Preliminary Exploration of Data Packet Analysis Program Design

I have seen many good articles on the Internet all day, but I found that most articles are either theoretical or too advanced. Detailed analysis of problems is rarely introduced. Today, I want to discuss Network Programming Problems with the topic of the data packet analysis program. I am also a newbie. If I have any problems, I hope you will not give me any corrections.
Through the analysis of data packets, we can determine the system, network information traffic, route, packet size, and packet content of both parties. For those who like network security, it is very important to master this knowledge. In today's network communication, most of the data is not encrypted. We can easily extract the data we care about, such as accounts and passwords from data packets. if you have any difficulty reading this article, you can first read the books on computer networks, C programming, and protocol analysis. Next, I will divide the TCP/IP protocol structure, program functions and data structure description, and Case program analysis into three parts to learn the design method of the data packet analysis program.

I. TCP/IP protocol structure
Before talking about TCP/IP, let's first get to know Ethernet, because Ethernet is the most commonly used, and the research of data packets is inseparable from Ethernet frames. In Ethernet, data is exchanged in units of the data structure called frames. The commonly used protocols in Ethernet are CSMA/CD (Carrier Sense Multiple Access with Collision Detection), that is, carrier monitoring Multi-Point Access/collision detection. Here, we focus on the frame format. There are two common Ethernet frame formats: dix Ethernet V2 and IEEE 802.3. Currently, the most common MAC frame format is V2, which is also the format we want to study. We will not discuss the 802.3 frames. The format of an Ethernet V2 frame is as follows:
(Insert 8 bytes) Destination Address (6 bytes)-> source address (6 bytes)-> type (2 bytes)-> data (46-1500)-> FCS (4 bytes)
The ethernet address is represented by a 48-bit binary, that is, the MAC address and hardware address. There are 8 bytes of the front synchronization code and the start Separator of the frame before the MAC frame, followed by header information such as the address. The receiving end and the sending end address are two-byte type fields that store the upper-layer protocol type of the transmitted data in the frame. rfc1700 specifies these fields as follows:
Ether types (hexadecimal) Protocols
800 IP
806 ARP
8035 revese ARP
809b Apple Talk
8137/8138 novel
814c SNMP
The data part of the frame is-bytes in length. When the frame is smaller than 46, an integer byte Filling Field is added to the end. Frame check sequence checks (CRC: cyclic redandancy check) are commonly used in Ethernet Cyclic Redundancy checks ).
The IP protocol is a network layer protocol. The data structure at the network layer is called an IP datagram. We will not talk about the concepts of IP addresses and domain names. Let's take a look at the structure of IP datagram:
Description of the number of member names in bytes
Version 1/2 IP version, which is IPv4
IHL (submission length) 1/2 is the most commonly used 20, take the value before 5-15, the maximum is 60 bytes
Type of Service 1 priority and number of * service requirements
Total lenth 2 IP datagram Length
Identification 2 identifies IP datagram numbers
Flags 3/8 1-Bit 0 indicates a broken block, 2-Bit 0 indicates the last broken block, and 1 indicates receiving.
Fragment Offset 13/8 position of the part in the original group
TTL 1 datagram lifetime, recommended value: 32 seconds
Protocol 1 upper layer protocol
Headerchecksum 2 header Verification Code
Source Address 4 sending IP Address
Destination Address 4 acceptor IP Address
Options and padding 4 options and fill bit
Among them, the value of the Protocol field is very important for us to analyze the data packet, which is listed below for you:
Value protocol meaning
1 ICMP Internet Control Message Protocol
6 TCP tranfer Control Protocol
8 EGP exterior Gateway Protocol
9 IGP interior gateway protocol
17 UDP user datasync Protocol
We can see the values of the following protocols in subsequent programs. Please note them carefully. Next we will introduce the Address Resolution Protocol (arp/RARP ):
Description of the number of member names in bytes
Hardware address 2 hardware type, Ethernet is 1
Protocol address 2 upper-layer protocol type, IP 800
Byte Length of each hardware 1 query the length of the physical address in bytes. The Ethernet is 6
Byte Length of each Protocol address 1 query the byte length of the Upper-layer protocol, 4 for IPv4
Opcode 2 1 indicates the ARP request, 2 indicates the response, 3 indicates the RARP request, and 4 indicates the response.
