Preliminary Packet Analysis Program Design
Author: Maigan
From: The 8th Army - Information Security Group (www.cnhacking.com, www.juntuan.org)
Mail: Maigan@maigan.com
Warning: when reprinting this article, please indicate the author and the source.
I searched online all day and saw many good articles, but I found that most of them either stay purely theoretical or go too deep; very few give a detailed, introductory analysis. Today I want to discuss one packet analysis program. I am also a newcomer, so where I am wrong I hope nobody will point fingers.

By analyzing packets we can determine the operating system, information about network traffic, the route a communication takes, the size of the packets, the content of the packets and more. For anyone interested in network security, mastering this knowledge is quite important. In today's network communication most data is not encrypted, so accounts, passwords and other data of interest can easily be extracted from packets. Before reading this article you should have read books on computer networks, C programming and protocol analysis. Below I divide the material into three parts: the TCP/IP protocol structure, the program's functions and data structures, and the design method of the example program, so that we can learn about packet analysis programs together.
I. TCP/IP protocol structure

Before discussing TCP/IP, let us look at Ethernet, because Ethernet is what we work with, and studying packets is inseparable from the Ethernet frame. On Ethernet, data is exchanged in units of a data structure called a frame. The protocol commonly used on Ethernet is CSMA/CD (Carrier Sense Multiple Access with Collision Detection); here we pay attention to the format of the frame. There are two common standards for the Ethernet frame format: the DIX Ethernet V2 standard and the IEEE 802.3 standard. The most commonly used MAC frame today is the V2 format, which is the one we study; 802.3 frames are not discussed further. The Ethernet V2 frame format is as follows:

  preamble (8 bytes) -> destination address (6 bytes) -> source address (6 bytes) -> type (2 bytes) -> data (46-1500 bytes) -> FCS (4 bytes)

An Ethernet address is a 48-bit binary number, that is, the MAC address or hardware address we often speak of. The MAC frame begins with an 8-byte preamble (synchronization code) and start-of-frame delimiter, followed by header information such as the addresses. After the receiver and sender addresses comes a 2-byte type field that stores the upper-layer protocol type of the data carried in the frame. RFC 1700 specifies these values, as follows:

  Ether type (hex)   Protocol
  0800               IP
  0806               ARP
  8035               Reverse ARP
  809B               AppleTalk
  8137/8138          Novell
  814C               SNMP

The data part of the frame is 46-1500 bytes long; when it is shorter than 46 bytes, a padding field is appended after it.
The FCS (Frame Check Sequence) uses the cyclic redundancy check (CRC) that is common on Ethernet.

The IP protocol is a network layer protocol, and the data unit of the network layer is called an IP datagram. The two concepts of IP address and domain name are not covered here; let us look at the structure of the IP datagram (sizes in bytes; fractions are bits):

  Member name          Size   Description
  Version              1/2    IP version, now IPv4
  IHL (header length)  1/2    header length in 32-bit words; most often 5 (20 bytes), takes values 5-15, maximum 60 bytes
  Type of Service      1      type of service
  Total Length         2      total length of the IP datagram
  Identification       2      identifies the IP datagram
  Flags                3/8    bit 1 = 0 means the datagram may be fragmented; bit 2 = 0 means this is the last fragment
  Fragment Offset      13/8   position of this fragment in the original datagram
  TTL                  1      lifetime of the datagram; recommended value 32 seconds
  Protocol             1      upper-layer protocol
  Header Checksum      2      header check code
  Source Address       4      sender IP address
  Destination Address  4      receiver IP address
  Options and Padding  4      options and padding bits

The value of the Protocol field is very important for analyzing packets, so it is listed here:

  Value  Protocol  Meaning
  1      ICMP      Internet Control Message Protocol
  6      TCP       Transfer Control Protocol
  8      EGP       Exterior Gateway Protocol
  9      IGP       Interior Gateway Protocol
  17     UDP       User Datagram Protocol

We will see these protocol values again later, so please pay attention to them.
Next we introduce the Address Resolution Protocol (ARP/RARP):

  Member name                                Bytes  Description
  Hardware Address Type                      2      hardware type; Ethernet is 1
  Protocol Address Type                      2      upper-layer protocol type; IP is 800 (hex)
  Byte length of each hardware address       1      byte length of the queried physical address; 6 for Ethernet
  Byte length of each protocol address       1      byte length of the upper-layer protocol address; 4 for IPv4
  Opcode                                     2      1 is ARP request, 2 is ARP reply; 3 is RARP request, 4 is RARP reply
  Hardware address of sender of this packet  6      sender hardware address
  Protocol address of sender of this packet  4      sender IP address
  Hardware address of target of this packet  6      hardware address of the queried host
  Protocol address of target of this packet  4      IP address of the queried host

ARP/RARP is used to query the hardware address corresponding to an IP address or, in reverse, the IP address corresponding to a hardware address; we will also see it when analyzing packets.
The ICMP protocol is described next. It is useful to us and relatively simple: it consists of a type (1 byte), a code (1 byte), a checksum (2 bytes), 4 bytes whose meaning depends on the type, and the data.

The transport layer has two important protocols, TCP and UDP. TCP/UDP introduce the concept of the port, which distinguishes the different programs running on one computer. Let us look at the TCP header:

  Member name          Size   Description
  Source Port          2      sender port number
  Destination Port     2      receiver port number
  Sequence Number      4      sequence number of the first byte sent in this segment
  Ack Number           4      sequence number of the next byte expected
  Data Offset          1/2    header length
  Reserved             3/4    reserved for future use
  Control Bits         3/4    control bits
  Window               2      sliding window size
  Checksum             2      checksum
  Urgent Pointer       2      urgent pointer
  Options and Padding  4      optional

TCP is used by network applications that cross routers, such as WWW, e-mail, news, ftp and so on.
UDP adds the concept of the port on top of IP; its structure is simple, only eight bytes, as follows:

  source port (2 bytes) -> destination port (2 bytes) -> length (2 bytes) -> checksum (2 bytes)

II. Program functions and data structures

In this section we introduce some of the functions and data structures used in the program later. The program uses the libpcap library, which can be downloaded from ftp://ftp.ee.lbl.gov/libpcap.tar.z. Here I only introduce the installation method of the library for the environment I used; for other environments please work it out yourself. My purpose is to provide ideas for writing a packet analysis program; the program given in part three is not a practical tool, because in order to show more functionality some parts are not implemented in detail. When writing a real tool, please take care and add the functions you need.

The libpcap library is installed as follows:

1. Unpack the file.
2. Enter the directory and execute ./configure and make.
3. Install the manual pages and include files (root permission is needed) with the command: make install-man install-incl
4. If the include or include/net directory does not exist, create it and execute make install-incl again.
5. Check that the /usr/include/netinet/ directory contains the file protocols.h; if it does not, copy it there. The library is then complete.
The functions and data structures that appear in the program below:

1. pcap_t *pd; this data type is called a packet capture descriptor.

2. pcap_open_live(argv[1], DEFAULT_SNAPLEN, 1, 1000, ebuf); this function initializes the pcap library and returns a pointer to pcap_t data. Its parameter list is as follows:

  char *   name of the network interface
  int      maximum number of bytes to capture per packet
  int      whether to put the network interface card in promiscuous mode (generally 1)
  int      read timeout
  char *   error message buffer

3. pcap_loop(pd, -1, packet_proce, NULL); this function is the core of the program. It uses pcap to obtain packets and returns the number of packets read, or -1 on error. Its parameter list is as follows:

  pcap_t *          packet capture descriptor
  int               number of packets to obtain; -1 means unlimited
  function pointer  the packet processing function
  u_char *          pointer passed on to the packet processing function

4. struct ether_header *eth; this structure stores the Ethernet header information. Its members are: ether_dhost[6], the receiving MAC address; ether_shost[6], the sending MAC address; ether_type, the upper-layer protocol type.

5. fflush(stdout); this function forces buffered output to be written; with the parameter stdout it forces standard output.

6. ntohs(((struct ether_header *)p)->ether_type); this function converts a short from network byte order to host byte order. Related functions are ntohl (long, network to host order), htons (short, host to network order) and htonl (long, host to network order).

7. struct ip *iph; the ip structure is defined in ip.h, and its members correspond to the IP datagram structure from part one, as follows:

  Member  Type                     Description
  ip_hl   4-bit unsigned integer   header length
  ip_v    same                     version, now 4
  ip_tos  8-bit unsigned integer   type of service
  ip_len  16-bit unsigned integer  datagram length
  ip_id   same                     identification
  ip_off  same                     fragment offset and flags
  ip_ttl  8-bit unsigned integer   TTL value
  ip_p    same                     upper-layer protocol
  ip_sum  16-bit unsigned integer  checksum
  ip_src  struct in_addr           sender IP
  ip_dst  same                     receiver IP

8. struct ether_arp *arph; the members of the ether_arp structure are as follows:

  Member   Type                           Description
  ea_hdr   struct arphdr                  the part of the ARP packet other than the addresses
  arp_sha  8-bit unsigned integer array   sender MAC address
  arp_spa  same                           sender IP address
  arp_tha  same                           target MAC address
  arp_tpa  same                           target IP address

9. struct icmphdr *icmph; the icmphdr structure contains a union whose layout differs according to the message type, which is not listed here. Only three of its members are used: type (the type field), code (the code field) and checksum.
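As an added example that is not part of the author's program, the following C function walks the Ethernet V2, IP, TCP and UDP layouts from part one using byte offsets instead of the struct casts described in part two, and checks each header against the captured length before reading it. The sample frame is constructed, and the names decode_frame, frame_info and SAMPLE_TCP are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Summary of one frame; ok == 0 means the capture was too short for the headers it claims (a check the page's callback skips). */
struct frame_info {
    int ok;
    uint16_t ethertype;     /* 0800 IP, 0806 ARP, 8035 RARP (hex), as in the table in part one */
    uint8_t ip_proto, ttl;  /* ip_proto: 1 ICMP, 6 TCP, 17 UDP; 0 when the frame is not IP */
    uint16_t sport, dport;
    size_t payload_off, payload_len;  /* TCP/UDP payload position and length inside the frame */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); } /* ntohs by hand */
/* Walk Ethernet V2 -> IPv4 -> TCP/UDP with the header layouts from part one,
   checking every header against the captured length (caplen) before reading it. */
struct frame_info decode_frame(const uint8_t *pp, size_t caplen)
{
    struct frame_info fi;
    size_t ihl, l4, hdr;
    memset(&fi, 0, sizeof fi);
    if (caplen < 14) return fi;                      /* dst(6) + src(6) + type(2) */
    fi.ethertype = rd16(pp + 12);
    if (fi.ethertype != 0x0800) { fi.ok = 1; return fi; }   /* ARP/RARP carry no IP header */
    if (caplen < 14 + 20) return fi;
    ihl = (size_t)(pp[14] & 0x0f) * 4;               /* IHL in 32-bit words: 5..15 */
    if (ihl < 20 || caplen < 14 + ihl) return fi;
    fi.ttl = pp[14 + 8];
    fi.ip_proto = pp[14 + 9];
    l4 = 14 + ihl;
    if (fi.ip_proto == 6) {                          /* TCP: data offset (words) at byte 12 */
        if (caplen < l4 + 20) return fi;
        hdr = (size_t)(pp[l4 + 12] >> 4) * 4;
        if (hdr < 20 || caplen < l4 + hdr) return fi;
    } else if (fi.ip_proto == 17) {                  /* UDP: fixed 8-byte header */
        if (caplen < l4 + 8) return fi;
        hdr = 8;
    } else { fi.ok = 1; return fi; }                 /* ICMP and others: stop at the IP header */
    fi.sport = rd16(pp + l4);
    fi.dport = rd16(pp + l4 + 2);
    fi.payload_off = l4 + hdr;
    fi.payload_len = caplen - fi.payload_off;
    fi.ok = 1;
    return fi;
}
/* Constructed sample, not a real capture: Ethernet + IPv4 (IHL 5, TTL 64, proto 6) + TCP 1234 -> 80
   (data offset 5) + 5 payload bytes. Checksums are left as 0. */
static const uint8_t SAMPLE_TCP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,           /* Ethernet */
    0x45,0x00,0x00,0x2d, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2, /* IPv4 */
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0, 'H','E','L','L','O' }; /* TCP + data */
```

The same caplen check belongs in a real pcap callback before the header casts, because a short capture (a small snaplen or a runt frame) otherwise makes the code read past the buffer it was handed.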
III. Analysis of the example program
// example.c
// Usage: example <network interface>   (the argument name is stripped on the page)
// The start of the listing (the #include lines, MAXSTRINGSIZE/MAXSIZE, the host-name
// cache "sq" and the helpers print_hwadd, print_ipadd, iptohost and getportname)
// is missing from the page; the headers the visible code needs are listed here.
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <pcap.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>

/* ... tail of the host-name lookup routine; its beginning is cut off on the page ... */
        shostname = gethostbyaddr((char *)&ipad, sizeof(ipad), AF_INET);
        if (shostname != NULL)
            strcpy(sq->table[i].hostname, shostname->h_name);
        else
            strcpy(sq->table[i].hostname, "");   /* no reverse name: store an empty string */
        sq->rear = (sq->rear + 1) % MAXSIZE;     /* advance the circular name cache */
    }
}

/* print the host name for a 4-byte IP address, or the address itself if no name is known */
void print_hostname(u_char *ipadd)
{
    unsigned long int ipad;
    char hostn[MAXSTRINGSIZE];

    ipad = *((unsigned long int *)ipadd);   /* the address as stored in the header */
    iptohost(ipad, hostn);
    if (strlen(hostn) > 0)
        printf("%s", hostn);
    else
        print_ipadd(ipadd);
}

/* packet handling: called by pcap_loop once for every captured packet */
void packet_proce(u_char *packets, const struct pcap_pkthdr *header, const u_char *pp)
{
    struct ether_header *eth;   /* Ethernet frame header pointer */
    struct ether_arp *arph;     /* ARP header */
    struct ip *iph;             /* IP header */
    struct tcphdr *tcph;
    struct udphdr *udph;
    u_short srcport, dstport;                        /* port numbers */
    char protocol[MAXSTRINGSIZE];                    /* protocol type */
    char srcp[MAXSTRINGSIZE], dstp[MAXSTRINGSIZE];   /* port names */
    unsigned int ptype;                              /* protocol type variable */
    u_char *data;                                    /* packet data pointer */
    u_char tcpudpdata[MAXSTRINGSIZE];                /* packet data */
    int i = 0, paylen;                               /* i starts at 0: the ICMP branch copies nothing */

    eth = (struct ether_header *)pp;
    ptype = ntohs(((struct ether_header *)pp)->ether_type);
    if ((ptype == ETHERTYPE_ARP) || (ptype == ETHERTYPE_REVARP)) {
        arph = (struct ether_arp *)(pp + sizeof(struct ether_header));
        if (ptype == ETHERTYPE_ARP)        /* output the protocol type */
            printf("ARP ");
        else
            printf("RARP ");
        print_hwadd((u_char *)&(arph->arp_sha));
        printf("(");
        print_hostname((u_char *)&(arph->arp_spa));
        printf(") -> ");
        print_hwadd((u_char *)&(arph->arp_tha));
        printf("(");
        print_hostname((u_char *)&(arph->arp_tpa));
        printf(")\tpacketlen:%d", header->len);
    } else if (ptype == ETHERTYPE_IP) {    /* IP datagram */
        iph = (struct ip *)(pp + sizeof(struct ether_header));
        if (iph->ip_p == 1) {              /* ICMP packet */
            strcpy(protocol, "ICMP");
            srcport = dstport = 0;
        } else if (iph->ip_p == 6) {       /* TCP packet */
            strcpy(protocol, "TCP");
            tcph = (struct tcphdr *)(pp + sizeof(struct ether_header) + 4 * iph->ip_hl);
            srcport = ntohs(tcph->source);
            dstport = ntohs(tcph->dest);
            data = (u_char *)(pp + sizeof(struct ether_header) + 4 * iph->ip_hl + 4 * tcph->doff);
            /* copy the payload, bounded by the captured length and by the buffer */
            paylen = (int)header->caplen - (int)(sizeof(struct ether_header) + 4 * iph->ip_hl + 4 * tcph->doff);
            for (i = 0; i < MAXSTRINGSIZE - 1 && i < paylen; i++)
                tcpudpdata[i] = data[i];
        } else if (iph->ip_p == 17) {      /* UDP packet ("==", not the "=" printed on the page) */
            strcpy(protocol, "UDP");
            udph = (struct udphdr *)(pp + sizeof(struct ether_header) + 4 * iph->ip_hl);
            srcport = ntohs(udph->source);
            dstport = ntohs(udph->dest);
            data = (u_char *)(pp + sizeof(struct ether_header) + 4 * iph->ip_hl + 8);
            paylen = (int)header->caplen - (int)(sizeof(struct ether_header) + 4 * iph->ip_hl + 8);
            for (i = 0; i < MAXSTRINGSIZE - 1 && i < paylen; i++)
                tcpudpdata[i] = data[i];
        } else {                           /* other IP protocols: the page's code left protocol unset here */
            strcpy(protocol, "OTHER");
            srcport = dstport = 0;
        }
        tcpudpdata[i] = '\0';
        getportname(srcport, srcp, protocol);
        getportname(dstport, dstp, protocol);
        printf("IP ");
        print_hwadd(eth->ether_shost);
        printf("(");
        print_hostname((u_char *)&(iph->ip_src));
        printf(")[%s:%s] -> ", protocol, srcp);
        print_hwadd(eth->ether_dhost);
        printf("(");
        print_hostname((u_char *)&(iph->ip_dst));
        printf(")[%s:%s]", protocol, dstp);
        printf("\tTTL:%d packetlen:%d", iph->ip_ttl, header->len);
        printf("\n");
        printf("%s", tcpudpdata);
        printf("==endpacket==");
    }
    printf("\n");
}

/* main function: captures packets and initializes the program environment */
int main(int argc, char **argv)
{
    char ebuf[PCAP_ERRBUF_SIZE];
    pcap_t *pd;

    if (argc <= 1) {                       /* parameter check */
        printf("Usage: %s
/* ... the rest of the listing (usage text, pcap_open_live, pcap_loop) is cut off on the page ... */