Some understandings about WinPCAP



Bill Yuan

2004-9-29

I. Introduction to WinPCAP

WinPCAP is the Windows port of libpcap from Unix, and it is a free and open-source project. WinPCAP works as a driver, so it can operate with high efficiency.

WinPCAP provides the following powerful features:

1. Capture raw packets

2. Set a filter so that only the packets you want are captured

3. Conveniently write captured packets to a file and read them back from a file

4. Send raw packets

5. Collect network traffic statistics

6. ... (there are many others that I do not know)

II. WinPCAP installation method

1. Download the WinPCAP installation package and the developer's pack from http://winpcap.polito.it.

2. Run the installation package so that your machine can run WinPCAP programs.

3. Unzip the development kit and add WinPCAP's INCLUDE and LIB directories to the corresponding VC options.

4. Add the two #include lines for the WinPCAP headers. Then add the predefined macros WPCAP and HAVE_REMOTE in the project's settings, and link the wpcap.lib library.

5. Now you can write WinPCAP programs.

III. Some basic functions of WinPCAP

1) Capturing packets

1. Enumerate all available devices [pcap_findalldevs_ex] (optional)

2. Open a device by name [pcap_open()]

A capture file can be opened here as well; just create the corresponding source name string with pcap_createsrcstr before opening the file.

3. Set a filter [pcap_compile, pcap_setfilter] (optional)

4. Capture data

There are several ways to capture data (the captured data is the raw packet, that is, it includes the data-link-layer header):

a. The callback way [pcap_loop, pcap_dispatch()].

Both methods are essentially the same: the underlying layer collects packets, and when a certain condition is met (timeout or buffer full) the callback function is called and the collected raw packets are passed to the user. The data buffer they return contains multiple packets.

b. The pcap_next_ex() method

pcap_next_ex returns whenever a packet arrives, and the returned data buffer contains only one packet.

2) Sending packets

WinPCAP has methods for sending a single packet and for sending multiple packets. Only sending a single packet is covered here.

1. Open a device by name [pcap_open]

2. Assemble a raw packet (this packet is sent out without any processing, so you must set every field in the packet yourself; in addition, the packet must include the data-link-layer header)

3. Send the packet with pcap_sendpacket()

3) Network traffic statistics

1. Open a device by name [pcap_open]; the statistics interval is set through the read_timeout parameter

2. Set a filter [pcap_compile, pcap_setfilter] (optional)

3. Switch the device to statistics mode [pcap_setmode(MODE_STAT);]

4. Start collecting statistics with pcap_loop / pcap_dispatch()

5. The statistics are delivered in the parameters of the callback function, as shown in the example below.

IV. Summary

These are some of my experiences and a summary from learning WinPCAP. Since I only learned WinPCAP from the Step by Step Guide, my understanding of WinPCAP is limited; I hope I will have the chance to learn more in the future.

/// The following is an example of a network traffic statistics program written with WinPCAP.

// NetTraft.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <winsock2.h>
#include <pcap.h>
#include <remote-ext.h>
#include <iostream>
#include <ctime>
#include <cstdio>

using namespace std;

//----------------------------------------------------------------------
// Callback invoked by pcap_loop for every statistics sample.
//----------------------------------------------------------------------
void dispatcher_handler(u_char *user_data, const struct pcap_pkthdr *pkthdr, const u_char *pktdata);

//----------------------------------------------------------------------
int main(int argc, char *argv[])
{
    int i;
    pcap_if_t *alldevs;
    pcap_if_t *dev;
    char errorbuf[PCAP_ERRBUF_SIZE];
    int choice;
    pcap_t *stathandle;
    WSADATA wsadata;
    struct timeval timestamp;

    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0)
    {
        cerr << "WSAStartup failed [" << WSAGetLastError() << "]" << endl;
        return (-1);
    }

    // Enumerate all devices
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errorbuf) == -1)
    {
        WSACleanup();
        cerr << "pcap_findalldevs_ex failed! (" << errorbuf << ")" << endl;
        return (-1);
    }

    // List the devices, numbered from 1
    for (i = 0, dev = alldevs; dev != NULL; dev = dev->next)
    {
        cout << ++i << '\t' << dev->name << endl;
    }

    if (i == 0)
    {
        WSACleanup();
        cerr << "No device found!" << endl;
        return (-2);
    }

    // Let the user choose
    while (1)
    {
        cout << "Please choose a device: ";
        cin >> choice;
        if (choice >= 1 && choice <= i)
            break;
        cerr << "Input error, you shall choose a device from the list above" << endl;
    }

    // Move to the chosen device
    for (i = 1, dev = alldevs; i < choice; i++, dev = dev->next);

    // Open it: snaplen 100 bytes, promiscuous mode, read_timeout 500 ms.
    // In statistics mode the read timeout is the sampling interval.
    if ((stathandle = pcap_open(dev->name,
                                100,
                                PCAP_OPENFLAG_PROMISCUOUS,
                                500,
                                NULL, errorbuf)) == NULL)
    {
        cerr << "Open device failed! [Device: " << dev->name << "] "
             << errorbuf << endl;
        pcap_freealldevs(alldevs);
        WSACleanup();
        return (-3);
    }

    cout << "Collecting statistics on " << dev->name << " ..." << endl;
    pcap_freealldevs(alldevs);

    // Switch the adapter to statistics mode
    pcap_setmode(stathandle, MODE_STAT);

    timestamp.tv_sec = 0;
    timestamp.tv_usec = 0;
    pcap_loop(stathandle, 0, dispatcher_handler, (unsigned char *)&timestamp);

    pcap_close(stathandle);
    WSACleanup();
    return 0;
}

//----------------------------------------------------------------------
void dispatcher_handler(u_char *user_data, const struct pcap_pkthdr *pkthdr, const u_char *pktdata)
{
    // Timestamp of the previous sample (initialised from the caller's struct)
    static struct timeval tstamp = *((struct timeval *)user_data);
    LARGE_INTEGER bps, pps;
    LONGLONG delay;
    char strtime[32];
    time_t local_tv_sec;

    // Microseconds elapsed since the previous sample, computed in 64 bits
    // so the first sample (previous timestamp 0) does not overflow
    delay = (LONGLONG)(pkthdr->ts.tv_sec - tstamp.tv_sec) * 1000000
            - tstamp.tv_usec + pkthdr->ts.tv_usec;
    if (delay <= 0)
        delay = 1;

    // In MODE_STAT the sample buffer holds two 64-bit counters:
    // packets received, followed by bytes received in the interval.
    // bps here is bytes per second (the byte counter is not multiplied by 8).
    pps.QuadPart = ((*(LONGLONG *)(pktdata)) * 1000000) / delay;
    bps.QuadPart = ((*(LONGLONG *)(pktdata + 8)) * 1000000) / delay;

    local_tv_sec = pkthdr->ts.tv_sec;
    struct tm *ltime = localtime(&local_tv_sec);
    strftime(strtime, sizeof(strtime), "%H:%M:%S", ltime);
    printf("%s:", strtime);
    printf("\tpps=%I64u\tbps=%I64u\r\n", pps.QuadPart, bps.QuadPart);

    tstamp = pkthdr->ts;
}
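The rate computation that dispatcher_handler performs on a MODE_STAT sample, as an added portable C example (not code from the original post) that compiles without WinPCAP: it decodes the 16-byte sample buffer (two 64-bit counters, packets then bytes, exactly as the handler above reads them) and refuses to report a rate for the first sample, where there is no previous timestamp. The stat_sample struct, the demo_* functions and the timestamp/counter values are constructed for this example.

```c
/* Added example (not from the original post): the MODE_STAT rate
 * computation done by dispatcher_handler, written portably so it runs
 * without WinPCAP. In statistics mode the sample buffer holds two
 * native-endian 64-bit counters: packets received, then bytes received
 * during the interval; the timestamps come from pcap_pkthdr.ts. */
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for pcap_pkthdr.ts plus the 16-byte sample data */
struct stat_sample {
    long tv_sec, tv_usec;
    unsigned char data[16];
};

/* Decode one sample into packets/s and bytes/s relative to the previous
 * sample's timestamp. Returns 0 on success, -1 when there is no valid
 * interval yet (first sample, or a timestamp that did not advance). */
int stat_rates(const struct stat_sample *s, long prev_sec, long prev_usec,
               uint64_t *pps, uint64_t *bps)
{
    uint64_t packets, bytes;
    /* 64-bit arithmetic: (tv_sec * 1000000) overflows a 32-bit long */
    int64_t delay = (int64_t)(s->tv_sec - prev_sec) * 1000000
                    + (s->tv_usec - prev_usec);

    if ((prev_sec == 0 && prev_usec == 0) || delay <= 0)
        return -1;
    /* memcpy instead of *(LONGLONG *)ptr: no alignment or aliasing issues */
    memcpy(&packets, s->data, 8);
    memcpy(&bytes, s->data + 8, 8);
    *pps = packets * 1000000 / (uint64_t)delay;
    *bps = bytes * 1000000 / (uint64_t)delay;   /* bytes, not bits */
    return 0;
}

/* Constructed sample: a 500 ms interval (the page's read_timeout) that
 * carried 250 packets and 100000 bytes; 1096416000 is 2004-09-29 00:00 UTC. */
static void make_sample(struct stat_sample *s)
{
    uint64_t packets = 250, bytes = 100000;
    s->tv_sec = 1096416000; s->tv_usec = 500000;
    memcpy(s->data, &packets, 8);
    memcpy(s->data + 8, &bytes, 8);
}

uint64_t demo_pps(void) { struct stat_sample s; uint64_t p = 0, b = 0; make_sample(&s); stat_rates(&s, 1096416000, 0, &p, &b); return p; }
uint64_t demo_bps(void) { struct stat_sample s; uint64_t p = 0, b = 0; make_sample(&s); stat_rates(&s, 1096416000, 0, &p, &b); return b; }
/* First sample: no previous timestamp, so no rate can be reported yet */
int demo_first_sample(void) { struct stat_sample s; uint64_t p, b; make_sample(&s); return stat_rates(&s, 0, 0, &p, &b); }
```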

Please cite the original address when reposting: https://www.9cbs.com/read-111857.html