Hardware address of sender of this packet 6 hardware address of the sender
Protocol address of sender of this packet 4 sender IP Address
Hardware address of target of this packet 6 query object hardware address
Protocol address of target of this packet 4 query object IP Address
Arp/RARP is used to query the hardware address corresponding to the IP address or to query the IP address in turn. This can also be seen when we analyze data packets. The following describes the ICMP protocol. The commonly used ping command uses this protocol. This protocol is relatively simple, including type (1 byte), Code (1 byte), validation (2 byte) there are also four bytes of variable parts related to the type and data structure.
There are two important protocols for data packets in the transport layer: TCP, UDP, and TCP/UDP. Let's take a look at the composition of the TCP datagram header:
Description of the number of member names in bytes
Source Port 2 sending terminal slogan
Destination Port 2 receiving end port number
Sequence No 4 sequence number of the first byte sent in this section
Ack number 4 the serial number of the next packet segment to be received
Data offset 1/2 Header Length
Reserved 3/4 reserved for future use
Contol bits 3/4 control bit
Window 2 Sliding Window Size
Checksum 2 Test
Urgent Pointer 2 Emergency pointer
Options and padding 4 (optional)
TCP is used in network applications that provide network services across routers, such as WWW, email, news, and FTP. UDP adds the port concept on the basis of the IP address. Its structure is very simple. There are only eight bytes of header as follows:
Source Port (2 bytes)-> destination port (2 bytes)-> length (2 bytes)-> test (2 bytes)

Ii. Description of some functions and data structures of the program
In this section, we will introduce some functions and data structures used in later programs. In the program, we use the pcap library.
Ftp://ftp.ee.lbl.gov/libpcap.tar.zdownload. We mainly test the program in RedHat Linux. Here we will briefly introduce the installation method of the library. Please solve the problem in other environments on your own. My goal is to provide ideas for writing a data packet analysis program. As for the implementation of the utility program, I will not introduce it here, and the program provided in the third part is not practical. To demonstrate it, many functions are implemented in the program, and some are not detailed enough. When writing a utility program, please select and add the required function implementation part. The pcap library installation method is as follows:
1. decompress the file
2. Go to the file directory and execute./configure and make
3. Use the make command to set the manual and include files (with root permission) and execute the following command:
Make install-man
Make install-incl
4. If the include and include/NET directories do not exist, create the Directory and re-Execute make install-incl.
5. Check whether the/usr/include/netinet/directory contains protocols. h file. If the directory does not exist, copy the file. The library has been installed.
The following describes some functions and data structures in the program:
1. pcap_t * PD;
This type of data structure is called a packet capture descriptor.
2. pcap_open_live (argv [1], defaut_snalen, 1,1000, ebuf)
This function initializes the pcap library and returns a pointer to pcap_t data. The parameter list is as follows:
Char * specifies the network interface
Maximum number of bytes of data obtained by int
Int specifies the network interface card. Generally, 1 is used.
Int read pause time
Char * error message buffer
3. pcap_loop (PD,-1, packet_proce, null)
The core of this function program is to execute it repeatedly. The pcap is used to get data packets, and the number of data packets is returned. If an error occurs,-1 is returned. The parameter list is as follows:
Pcap_t * specifies the packet capture descriptor for obtaining data packets.
Int obtains the number of data packets.-1 is infinite.
Returns the data packet processing function specified by the pointer to the function.
U_char * pointer to the string assigned to the data packet processing function
4. struct ether_header * ETH
This struct stores Ethernet header information, and its members are as follows:
Ether_dhost [6] MAC address of the receiving end
Ether_shost [6] MAC address of the sender
Ether_type upper-layer protocol type
5. fflush (stdout)
This function implements mandatory output, the stdout parameter, and the standard output.
6. noths (struct ether_header * P)-> ether_type ))
This function converts the network byte sequence of a short integer to the host byte sequence. Such functions include:
Ntohl long integer functions are the same as above
Htons short integer converts host bytes to network bytes.
