使用WinPcap抓取各種包
使用WinPcap抓各種包
#include<stdio.h>
#include<iostream>
#defineHAVE_REMOTE
#include"pcap.h"
#include"remote-ext.h"
#pragmacomment(lib,"Ws2_32.lib")
#pragmacomment(lib,"wpcap.lib")
usingnamespace std;
FILE*fp;
// 以太網協定格式的定義
typedefstructether_header {
u_char ether_dhost[6]; // 目标位址
u_char ether_shost[6]; // 源位址
u_short ether_type; // 以太網類型
}ether_header;
// 使用者儲存4位元組的IP位址
typedefstructip_address {
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
}ip_address;
// 用于儲存IPV4的首部
typedefstructip_header{
#ifdefWORDS_BIGENDIAN
u_char ip_version : 4, header_length :4;
#else
u_char header_length : 4, ip_version : 4;
#endif
u_char ver_ihl; // 版本以及首部長度,各4位
u_char tos; // 服務品質
u_short tlen; // 總長度
u_short identification; // 身份識别
u_short offset; // 分組偏移
u_char ttl; // 生命周期
u_char proto; // 協定類型
u_short checksum; // 標頭測驗碼
ip_address saddr; //源IP位址
ip_address daddr; //目的IP位址
u_int op_pad; //可選填充字段
}ip_header;
// 儲存TCP首部
typedefstructtcp_header {
u_short sport;
u_short dport;
u_int sequence; // 序列碼
u_int ack; // 回複碼
#ifdefWORDS_BIGENDIAN
u_char offset : 4, reserved : 4; //偏移預留
#else
u_char reserved : 4, offset : 4; // 預留偏移
#endif
u_char flags; // 标志
u_short windows; // 視窗大小
u_short checksum; // 校驗和
u_short urgent_pointer; // 緊急指針
}tcp_header;
typedefstructudp_header {
u_int32_t sport; // 源端口
u_int32_t dport; // 目标端口
u_int8_t zero; // 保留位
u_int8_t proto; // 協定辨別
u_int16_t datalen; // UDP資料長度
}udp_header;
typedefstructicmp_header {
u_int8_t type; // ICMP類型
u_int8_t code; // 代碼
u_int16_t checksum; // 校驗和
u_int16_t identification; // 辨別
u_int16_t sequence; // 序列号
u_int32_t init_time; // 發起時間戳
u_int16_t recv_time; // 接受時間戳
u_int16_t send_time; // 傳輸時間戳
}icmp_header;
typedefstructarp_header {
u_int16_t arp_hardware_type;
u_int16_t arp_protocol_type;
u_int8_t arp_hardware_length;
u_int8_t arp_protocol_length;
u_int16_t arp_operation_code;
u_int8_t arp_source_ethernet_address[6];
u_int8_t arp_source_ip_address[4];
u_int8_t arp_destination_ethernet_address[6];
u_int8_t arp_destination_ip_address[4];
}arp_header;
voidtcp_protocol_packet_handle(
u_char *argument,
conststructpcap_pkthdr *packet_header,
constu_char *packet_content
) {
structtcp_header*tcp_protocol;
u_short sport;
u_short dport;
int header_length;
u_short windows;
u_short urgent_pointer;
u_int sequence;
u_int acknowledgement;
u_short checksum;
u_char flags;
printf("===========TCP Protocol===========\n");
tcp_protocol = (structtcp_header*)(packet_content + 14 + 20);
sport = ntohs(tcp_protocol->sport);
dport = ntohs(tcp_protocol->dport);
header_length = tcp_protocol->offset *4;
sequence =ntohl(tcp_protocol->sequence);
acknowledgement =ntohl(tcp_protocol->ack);
windows =ntohs(tcp_protocol->windows);
urgent_pointer =ntohs(tcp_protocol->urgent_pointer);
flags = tcp_protocol->flags;
checksum =ntohs(tcp_protocol->checksum);
fprintf(fp, "%d0%d%d%c%d", header_length, sport, dport,flags, windows);
switch(dport) {
default:
break;
}
if(flags & 0x08) printf("PSH");
if(flags & 0x10) printf("ACK");
if(flags & 0x02) printf("SYN");
if(flags & 0x20) printf("URG");
if(flags & 0x01) printf("FIN");
if(flags & 0x04) printf("RST");
printf("\n");
}
voidudp_protocol_packet_handle(
u_char *argument,
conststructpcap_pkthdr *packet_header,
constu_char *packet_content
) {
structudp_header*udp_protocol;
u_short sport;
u_short dport;
u_short datalen;
udp_protocol = (structudp_header*)(packet_content + 14 + 20);
