Analysis of the Source Structure of Libpcap Library
Author: bobdai
3.1 Introduction to the libpcap Library
libpcap is a packet capture library that gives implementation-independent access to the packet capture mechanism the operating system provides for reaching the data link layer. The library offers a consistent programming interface across platforms, so on any platform where libpcap is installed, programs and applications written against it can be used freely across platforms. Operating systems provide three main packet capture mechanisms: BPF (Berkeley Packet Filter), DLPI (Data Link Provider Interface), and the SOCK_PACKET socket type under Linux. BSD-based systems use BPF; SVR4-based systems typically use DLPI. According to the literature, BPF performs much better than DLPI, and SOCK_PACKET is weaker. Although SCO OpenServer does not itself include the BPF kernel filter module, there is a STREAMS module version of BPF that can be pushed into the kernel, and it is consistent with Berkeley BPF. In its ioctl operations, however, SCO's BPF does not provide all the features of Berkeley BPF.
3.2 Basic architecture of the libpcap source code
The structure of libpcap is simple. For beginners, though, analyzing it conveys the basic ideas behind a moderately large program. First, to provide cross-platform compatibility, the source ships no Makefile; instead you run a configure script to generate one. The configure script inspects system features to determine the current system and its related configuration, and then reads the prepared Makefile.in file as a blueprint to generate a Makefile for the current platform.
There are more than 20 C source files in libpcap. We will group them to see how they work together.
1. Opening the device, reading from it, and setting the filter.
This section gathers all the functions closely tied to a specific system's capture method; it is the lowest layer, dealing directly with the specific device. The designers kept this part separate, so only this part needs to be modified when adding a new system. This is a very elegant idea. I personally added SCO OpenServer support to this library and deeply felt the benefits of this structural arrangement. This part mainly provides three functions: pcap_read(), pcap_open_live(), and pcap_setfilter(). The files are named pcap-*.c, such as pcap-bpf.c, pcap-dlpi.c, pcap-linux.c, pcap-nit.c, and the pcap-sco.c that I wrote. Only one of these files is actually included in the Makefile, and choosing which one is the job of the configure script. After writing pcap-sco.c, I modified the configure script so that it could detect the SCO system and generate the corresponding Makefile; after re-running make and installing, a complex and powerful library runs smoothly on your own platform with only slight changes. This idea is really wonderful!
2. Compiling, optimizing, and debugging filter rule expressions.
This part is the most remarkable piece of libpcap. It is essentially a miniature version of a computer system, and one has to admire the designers' deep understanding of computer systems and their flexibility in applying it.
The filtering mechanism uses a pseudo-machine; see the basic introduction to the BPF filter earlier. As mentioned there, a BPF filter program has many similarities with real machine language. An instruction (the structure bpf_insn) has an operation code, jump fields (jt, jf), and the like. The designers also provide a series of macros for writing the code, which serve as the "assembly language" of BPF. For this reason, writing BPF programs shares the weakness of all low-level languages: programming is too complicated. Even for a jump statement you have to count how many statements to skip. I had never written machine code before, but I wrote a bit of BPF code, and from that I can see how difficult writing machine code is. Making users learn these codes would scatter their energy; users of course need something simpler and easier to use. So, just as high-level languages emerged, filter rule expressions were introduced, which are intuitive and easy to understand. The source files that perform compilation and optimization are gencode.c, grammar.c, scanner.c, and optimize.c. This part compiles the input filter rule expression into BPF code, stores it in a bpf_program structure, and loads it with pcap_setfilter(). libpcap even provides a "disassembly" function, bpf_image(), defined in bpf_image.c. After pcap_compile() has compiled the expression, the code is stored in binary form in struct bpf_program; if you need to correct the filter rule expression, you can call bpf_image() to "disassemble" it into "assembly language" form. Below is a "disassembly" result (the corresponding filter rule expression is: src host 192.168.0.1 and tcp[13:1] & 2 != 0):
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 12
(002) ld [26]
(003) jeq #0xc0a80001 jt 4 jf 12
(004) ldb [23]
(005) jeq #0x6 jt 6 jf 12
(006) ldh [20]
(007) jset #0x1fff jt 12 jf 8
(008) ldxb 4*([14]&0xf)
(009) ldb [x + 27]
(010) jset #0x2 jt 11 jf 12
(011) ret #1000
(012) ret #0
Very interesting! If you know the encoding rules of BPF programs, you can also modify this code directly to get the result you want.
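The disassembly above can be traced with a small interpreter. This is an added example, not libpcap code: it encodes the 13 instructions with the standard classic-BPF opcode values and runs them over a constructed Ethernet/IPv4/TCP frame. The names insn, load, run_filter and run_sample are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* fields as in struct bpf_insn */
/* The listing, encoded. bpf_image() prints absolute jump targets; the stored
   jt/jf are relative: the number of instructions to skip after this one. */
static const struct insn prog[] = {
    {0x28,0,0,12}, {0x15,0,10,0x800},      /* (000)-(001) ethertype == IPv4    */
    {0x20,0,0,26}, {0x15,0,8,0xc0a80001},  /* (002)-(003) src == 192.168.0.1   */
    {0x30,0,0,23}, {0x15,0,6,0x6},         /* (004)-(005) protocol == TCP      */
    {0x28,0,0,20}, {0x45,4,0,0x1fff},      /* (006)-(007) fragment offset == 0 */
    {0xb1,0,0,14},                         /* (008) x = IP header length       */
    {0x50,0,0,27}, {0x45,0,1,0x2},         /* (009)-(010) tcp[13] & 2 (SYN)    */
    {0x06,0,0,1000}, {0x06,0,0,0},         /* (011)-(012) accept / reject      */
};
/* Big-endian load of n bytes at off; clears *ok if it would read past len. */
static uint32_t load(const uint8_t *p, size_t len, size_t off, size_t n, int *ok) {
    uint32_t v = 0;
    if (off > len || n > len - off) { *ok = 0; return 0; }
    while (n--) v = (v << 8) | p[off++];
    return v;
}
/* Returns the number of bytes to keep; 0 means the packet is dropped. */
uint32_t run_filter(const uint8_t *p, size_t len) {
    uint32_t a = 0, x = 0; int ok = 1;
    for (size_t pc = 0; pc < sizeof prog / sizeof prog[0]; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case 0x28: a = load(p, len, i->k, 2, &ok); break;             /* ldh [k]     */
        case 0x20: a = load(p, len, i->k, 4, &ok); break;             /* ld  [k]     */
        case 0x30: a = load(p, len, i->k, 1, &ok); break;             /* ldb [k]     */
        case 0x50: a = load(p, len, (size_t)x + i->k, 1, &ok); break; /* ldb [x + k] */
        case 0xb1: x = 4 * (load(p, len, i->k, 1, &ok) & 0xf); break; /* ldxb msh    */
        case 0x15: pc += (a == i->k) ? i->jt : i->jf; break;          /* jeq         */
        case 0x45: pc += (a & i->k) ? i->jt : i->jf; break;           /* jset        */
        case 0x06: return i->k;                                       /* ret         */
        default: return 0;              /* unknown opcode: reject */
        }
        if (!ok) return 0;              /* out-of-bounds load rejects the packet */
    }
    return 0;
}
/* Constructed sample: 54-byte frame (14 Ethernet + 20 IPv4 + 20 TCP),
   truncated to caplen to model a short capture. */
uint32_t run_sample(uint32_t src, uint8_t tcp_flags, size_t caplen) {
    uint8_t f[54] = {0};
    f[12] = 0x08; f[14] = 0x45; f[23] = 6; f[47] = tcp_flags;
    for (int i = 0; i < 4; i++) f[26 + i] = (uint8_t)(src >> (24 - 8 * i));
    return run_filter(f, caplen);
}
```

The bounds check in load() is what keeps a truncated capture from being read past its end: the filter rejects the packet instead.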
3. Offline capture.
libpcap supports offline capture: first capture data from the network and save it to disk, then read it back from disk for analysis when convenient. The main functions are pcap_open_offline() and pcap_offline_read(), defined in savefile.c.
4. Local network settings detection.
This includes pcap_lookupdev() and pcap_lookupnet(), implemented in inet.c. The implementation opens a socket and then calls a series of SIO* ioctls to obtain the socket's state, thereby detecting the TCP/IP-layer network settings. The socket interface follows a unified specification across systems, so this code is portable across platforms; unlike the data link layer, there is no need to write different code for different platforms. This part also includes the name/address conversion functions, implemented in etherent.c and nametoaddr.c.
5. The main program and version.
The main program is in pcap.c. This file defines the unified external interface for reading data, pcap_next(), as well as functions such as pcap_geterr() for obtaining the current error message. Users call pcap_next() to get the next packet's data whether the device was opened live or offline.
The version declaration is in version.c.