Htons long integer is the same as above
7. struct IP * IPH
IP struct is defined in the IPH file. Its members correspond to the IP datagram structure described in the first part, as follows:
Member name type description
Ip_hl 4-bit unsigned integer Header Length
Ip_v is in the same version as above, and is now 4
Ip_tos 8-bit unsigned integer type of service
Ip_len 16-bit unsigned integer datagram Length
Ip_id same as above
Ip_off is the same as the data block offset and flag.
Ip_ttl 8-bit unsigned integer TTL value
Ip_p is the same as the upper layer protocol.
Ip_sum 16-bit unsigned integer Test
IP address of the sender of the ip_src in_addr struct
Ip_dst: Same as the IP address of the receiving end
8. struct ether_arp * arph
The ether_arp struct members are as follows:
Member name type description
Parts other than addresses in the ea_hdr arphdr struct Header
Arp_sha 8-bit unsigned integer array Sender MAC address
Arp_spa is the same as the sender IP address.
Arp_tha is the same as the target MAC address.
Arp_tpa is the same as the target IP address.
9. struct icmphdr * ICMP
The icmphdr struct contains a shared body that represents different properties based on different datagram types. It is not listed here. Only three columns that can be used universally
Member Name Description
Type field
Code
Checksum test and

Iii. Case Procedure Analysis
// Example. c
// Usage: Example <Network Interface Name> <output file name> 〉
// Example: Example etho> temp. txe
// End method: Ctrl + c
// Start the program and read the header file
# I nclude
# I nclude
# I nclude
# I nclude
# I nclude
# I nclude
# I nclude
# I nclude // pcap Library
# I nclude // used for DNS Retrieval
# Define maxstringsize 256 // String Length
# Define maxsize 1024 // maximum number of records in the host Cache
# Fefine default_snaplen 68/Data Packet Length
Typedef struct
{
Unsigned long int ipaddr; // ip address
Char hostname [maxstringsize]; // host name
} Dnstable; // cache Data Structure
Typedef struct
{
Dnstable table [maxsize];
Int front;
Int rear;
} Sequeue;
Sequeue * sq; // defines the cache queue
SQ-> rear = SQ-> front = 0; // initialize the queue
// Output MAC address Function
Void print_hwadd (u_char * hwadd)
{
For (INT I = 0, is_name );
}
Else
Sprintf (portna, "% d", portno );
}
// Convert the IP address to the DNS name
Void iptohost (unsigned long int iPad, char * hostn)
{
Struct hostent * shostname;
Int m, n, I;
M = SQ-> rear;
N = SQ-> front;
For (I = n % maxsize; I = m % maxsize; I = (++ N) % maxsize)
{
// Check whether the IP address appears for the first time
If (SQ-> table. ipaddr = iPad)
{
Strcpy (hostn, SQ-> table. hostname );
Break;
}
}
If (I = m % maxsize)
{// If the domain name does not exist, query it from the Domain Name Server and put the result into the cache.
If (SQ-> rear + 1) % maxsize = SQ-> front) // The team is full
SQ-> front = (SQ-> front + 1) % maxsize; // output queue
SQ-> table. ipaddr = iPad;
Shostname = gethostbyaddr (char *) & iPad, sizeof (IPAD), af_inet );
If (shostname! = NULL)
Strcpy (SQ-> table. hostname, shostname-> h_name );
Else
Strcpy (SQ-> table. hostname ,"");
SQ-> rear = (SQ-> rear + 1) % maxsize;
}
}
Void print_hostname (u_char * ipadd)
{
Unsigned long int iPad;
Char hostn [maxstrintsize];
IPad = * (unsigned long int *) ipadd );
Iptohost (IPAD, hostn)
If (strlen (hostn)> 0)
Printf ("% s", hostn );
Else
Print_ipadd (ipadd );
}
// Function for processing data packets