sport = ntohs(udp_protocol->sport);
dport = ntohs(udp_protocol->dport);
datalen =ntohs(udp_protocol->datalen);
fprintf(fp, "0%d%d%d",datalen, sport, dport);
}
voidarp_protocol_packet_handle(
u_char *argument,
conststructpcap_pkthdr *packet_header,
constu_char *packet_content
) {
structarp_header*arp_protocol;
u_short protocol_type;
u_short hardware_type;
u_short operation_code;
u_char hardware_length;
u_char protocol_length;
structtm* ltime;
char timestr[16];
time_t local_tv_sec;
local_tv_sec = packet_header->ts.tv_sec;
ltime = localtime(&local_tv_sec);
strftime(timestr, sizeof(timestr), "%H:%M:%S", ltime);
printf("-------- ARP協定 --------\n");
arp_protocol = (structarp_header*)(packet_content + 14);
hardware_type =ntohs(arp_protocol->arp_hardware_type);
protocol_type =ntohs(arp_protocol->arp_protocol_type);
operation_code =ntohs(arp_protocol->arp_operation_code);
hardware_length =arp_protocol->arp_hardware_length;
protocol_length =arp_protocol->arp_protocol_length;
fprintf(fp, "%d%s", protocol_length, timestr);
switch (operation_code)
{
case 1:
printf("ARP請求協定\n");
break;
case 2:
printf("ARP應答協定\n");
break;
case 3:
printf("RARP請求協定\n");
break;
case 4:
printf("RARP應答協定\n");
break;
default:
break;
}
}
voidicmp_protocol_packet_handle(
u_char *argument,
conststructpcap_pkthdr *packet_header,
constu_char *packet_content
) {
structicmp_header*icmp_protocol;
u_short type;
u_short datalen;
u_int init_time;
u_int recv_time;
u_int send_time;
icmp_protocol = (structicmp_header*)(packet_content + 14 + 20);
datalen = sizeof(icmp_protocol);
type = icmp_protocol->type;
init_time =icmp_protocol->init_time;
recv_time =icmp_protocol->recv_time;
send_time =icmp_protocol->send_time;
fprintf(fp, "%d%c%d%d%d", datalen, type, init_time,recv_time, send_time);
// printf("===========ICMPProtocol==========\n");
switch(icmp_protocol->type) {
case 8:
//回應要求封包
break;
case 0:
//回應答覆封包
break;
default:
break;
}
}
voidip_protocol_packet_handle(
u_char *argument,
conststructpcap_pkthdr *packet_header,
constu_char *packet_content
) {
structip_header*ip_protocol;
u_int header_length;
u_char tos;
u_short checksum;
ip_address saddr;
ip_address daddr;
u_char ttl;
u_short tlen;
u_short identification;
u_short offset;
printf("===========IP Protocol===========\n");
ip_protocol = (structip_header*)(packet_content + 14);
header_length =ip_protocol->header_length * 4;
checksum =ntohs(ip_protocol->checksum);
tos = ip_protocol->tos;
offset =ntohs(ip_protocol->offset);
saddr = ip_protocol->saddr;
daddr = ip_protocol->daddr;
ttl = ip_protocol->ttl;
identification =ip_protocol->identification;
tlen = ip_protocol->tlen;
offset = ip_protocol->offset;
fprintf(fp, "%d%d%c%d%d%d", saddr, daddr, ttl,identification, tlen, offset);
switch(ip_protocol->proto) {
case 6:
tcp_protocol_packet_handle(argument, packet_header, packet_content);
break;
case 17:
udp_protocol_packet_handle(argument, packet_header, packet_content);
break;
case 1:
icmp_protocol_packet_handle(argument, packet_header, packet_content);
break;
default:
break;
}
}
voidethernet_protocol_packet_handle (
u_char *argument,
conststructpcap_pkthdr *packet_header,
constu_char *packet_content
) {
u_short ethernet_type; // 以太網類型
structether_header*ethernet_protocol; // 以太網協定變量
u_char *mac_string; // 以太網位址
ethernet_protocol = (structether_header*)packet_content; //擷取以太網資料内容
