/*
 * Network packet capture: basic principle
 */
#include /* TODO: header names lost in extraction; the code below needs Winsock 2 (<winsock2.h>), <mstcpip.h> for SIO_RCVALL, and the C stdio/string headers */
#define STATUS_FAILED 0xFFFFFFF     // error code used by the decoders (value as shown on the page)
#define MAX_PACK_LEN 65535          // largest IP packet accepted into recvBuf in main()
#define MAX_ADDR_LEN 16             // dotted-quad text buffer ("255.255.255.255" plus NUL)
#define MAX_PROTO_TEXT_LEN 16       // longest sub-protocol name (e.g. "TCP") incl. NUL
#define MAX_PROTO_NUM 12            // number of rows in ProtoMap
#define MAX_HOSTNAME_LAN 255        // host name buffer size passed to gethostname()
#define CMD_PARAM_HELP TRUE         // getCmdLine() result on which main() exits (help was requested)
HANDLE hFile = NULL;   // "NetReport.txt", created (CREATE_ALWAYS) in main(); presumably written by the decoders, which are not shown here
HANDLE hParse = NULL;  // "NR.txt", created in main() the same way
// IPv4 header as received on the raw socket. All fields are naturally aligned,
// so the struct is 20 bytes without any packing pragma. Multi-byte fields are in
// network byte order (DecodeIpPack feeds the addresses straight to inet_ntoa()).
typedef struct _iphdr {
  unsigned char  h_lenver;        // low 4 bits: header length in 32-bit words (see DecodeIpPack); high 4 bits: IP version
  unsigned char  tos;             // 8-bit type of service
  unsigned short total_len;       // 16-bit total length (bytes)
  unsigned short ide;             // 16-bit identification
  unsigned short frame_and_flags; // 3-bit flags + 13-bit fragment offset
  unsigned char  ttl;             // 8-bit time to live
  unsigned char  proto;           // 8-bit protocol number (IPPROTO_TCP, IPPROTO_UDP, ...)
  unsigned short checksum;        // 16-bit header checksum
  unsigned int   sourceIP;        // 32-bit source address
  unsigned int   destIP;          // 32-bit destination address
} IP_HEADER;
// TCP header (fixed 20-byte part; options, if any, follow it).
typedef struct _tcphdr {
  USHORT        th_sport;   // 16-bit source port
  USHORT        th_dport;   // 16-bit destination port
  unsigned int  th_seq;     // 32-bit sequence number
  unsigned int  th_ack;     // 32-bit acknowledgement number
  unsigned char th_lenres;  // 4-bit header length (32-bit words) + first 4 reserved bits
  unsigned char th_flag;    // remaining 2 reserved bits + 6 flag bits (see TcpFlag for the letters)
  USHORT        th_win;     // 16-bit window size
  USHORT        th_sum;     // 16-bit checksum
  USHORT        th_urp;     // 16-bit urgent pointer
} TCP_HEADER;
// UDP header (8 bytes).
typedef struct _udphdr {
  unsigned short uh_sport;  // 16-bit source port
  unsigned short uh_dport;  // 16-bit destination port
  unsigned short uh_len;    // 16-bit length of header + payload
  unsigned short uh_sum;    // 16-bit checksum
} UDP_HEADER;
// ICMP header as this program models it: the common 4-byte part plus the
// identifier/sequence pair and a timestamp (echo-style messages). 12 bytes.
typedef struct _icmphdr {
  BYTE   i_type;     // 8-bit message type
  BYTE   i_code;     // 8-bit message code
  USHORT i_cksum;    // 16-bit checksum
  USHORT i_id;       // identifier (the sender's process id is a common choice)
  USHORT i_seq;      // sequence number
  ULONG  timestamp;  // timestamp carried in the message
} ICMP_HEADER;
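// One row of the sub-protocol name table used by CheckProtocol().
typedef struct _protomap {
  int  ProtoNum;                      // IPPROTO_* value
  char ProtoText[MAX_PROTO_TEXT_LEN]; // printable name, e.g. "TCP"
} PROTOMAP;

// Sub-protocol mapping table: exactly MAX_PROTO_NUM rows, the last one being
// the {0, ""} end sentinel. Note that IPPROTO_IP is also 0, so a lookup that
// stops at the first ProtoNum match yields "IP" for protocol 0 before it ever
// reaches the sentinel (CheckProtocol's loop body is not visible here; confirm).
PROTOMAP ProtoMap[MAX_PROTO_NUM] = {
  {IPPROTO_IP,   "IP"},
  {IPPROTO_ICMP, "ICMP"},
  {IPPROTO_IGMP, "IGMP"},
  {IPPROTO_GGP,  "GGP"},
  {IPPROTO_TCP,  "TCP"},   // restored: the table lacked this row, so TCP packets decoded by DecodeIpPack got no name
  {IPPROTO_PUP,  "PUP"},
  {IPPROTO_UDP,  "UDP"},
  {IPPROTO_IDP,  "IDP"},
  {IPPROTO_ND,   "ND"},    // label normalised to the constant's suffix like every other row
  {IPPROTO_RAW,  "RAW"},
  {IPPROTO_MAX,  "MAX"},
  {0,            ""}       // end sentinel
};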
SOCKET SockRaw;                                     // raw IP socket opened and bound in main()
char TcpFlag[6] = {'F', 'S', 'R', 'P', 'A', 'U'};   // one letter per TCP flag bit (FIN SYN RST PSH ACK URG); letters reconstructed in upper case
BOOL ParamTcp = FALSE;                              // -t: report TCP packets
BOOL ParamUdp = FALSE;                              // UDP switch (its letter was lost on the page): report UDP packets
BOOL ParamIcmp = FALSE;                             // -i: report ICMP packets
BOOL ParamDecode = FALSE;                           // -d: decode packet contents
char *strFromIpFilter = NULL;                       // when set, only packets whose source address equals this dotted quad pass
char *strDestIpFilter = NULL;                       // when set, only packets whose destination address equals this dotted quad pass
char *strSensitive = NULL;                          // "sensitive" string; used by the decoders, which are not shown here
int iPortFilter = 0;                                // port filter; presumably 0 means no filtering (consumer not shown here)
int iProtocol, iTTL;                                // protocol number and TTL of the packet currently being decoded
char szProtocol[MAX_PROTO_TEXT_LEN];                // protocol name of the current packet
char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN]; // dotted-quad source/destination of the current packet
int DecodeIpPack(char *, int);        // IP unpacking: filters the packet, dispatches to the sub-decoders
int DecodeTcpPack(char *, int);       // TCP unpacking (receives buf + IP header length)
int DecodeUdpPack(char *, int);       // UDP unpacking
int DecodeIcmpPack(char *, int);      // ICMP unpacking
void CheckSockError(int, char *);     // error handler: called with a Winsock result and the name of the call that produced it
char *CheckProtocol(int);             // protocol number -> name via ProtoMap
void usage(void);                     // prints usage text
BOOL getCmdLine(int, char **);        // command-line parsing; returns CMD_PARAM_HELP when help was requested
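// Entry point: opens the report files, creates a raw IP socket in receive-all
// mode on the local host's first address, and feeds every received packet to
// DecodeIpPack(). Requires administrator rights for SOCK_RAW / SIO_RCVALL.
int main(int argc, char **argv) {
  // Both report files are recreated on every run. FILE_ALL_ACCESS is more than
  // a log writer needs; GENERIC_WRITE would suffice (kept as on the page).
  hFile = ::CreateFile("NetReport.txt", FILE_ALL_ACCESS, FILE_SHARE_READ, NULL,
                       CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  hParse = ::CreateFile("NR.txt", FILE_ALL_ACCESS, FILE_SHARE_READ, NULL,
                        CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  int iErrorCode;
  char recvBuf[MAX_PACK_LEN] = {0};

  usage();
  if (getCmdLine(argc, argv) == CMD_PARAM_HELP) exit(0);

  // Initialise Winsock and open the raw socket. INVALID_SOCKET converts to -1
  // when passed as an int, which is what CheckSockError() sees.
  WSADATA wsaData;
  iErrorCode = WSAStartup(MAKEWORD(2, 1), &wsaData);
  CheckSockError(iErrorCode, "WSAStartup");
  SockRaw = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
  CheckSockError(SockRaw, "socket");

  // Resolve the local host's first IPv4 address. gethostbyname() returns a
  // pointer to a buffer owned by Winsock: the original malloc() leaked and the
  // free() of that pointer was undefined behaviour, so neither is done here.
  char FAR name[MAX_HOSTNAME_LAN];
  iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);
  CheckSockError(iErrorCode, "gethostname");
  SOCKADDR_IN sa;
  struct hostent FAR *pHostent = gethostbyname(name);
  if (pHostent == NULL || pHostent->h_addr_list[0] == NULL ||
      pHostent->h_addrtype != AF_INET ||
      pHostent->h_length != (int)sizeof(sa.sin_addr.s_addr)) {
    printf("gethostbyname: no usable IPv4 address for local host\n");
    exit(1);
  }
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6000);  // the port has no meaning for a raw IP socket; kept as on the page
  memcpy(&sa.sin_addr.s_addr, pHostent->h_addr_list[0], pHostent->h_length);
  iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));
  CheckSockError(iErrorCode, "Bind");

  // SIO_RCVALL switches the bound interface into receive-all mode so every IP
  // packet it sees is delivered to this socket.
  DWORD dwBufferLen[10];
  DWORD dwBufferInLen = 1;
  DWORD dwBytesReturned = 0;
  iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
                        &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL);
  CheckSockError(iErrorCode, "Ioctl");

  // Capture loop. The byte count returned by recv() -- not sizeof(recvBuf) --
  // is the packet length handed to DecodeIpPack().
  while (1) {
    memset(recvBuf, 0, sizeof(recvBuf));
    iErrorCode = recv(SockRaw, recvBuf, sizeof(recvBuf), 0);
    CheckSockError(iErrorCode, "recv");
    iErrorCode = DecodeIpPack(recvBuf, iErrorCode);
    CheckSockError(iErrorCode, "Decode");
  }

  // Not reached today (the loop has no exit); kept as the cleanup sequence for
  // a future stop condition.
  closesocket(SockRaw);
  WSACleanup();
  ::CloseHandle(hFile);
  ::CloseHandle(hParse);
  return 0;
}

// IP unpacking: applies the protocol and address filters, records the
// protocol name, addresses and TTL in the globals, then passes the transport
// header to the matching sub-decoder.
//   buf      - received packet, starting at the IP header
//   iBufSize - number of bytes actually received into buf
// Returns true in every case (the caller only checks the value for an error).
int DecodeIpPack(char *buf, int iBufSize) {
  // Anything shorter than a fixed IP header cannot be parsed; the cast below
  // would otherwise read past the received bytes.
  if (buf == NULL || iBufSize < (int)sizeof(IP_HEADER)) return true;
  IP_HEADER *pIpheader = (IP_HEADER *)buf;
  SOCKADDR_IN saSource, saDest;

  // Protocol filter. The original dropped every TCP packet unconditionally;
  // TCP now honours its switch exactly like UDP and ICMP do.
  iProtocol = pIpheader->proto;
  strncpy(szProtocol, CheckProtocol(iProtocol), MAX_PROTO_TEXT_LEN);
  szProtocol[MAX_PROTO_TEXT_LEN - 1] = '\0';  // strncpy does not terminate on truncation
  if ((iProtocol == IPPROTO_TCP) && (!ParamTcp)) return true;
  if ((iProtocol == IPPROTO_UDP) && (!ParamUdp)) return true;
  if ((iProtocol == IPPROTO_ICMP) && (!ParamIcmp)) return true;

  // Source address filter: exact dotted-quad string match.
  saSource.sin_addr.s_addr = pIpheader->sourceIP;
  strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);
  szSourceIP[MAX_ADDR_LEN - 1] = '\0';
  if (strFromIpFilter && strcmp(strFromIpFilter, szSourceIP) != 0) return true;

  // Destination address filter.
  saDest.sin_addr.s_addr = pIpheader->destIP;
  strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN);
  szDestIP[MAX_ADDR_LEN - 1] = '\0';
  if (strDestIpFilter && strcmp(strDestIpFilter, szDestIP) != 0) return true;
  iTTL = pIpheader->ttl;

  // IP header length: low nibble of h_lenver in 32-bit words (sizeof(unsigned long)
  // is 4 on Windows). A length below the fixed header size or beyond what was
  // received is a malformed packet; it must not be handed to the sub-decoders,
  // which would otherwise index past the buffer.
  int iIphLen = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);
  if (iIphLen < (int)sizeof(IP_HEADER) || iIphLen > iBufSize) return true;

  // Dispatch to the protocol-specific decoder. The second argument is still the
  // whole packet length, as on the page. TODO(review): confirm the decoders
  // subtract iIphLen before using it as a payload bound; otherwise pass
  // iBufSize - iIphLen here.
  switch (iProtocol) {
    case IPPROTO_TCP:  DecodeTcpPack(buf + iIphLen, iBufSize);  break;
    case IPPROTO_UDP:  DecodeUdpPack(buf + iIphLen, iBufSize);  break;
    case IPPROTO_ICMP: DecodeIcmpPack(buf + iIphLen, iBufSize); break;
    default: break;
  }
  return true;
}

// Protocol identification: maps a protocol number to its ProtoMap name.
// (Definition continues beyond this chunk.)
char *CheckProtocol(int iProtocol) { for (int i = 0; i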