captured bytes, starting at the Ethernet header; only
 *              header->caplen of them are valid
 *
 * NOTE(review): as written this function does not compile - the empty
 * `if()` and the bare URL path below are unfinished fragments.  It also
 * reads outside the captured buffer: the payload offset assumes fixed-size
 * Ethernet/IP/TCP headers and is never checked against header->caplen, and
 * both strstr() and operator<< expect a NUL-terminated string that a raw
 * packet does not provide.
 */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
??? /*struct tm *ltime;
??? char timestr[16];
??? time_t local_tv_sec;
?? ?
??? // convert the timestamp into a readable form
??? local_tv_sec = header->ts.tv_sec;
??? ltime=localtime(&local_tv_sec);
??? strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
?? ?
??? printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);*/

    // NOTE(review): every local below is declared but never used.
?? ?struct tm *ltime;
?? ?struct iphdr *ip;
?? ?struct ethhdr *eth;
?? ?struct tcphdr *tcp;

??? char timestr[16];
??? ip_header *ih;
??? udp_header *uh;
??? u_int ip_len;
??? u_short sport,dport;
??? time_t local_tv_sec;
?? ?
?? ?
    // NOTE(review): fixed offset = sizeof Ethernet + IP + TCP headers.  It
    // ignores IP options (ihl) and the TCP data offset, and is not bounded by
    // header->caplen, so pkt_data can end up past the captured bytes.
?? ?pkt_data=(pkt_data + sizeof(struct ethhdr) + sizeof(struct iphdr)+sizeof(struct tcphdr))-4;// "-4 means move back 32 bits" (author's note; the reason is not explained)
?? ?
?? ?const char* target="corporation/login_corporation.yizhi?method=verify";
?? ?
    // NOTE(review): strstr() scans until a NUL byte; packet payloads are not
    // NUL-terminated, so this can read beyond the capture buffer.
?? ?if(!(strstr((char*)pkt_data,target)))
?? ?{
?? ???? return;
?? ?}


    // NOTE(review): the empty `if()` and the bare path on the next line are
    // unfinished fragments left by the author; they do not compile.
?? ?if()

?? ???? oa/corporation/login_corporation.yizhi?method=verify
    // NOTE(review): operator<< on a char* also relies on NUL termination.
?? ?cout<<pkt_data<<endl;

?? ?

}

?