Void packet_proce (u_char * packets, const struct pcap_pkthdr * Header, const u_char * pp)
{
Struct ether_header * ETH; // Ethernet frame header pointer
Struct ether_arp * arth; // ARP Header
Struct IP * IPH; // IP Header
Struct tcphdr * tcph;
Struct udphdr * udph;
U_short srcport, dstport; // port number
Char Protocol [maxstringsize]; // protocol type name
Char SRCP [maxstringsize], dstp [maxstringsize]; // port name
Unsigned int ptype; // protocol type variable
U_char * data; // Data Pointer of data packets
U_char tcpudpdata [maxstringsize]; // data packet
Int I;
Eth = (struct ether_header *) pp;
Ptype = ntohs (struct ether_header *) pp)-> ether_type );
If (ptype = ethertype_arp) | (ptype = ethertype_rarp ))
{
Arph = (struct ether_arp *) (PP + sizeof (struct ether_header ));
If (ptype = ethertype_arp)
Printf ("ARP ");
Else
Printf ("RARP"); // output protocol type
Print_hwadd (u_char *) & (arph-> arp_sha ));
Printf ("(");
Print_hostname (u_char *) & (arph-> arp_spa ));
Printf (")-> ");
Print_hwadd (u_char *) & (arph-> arp_tha ));
Printf ("(");
Print_hostname (u_char *) & (arph-> arp_tpa ));
Printf (")/tpacketlen: % d", header-> Len );
}
Else if (ptype = ethertype_ip) // IP Datagram
{
IPH = (struct IP *) (PP + sizeof (struct ether_header ));
If (IPH-> ip_p = 1) // ICMP Packet
{
Strcpy (protocol, "ICMP ");
Srcport = dstport = 0;
}
Else if (IPH-> ip_p = 6) // TCP packet
{
Strcpy (protocol, "TCP ");
Tcph = (struct tcphdr *) (PP + sizeof (struct ether_header) + 4 * IPH-> ip_hl );
Srcport = ntohs (tcph-> source );
Dstport = ntohs (tcph-> DEST );
Data = (u_char *) (PP + sizeof (struct ether_header) + 4 * IPH-> ip_hl + 4 * tcph-> doff );
For (I = 0; I = header-> len-sizeof (struct ether_header)-4 * IPH-> ip_hl-4 * tcph-> doff );
Break;
Else
Tcpudpdata = data;
}
} // TCP data processing is complete
Else if (IPH-> ip_p = 17) // UDP Packet
{
Strcpy (protocol, "UDP ");
Udph = (struct udphdr *) (PP + sizeof (struct ether_header) + 4 * IPH-> ip_hl );
Srcport = ntohs (udph-> source );
Dstport = ntohs (udph-> DEST );
Data = (u_char *) (PP + sizeof (struct ether_header) + 4 * IPH-> ip_hl + 8 );
For (I = 0; I = header-> len-sizeof (struct ether_header)-4 * IPH-> ip_hl-8 );
Break;
Else
Tcpudpdata = data;
}
}
Tcpudpdata = '/0 ';
Getportname (srcport, SRCP, Protocol );
Getportname (dstport, dstp, Protocol );
Printf ("ip ");
Print_hwadd (ETH-> ether_shost );
Printf ("(");
Print_hostname (u_char *) & (IPH-> ip_src ));
Printf (") [% s: % s]->", protocol, SRCP );
Print_hwadd (ETH-> ether_dhost );
Printf ("(");
Print_hostname (u_char *) & (IPH-> ip_dst ));
Printf (") [% s: % s]", protocol, dstp );
Printf ("/tttl: % d packetlen: % d, IPH-> TTL, header-> Len );
Printf ("/N ");
Printf ("% s", tcpudpdata );
Printf ("= endpacket = ");
}
Printf ("/N ");
}
// The main function retrieves data packets and initializes the program environment.
Int main (INT argc, char ** argv)
{
Char ebuf [pcap_errbuf_size];
Pcap * PD;
If (argc/N ", argv [0]);
Exit (0 );
}
// Set the pcap Library
If (Pd = pcap_open_live (argv [1], default_snaplen, 1,1000, ebuf) = NULL)
{
(Void) fprintf (stderr, "% s", ebuf );
Exit (1 );
}
// Cyclically fetch data packets
// Change Parameter-1 to another value. You can determine the number of data packets. Here, there are no limit.
If (pcap_loop (PD,-1, packet_proce, null) <0)
{
(Void) fprintf (stderr, "pcap_loop: % s/n", pcap_geterr (PD ));
Exit (1 );
}
Pcap_colse (PD );
Exit (0 );
}
// End the program