Implementation of packet capture program based on Libpcap

Objective

原创文章欢迎转载，请保留出处。若有任何疑问建议，欢迎回复。邮箱:[email protected]

Next, after successfully grasping the bag through tcpdump and Wireshark, try to write a clutch. Here we use the LIBPCAP library development.

Create a configuration Project

Here we use Eclipse for C + + development, installation, only need to go to eclipse official download decompression can be run, it is important to note that eclipse to start with root privileges, or can not grasp the package.

First create a blank C language Project, tool chain Select Linux GCC

Add source files, name MAIN.C, first to configure under, right click on Project, select Properties, Link pcap as shown:

Write a Grab Bag program

Here I do not introduce the Libpcap API, can refer to
http://www.ferrisxu.com/WinPcap/html/group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437

Here I wrote a simple grab bag, get 80 ports of 30 packets:

#include <stdio.h>#include <string.h>#include <pcap.h>voidPacket_handler (U_char *user,Const structPcap_pkthdr *pkt_header,ConstU_char *pkt_data) {pcap_dump (user, Pkt_header, pkt_data);//Output data to file    printf("jacked a packet with length of [%d]\n", Pkt_header->len);//Print the length of the bag caught}intMainintargcChar*argv[]) {pcap_t *handle;//Session handle    CharErrbuf[pcap_errbuf_size];//String that stores error informationBpf_u_int32 Mask;//Mask of the network in which it residesBpf_u_int32 net;//IP address of the host    structBpf_program filter;//Well-compiled filters    CharFilter_app[] ="Port";//BPF filtering rules, and tcpdump using the same filtering rules    /* Probe devices and properties */    Char*dev;//Specify the device that needs to be caught our two devices under Linux eth0 and Lo are NIC and local loopback, respectivelydev = Pcap_lookupdev (errbuf);//Return to the first legitimate device, and here I am eth0Pcap_lookupnet (Dev, &net, &mask, errbuf);//dev = "Lo"; If you need to crawl local packets, such as the filter expression is host localhost, you can specify directly    / * Open Session in Promiscuous mode * /handle = Pcap_open_live (Dev, Bufsiz,1,0, ERRBUF);/ * Compile and apply the filter * /Pcap_compile (handle, &filter, Filter_app,0, net); Pcap_setfilter (handle, &filter);/ * Define output file * /pcap_dumper_t* Out_pcap; Out_pcap = Pcap_dump_open (handle,"/home/max/pack.pcap");/ * Intercept 30 Packs * /Pcap_loop (Handle, -, Packet_handler, (U_char *) out_pcap);/ * Flush buffer * /Pcap_dump_flush (OUT_PCAP);/ * Close resource * /Pcap_close (handle); Pcap_dump_close (OUT_PCAP);return(0);}

Compile run, after running, start the browser casually browse, you can catch the package, and saved in the file.

If a program file is not specified in the launch configuration is present. Problem
Workaround: http://www.th7.cn/Program/cp/201408/269716.shtml

And then use Wireshark to read the file to try to parse

Successful, if you want to change the cost of the bag, only need to set the Dev to Lo and the BPF filter rules set to host localhost.

Implementation of packet capture program based on Libpcap