printf("Ethernet type is : \n");
ethernet_type =ntohs(ethernet_protocol->ether_type); // 擷取以太網類型
printf(" %04x\n", ethernet_type);
switch(ethernet_type) {
case 0x0800:
printf("The network layer is IP protocol\n");
break;
case 0x0806:
printf("The network layer is ARP protocol\n");
break;
default:
break;
}
// 擷取以太網源位址
// printf("MAC Source Address is :\n");
mac_string =ethernet_protocol->ether_shost;
fprintf(fp, "%02x:%02x:%02x:%02x:%02x:%02x",
*mac_string,
*(mac_string + 1),
*(mac_string + 2),
*(mac_string + 3),
*(mac_string + 4),
*(mac_string + 5)
);
// 擷取以太網目的位址
// printf("MAC Target Address is :\n");
mac_string = ethernet_protocol->ether_dhost;
fprintf(fp, "%02x:%02x:%02x:%02x:%02x:%02x",
*mac_string,
*(mac_string + 1),
*(mac_string + 2),
*(mac_string + 3),
*(mac_string + 4),
*(mac_string + 5)
);
fprintf(fp, "%d", sizeof(packet_content));
switch(ethernet_type) {
case 0x0800:
ip_protocol_packet_handle(argument, packet_header, packet_content);
break;
default:
break;
}
}
intmain() {
pcap_if_t *alldevs;
pcap_if_t *d;
pcap_t *adhandle;
char errbuf[PCAP_ERRBUF_SIZE];
int inum;
int i = 0;
u_int netmask;
char packet_filter[] = "ip and tcp";
structbpf_programfcode;
int res;
structpcap_pkthdr*header;
structtm *ltime;
constu_char *pkt_data;
time_t local_tv_sec;
char timestr[16];
ip_header *ih;
// 獲得裝置清單pcap_findalldevs_ex()
if(pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf)== -1) {
fprintf(stderr, "Errorin pcap_findalldevs: %s\n", errbuf);
exit(1);
}
for(d = alldevs; d; d = d->next) {
printf("%d. %s", ++i, d->name);
if(d->description) {
printf("(%s)\n", d->description);
}
else {
printf("No description available\n");
}
}
if(0 == i) {
printf("\nNo interface found!Make sure WinPcap is installed\n");
return -1;
}
printf("Enter the interface number(1-%d):",i);
scanf_s("%d", &inum);
if(inum < 1 || inum > i) {
printf("\nInterface number out of range.\n");
pcap_freealldevs(alldevs);
return -1;
}
for(d = alldevs, i = 0; i < inum-1; d=d->next, i++);
// 跳轉到該裝置,打開擴充卡
// 裝置名,要捕捉的資料包的部分(65536保證能捕獲到不同資料鍊路層上的每個資料包的全部内容),混雜模式,讀取逾時時間,錯誤緩沖池
if((adhandle = pcap_open_live(d->name, 65536, 1, 1000, errbuf)) == NULL) {
fprintf(stderr, "\nUnableto open the adapter.%s is not supported by WinPcap\n", errbuf);
pcap_freealldevs(alldevs);
return -1;
}
// 檢查資料鍊路層(隻考慮了以太網)
if(pcap_datalink(adhandle) != DLT_EN10MB) {
fprintf(stderr, "\nThisprogram works only on Ethernet networks.\n");
pcap_freealldevs(alldevs);
return -1;
}
if(d->addresses != NULL){
//獲得接口的第一個位址的掩碼
netmask = ((structsockaddr_in*)(d->addresses->netmask))->sin_addr.S_un.S_addr;
}
else {
netmask = 0xffffff;
}
fp = freopen("in.txt", "w", stdin);
while((res = pcap_next_ex(adhandle, &header, &pkt_data)) >= 0){
//請求逾時
if(0 == res) {
continue;
}
//分析資料包
ethernet_protocol_packet_handle(NULL, header, pkt_data);
//将時間戳轉換成可識别的格式
local_tv_sec =header->ts.tv_sec;
ltime =localtime(&local_tv_sec);
strftime(timestr, sizeof(timestr), "%H:%M:%S", ltime);
ih = (ip_header *)(pkt_data + 14); //以太網頭部長度
//輸出時間和IP資訊
printf("%s.%.6d len:%d ", timestr, header->ts.tv_usec,header->len);
printf("%d.%d.%d.%d -> %d.%d.%d.%d\n",
ih->saddr.byte1,
ih->saddr.byte2,
ih->saddr.byte3,
ih->saddr.byte4,
ih->daddr.byte1,
ih->daddr.byte2,
ih->daddr.byte3,
ih->daddr.byte4);
}
if(-1 == res) {
printf("Error reading the packet:%s\n",pcap_geterr(adhandle));
return -1;
}
pcap_freealldevs(alldevs);
fclose(fp);
fclose(stdin);
return 0;
}