PCAP Learning Tour

Network resources: PCAP Tutorial, My Libpcap Tutorial

The complete procedure for capturing a single packet:

1. Get the name of the device to listen on:

```c
#include <pcap.h>

char errbuf[PCAP_ERRBUF_SIZE];
/* Deprecated in newer libpcap releases; pcap_findalldevs() is the replacement. */
char *dev = pcap_lookupdev(errbuf);
```

2. Open the device for listening and get back its handle:

```c
pcap_t *descr = pcap_open_live(dev, bufsize, 0, -1, errbuf);
```

Parameters:
dev: the name of the device to open
bufsize: the size of the captured packet
network interface mode: 0 is non-promiscuous mode, 1 is promiscuous mode; only promiscuous mode can capture most of the packets on the network
to_ms: the timeout

3. Capture a packet from the listening device:

```c
struct pcap_pkthdr hdr;
const u_char *packet = pcap_next(descr, &hdr);
```

Note: the header structure is defined as follows:

```c
struct pcap_pkthdr {
    struct timeval ts;    /* time the packet was captured */
    bpf_u_int32 caplen;   /* number of bytes actually captured */
    bpf_u_int32 len;      /* length of the packet on the wire */
};
```

This completes the capture of a single packet. Next comes the analysis of the packet:

1. The captured packet has type u_char *, but packet is not a simple string. It is really a collection of structures (for example, a TCP/IP packet has an Ethernet header, an IP header, a TCP header, and finally the payload of the packet). The u_char buffer is the serialized form of these structures, and to make full use of it we have to do some conversion.

2. Doing this conversion requires a clear understanding of the data structures of the protocols, and different operating system platforms define the protocol structures differently.
```c
#include <sys/types.h>    /* u_char, u_short, u_int */
#include <netinet/in.h>   /* struct in_addr */

#define ETHER_ADDR_LEN 6  /* an Ethernet address is 6 bytes */

/* Ethernet header */
struct sniff_ethernet {
    u_char ether_dhost[ETHER_ADDR_LEN]; /* destination host address */
    u_char ether_shost[ETHER_ADDR_LEN]; /* source host address */
    u_short ether_type;                 /* IP, ARP, RARP, etc. */
};
```

Next, the IP protocol header:

```c
/* IP header */
struct sniff_ip {
#if BYTE_ORDER == LITTLE_ENDIAN
    u_int ip_hl:4,  /* header length */
          ip_v:4;   /* version */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_int ip_v:4,   /* version */
          ip_hl:4;  /* header length */
#endif /* not _IP_VHL */
    u_char ip_tos;  /* type of service */
    u_short ip_len; /* total datagram length */
    u_short ip_id;  /* identification */
    u_short ip_off; /* fragmentation flags and offset */
#define IP_RF 0x8000      /* reserved fragment flag */
#define IP_DF 0x4000      /* don't fragment flag */
#define IP_MF 0x2000      /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
    u_char ip_ttl;  /* time to live */
    u_char ip_p;    /* protocol */
    u_short ip_sum; /* checksum */
    struct in_addr ip_src, ip_dst; /* source and destination address */
};
```

And the TCP protocol header:

```c
typedef u_int tcp_seq; /* 32-bit sequence number type used below */

/* TCP header */
struct sniff_tcp {
    u_short th_sport; /* source port */
    u_short th_dport; /* destination port */
    tcp_seq th_seq;   /* sequence number */
    tcp_seq th_ack;   /* acknowledgment number */
#if BYTE_ORDER == LITTLE_ENDIAN
    u_int th_x2:4,    /* (unused) */
          th_off:4;   /* data offset */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_int th_off:4,   /* data offset */
          th_x2:4;    /* (unused) */
#endif
    u_char th_flags;
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
    u_short th_win;   /* sliding window */
    u_short th_sum;   /* checksum */
    u_short th_urp;   /* urgent pointer */
};
```
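The header fields above come from the network, so the conversion step has to validate ip_hl, ip_len and th_off against caplen before following them. The following is an added example, not code from the original tutorial: it reads the fields by byte offset instead of casting to the structs, and parse_tcp_frame, tcp_summary and sample_frame are hypothetical names, with sample_frame a constructed packet.

```c
#include <stdint.h>
#include <stdio.h>

#define SIZE_ETHERNET 14   /* 6-byte dst + 6-byte src + 2-byte ether_type */
#define MIN_HDR 20         /* smallest legal IPv4 header and TCP header */

struct tcp_summary { uint16_t sport, dport; uint8_t flags; uint32_t payload_len; };

/* Constructed sample: Ethernet + IPv4 (ip_len 44) + TCP (PSH|ACK) + "ping". */
static const uint8_t sample_frame[58] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18,0x10,0x00, 0x00,0x00,0x00,0x00,
    'p','i','n','g' };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, or a negative code naming the check that failed. */
int parse_tcp_frame(const uint8_t *pkt, uint32_t caplen, struct tcp_summary *out)
{
    if (caplen < SIZE_ETHERNET + MIN_HDR) return -1;  /* fixed IP header not captured */
    if (rd16(pkt + 12) != 0x0800) return -2;          /* ether_type is not IPv4 */
    const uint8_t *ip = pkt + SIZE_ETHERNET;
    uint32_t ip_hl = (ip[0] & 0x0fu) * 4u;            /* ip_hl counts 32-bit words */
    uint32_t ip_len = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ip_hl < MIN_HDR) return -3;
    if (ip[9] != 6 || (rd16(ip + 6) & 0x1fff)) return -4;    /* not TCP, or a later fragment */
    if (ip_len < ip_hl + MIN_HDR) return -5;          /* ip_len leaves no room for TCP */
    if (SIZE_ETHERNET + ip_hl + MIN_HDR > caplen) return -6; /* TCP header not captured */
    const uint8_t *tcp = ip + ip_hl;
    uint32_t th_off = (uint32_t)(tcp[12] >> 4) * 4u;  /* th_off counts 32-bit words */
    if (th_off < MIN_HDR || ip_hl + th_off > ip_len) return -7;
    if (SIZE_ETHERNET + ip_hl + th_off > caplen) return -8;  /* TCP options not captured */
    uint32_t avail = caplen - SIZE_ETHERNET - ip_hl - th_off;
    uint32_t claimed = ip_len - ip_hl - th_off;
    out->sport = rd16(tcp);
    out->dport = rd16(tcp + 2);
    out->flags = tcp[13];
    out->payload_len = claimed < avail ? claimed : avail;    /* never read past caplen */
    return 0;
}

int main(void)
{
    struct tcp_summary s = {0};
    int rc = parse_tcp_frame(sample_frame, sizeof sample_frame, &s);
    printf("rc=%d %u -> %u flags=0x%02x payload=%u\n", rc, (unsigned)s.sport,
           (unsigned)s.dport, (unsigned)s.flags, (unsigned)s.payload_len);
    return rc;
}
```

In a real capture loop, pass hdr.caplen (not hdr.len) as the second argument, since caplen is the number of bytes actually present in the buffer.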