Packet capture program based on libpcap
Preface
Original articles may be reposted; please retain the source. Questions and suggestions are welcome in the comments or by e-mail: Maxwell_nc@163.com
Having already captured packets with tcpdump and Wireshark, the next step is to write a sniffer of our own. Here we develop it against the libpcap library.
Create and configure the project
Here we use Eclipse for C/C++ for development. To install it, download the archive from the Eclipse website and unpack it. Note that Eclipse must be started with root privileges, otherwise the program it launches cannot open the interface for capture: pcap_open_live() fails with a permission error because a raw capture socket requires CAP_NET_RAW. Running the whole IDE as root is heavy-handed; on Linux a narrower alternative is to grant only the cap_net_raw and cap_net_admin file capabilities to the compiled binary with setcap(8) and run it as an ordinary user.
First, create a blank C project.
Add a source file named main.c. Then configure the linker: right-click the project, choose Properties, and add pcap to the libraries the linker searches (the -lpcap flag), as shown in the figure:
Write a packet capture program
I will not go through the libpcap API function by function here. For details, refer to:
http://www.ferrisxu.com/WinPcap/html/group__wpcapfunc.html#g659439bf5aa3988b5a92d31990fbf437
Below is a simple sniffer that captures 30 packets on port 80 and writes them to a pcap file:
```c
#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>

/* Called by pcap_loop() once per captured packet. `user` is the
 * pcap_dumper_t* passed to pcap_loop(), so each packet is appended
 * to the output file and its length is printed. */
void packet_handler(u_char *user, const struct pcap_pkthdr *pkt_header,
                    const u_char *pkt_data)
{
    pcap_dump(user, pkt_header, pkt_data);              /* write the packet to the file */
    printf("Jacked a packet with length of [%u]\n",     /* print the captured packet length */
           pkt_header->len);
}

int main(int argc, char *argv[])
{
    pcap_t *handle;                  /* session handle */
    char errbuf[PCAP_ERRBUF_SIZE];   /* buffer for libpcap error messages */
    bpf_u_int32 mask;                /* netmask of the capture interface */
    bpf_u_int32 net;                 /* network address of the capture interface */
    struct bpf_program filter;       /* the compiled filter */
    char filter_app[] = "port 80";   /* BPF filter rule; same syntax as tcpdump */

    /* Probe devices and properties. On Linux, eth0 is a NIC and lo is the
     * local loopback. pcap_lookupdev() returns the first non-loopback
     * interface it finds (eth0 here). */
    char *dev = pcap_lookupdev(errbuf);
    if (dev == NULL) {
        fprintf(stderr, "pcap_lookupdev: %s\n", errbuf);
        return 1;
    }
    /* dev = "lo";  uncomment to capture local traffic, e.g. with the filter "host localhost" */
    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
        fprintf(stderr, "pcap_lookupnet: %s\n", errbuf);
        net = 0;
        mask = 0;
    }

    /* Open the session in promiscuous mode. A read timeout of 0 is not
     * defined by libpcap and may block until the kernel buffer fills, so
     * use 1000 ms. */
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "pcap_open_live(%s): %s\n", dev, errbuf);
        return 1;
    }

    /* Compile and apply the filter. The last argument is the netmask
     * (not the network address); it is only used for "broadcast" tests. */
    if (pcap_compile(handle, &filter, filter_app, 0, mask) == -1) {
        fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(handle));
        return 1;
    }
    if (pcap_setfilter(handle, &filter) == -1) {
        fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(handle));
        return 1;
    }

    /* Define the output file */
    pcap_dumper_t *out_pcap = pcap_dump_open(handle, "/home/max/pack.pcap");
    if (out_pcap == NULL) {
        fprintf(stderr, "pcap_dump_open: %s\n", pcap_geterr(handle));
        return 1;
    }

    /* Capture 30 packets */
    pcap_loop(handle, 30, packet_handler, (u_char *)out_pcap);

    /* Flush the buffer and close resources */
    pcap_dump_flush(out_pcap);
    pcap_dump_close(out_pcap);
    pcap_freecode(&filter);
    pcap_close(handle);
    return 0;
}
```
Compile and run the program. While it is running, open a browser and load a few web pages; the matching packets are written to the file. Note that "port 80" only matches plain HTTP: HTTPS traffic runs on port 443 and will not be captured by this filter.
If Eclipse reports "A program file was not specified in the launch configuration", see the fix here:
http://www.th7.cn/Program/cp/201408/269716.shtml
Then open the file in Wireshark and inspect the parsed packets.
If you want to capture local traffic instead, set dev to "lo" and change the BPF filter rule to "host localhost" (which resolves to 127.0.0.1). This has to be done by hand because pcap_lookupdev() never returns the loopback interface; it picks the first non-loopback one, which is eth0 on older distributions and a predictable name such as enp0s3 on newer ones. pcap_findalldevs() lists every interface libpcap can see if you are unsure which name to use.
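Wireshark does the parsing for you, but it is instructive to decode the saved file yourself. The following is an added example, not code from the original post: it walks a classic pcap file image (24-byte global header, then 16-byte record headers), which is the format pcap_dump_open() writes, and decodes each Ethernet/IPv4/TCP frame into a 5-tuple plus TCP flags, verifying the IPv4 header checksum and bounds-checking every length taken from the wire before trusting it. The sample capture (SAMPLE_PCAP) is a constructed 94-byte buffer holding one TCP SYN to port 80, not a real capture, and the parser assumes a little-endian writer (magic 0xa1b2c3d4 as written on x86) and the Ethernet link type; pcapng and the nanosecond-magic variant are deliberately rejected with -1.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded TCP/IPv4 5-tuple plus TCP flags for one captured frame. */
struct flow {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  tcp_flags;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint32_t le32(const uint8_t *p) {          /* pcap file headers are host-endian */
    return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* RFC 1071 one's-complement sum over an IPv4 header; 0 means the stored checksum is valid. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += be16(hdr + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode Ethernet -> IPv4 -> TCP. Returns 1 on success, 0 for anything that is not a
 * well-formed TCP/IPv4 frame. Every length field is checked against the bytes actually
 * present before it is used; a sniffer that trusts wire lengths is itself attackable. */
int decode_tcp_frame(const uint8_t *frame, size_t len, struct flow *f) {
    if (len < 14 || be16(frame + 12) != 0x0800) return 0;       /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, total = be16(ip + 2);
    if (ihl < 20 || ihl > rem || total < ihl || total > rem) return 0;
    if (ipv4_checksum(ip, ihl) != 0) return 0;                  /* corrupt header */
    if (ip[9] != 6) return 0;                                   /* not TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    if (tcp_len < 20) return 0;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcp_len) return 0;
    f->src_ip = be32(ip + 12);   f->dst_ip = be32(ip + 16);
    f->src_port = be16(tcp);     f->dst_port = be16(tcp + 2);
    f->tcp_flags = tcp[13];
    return 1;
}

/* Walk a classic little-endian pcap image with Ethernet link type and decode each record.
 * Returns the number of TCP/IPv4 flows written to out, or -1 if the global header is not
 * the expected format (pcapng, nanosecond magic and big-endian writers are rejected). */
int parse_pcap_buffer(const uint8_t *buf, size_t len, struct flow *out, size_t max) {
    if (len < 24 || le32(buf) != 0xa1b2c3d4 || le32(buf + 20) != 1) return -1;
    size_t off = 24, n = 0;
    while (off + 16 <= len && n < max) {
        size_t incl = le32(buf + off + 8);                      /* captured length */
        off += 16;
        if (incl > len - off) break;                            /* truncated record */
        if (decode_tcp_frame(buf + off, incl, &out[n])) n++;
        off += incl;
    }
    return (int)n;
}

/* Constructed sample (not a real capture): pcap global header, one record header,
 * and a 54-byte Ethernet/IPv4/TCP SYN from 192.168.1.10:50000 to 93.184.216.34:80. */
const uint8_t SAMPLE_PCAP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0,0,0,0, 0,0,0,0, 0x36,0,0,0, 0x36,0,0,0,                   /* ts, incl_len=54, orig_len=54 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x43,0x42,              /* IPv4, csum 0x4342 */
    0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,
    0xc3,0x50,0x00,0x50, 0,0,0,0x01, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0, 0,0    /* TCP SYN */
};
const size_t SAMPLE_PCAP_LEN = sizeof(SAMPLE_PCAP);

static void print_ip(uint32_t ip) {
    printf("%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

int main(void) {
    struct flow flows[8];
    int n = parse_pcap_buffer(SAMPLE_PCAP, SAMPLE_PCAP_LEN, flows, 8);
    for (int i = 0; i < n; i++) {
        print_ip(flows[i].src_ip); printf(":%u -> ", flows[i].src_port);
        print_ip(flows[i].dst_ip); printf(":%u flags=0x%02x\n", flows[i].dst_port, flows[i].tcp_flags);
    }
    return n == 1 ? 0 : 1;
}
```

To run it against the file the sniffer produced, read /home/max/pack.pcap into a buffer and pass it to parse_pcap_buffer(); frames that are not TCP over IPv4 (ARP, IPv6, UDP) are skipped rather than mis-decoded, and a record whose captured length exceeds the bytes left in the file ends the walk instead of reading past the buffer.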