Crawl and restore of WINPCAP data packet

Last Update:2018-07-17 Source: Internet

Author: User

Tags ack reserved stdin

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

WINPCAP Technical Manual, in addition to the installation file Doc file under a help, here in a: http://www.ferrisxu.com/WinPcap/html/index.html

Once we grab the packet with the PCAP_NEXT_EX function, we're going to start extracting the key information from it, which I've saved in the Pkt_data and then passed to the processing function.

The code is as follows, and I have written it very clearly. MAC addresses are acquired at the data link layer, and other such as port number, IP, etc. are obtained by analyzing IP packets and TCP packets.

The only thing to be aware of is the size of the byte when defining the structure, or the information you get is wrong.

#include <stdio.h> #include <iostream> #define Have_remote #include "pcap.h" #include "remote-ext.h" #pragma

Comment (lib, "Ws2_32.lib") #pragma comment (lib, "Wpcap.lib") using namespace std;

file* FP;		Definition of Ethernet Protocol format typedef struct ETHER_HEADER {U_char ether_dhost[6];		Target address U_char ether_shost[6];			Source Address U_short Ether_type;

Ethernet type}ether_header;
	The user holds 4 bytes of IP address typedef struct IP_ADDRESS {U_char byte1;
	U_char Byte2;
	U_char Byte3;
U_char byte4;


}ip_address; The first typedef for saving IPV4 struct Ip_header {#ifdef Words_bigendian u_char ip_version:4, header_length:4; #else U_char
Header_length:4, Ip_version:4;		#endif U_char VER_IHL;			Version as well as the first ministerial degree, each 4-bit u_char tos;		Service quality u_short Tlen;		Total length u_short identification;			Identity recognition u_short offset;			Group offset U_char TTL;		Life cycle U_char Proto;		protocol type U_short checksum;	Baotou test code ip_address saddr;	Source IP address ip_address daddr;		Destination IP address u_int op_pad;

Optional Fill field}ip_header; Save TCP header typedef struct TCP_header {u_short sport;
	U_short dport;		U_int sequence;					Sequence code U_int ack;		Reply Code #ifdef Words_bigendian U_char offset:4, Reserved:4;		Offset reserved #else U_char reserved:4, Offset:4;				Reserve offset #endif U_char flags;			Flag U_short windows;			Window size U_short checksum;		Calibration and U_short urgent_pointer;

Emergency pointer}tcp_header;			typedef struct UDP_HEADER {u_int32_t sport;			Source Port u_int32_t Dport;				Target Port u_int8_t Zero;				Reserved bit u_int8_t proto;			Protocol identification u_int16_t Datalen;

UDP data length}udp_header;				typedef struct ICMP_HEADER {u_int8_t type;				ICMP type u_int8_t code;			Code u_int16_t checksum;	Calibration and u_int16_t identification;			Identification u_int16_t sequence;		Serial number u_int32_t init_time;		Initiate time stamp u_int16_t recv_time;		Receive time stamp u_int16_t send_time;

Transmission time stamp}icmp_header;
    typedef struct ARP_HEADER {u_int16_t arp_hardware_type;
    u_int16_t Arp_protocol_type;
    u_int8_t arp_hardware_length;
    u_int8_t arp_protocol_length; u_int16_t Arp_opeRation_code;
    u_int8_t Arp_source_ethernet_address[6];
    u_int8_t Arp_source_ip_address[4];
    u_int8_t Arp_destination_ethernet_address[6];
u_int8_t Arp_destination_ip_address[4];

}arp_header; void Tcp_protocol_packet_handle (U_char *argument, const struct PCAP_PKTHDR *packet_header, const U_char *packet_cont
	ENT) {struct Tcp_header *tcp_protocol;
	U_short Sport;
	U_short dport;
	int header_length;
	U_short windows;
	U_short Urgent_pointer;
	U_int sequence;
	U_int acknowledgement;
	U_short checksum;

	U_char flags;

	printf ("===========tcp protocol===========\n");
	Tcp_protocol = (struct tcp_header*) (packet_content + 14 + 20);
	Sport = Ntohs (tcp_protocol->sport);
	Dport = Ntohs (Tcp_protocol->dport);
	Header_length = Tcp_protocol->offset * 4;
	sequence = Ntohl (tcp_protocol->sequence);
	Acknowledgement = Ntohl (tcp_protocol->ack);
	Windows = Ntohs (tcp_protocol->windows);
	Urgent_pointer = Ntohs (Tcp_protocol->urgent_pointer); Flags = tcp_protocol-&Gt;flags;

	Checksum = Ntohs (tcp_protocol->checksum);

	fprintf (FP, "%d0%d%d%c%d", Header_length, Sport, Dport, Flags, windows);
	Switch (dport) {default:break;
	} if (Flags & 0x08) printf ("PSH");
	if (Flags & 0x10) printf ("ACK");
	if (Flags & 0x02) printf ("SYN");
	if (Flags & 0x20) printf ("URG");
	if (Flags & 0x01) printf ("FIN");
	if (Flags & 0x04) printf ("RST");
printf ("\ n"); } void Udp_protocol_packet_handle (U_char *argument, const struct PCAP_PKTHDR *packet_header, const U_char *packet_con
	Tent) {struct udp_header* udp_protocol;
	U_short Sport;
	U_short dport;
	
	U_short Datalen;
	Udp_protocol = (struct udp_header*) (packet_content + 14 + 20);
	Sport = Ntohs (udp_protocol->sport);
	Dport = Ntohs (Udp_protocol->dport);

	Datalen = Ntohs (Udp_protocol->datalen);
fprintf (FP, "0%d%d%d", Datalen, Sport, dport); } void Arp_protocol_packet_handle (U_char *argument, const struct PCAP_PKTHDR *packet_header, const U_char *packet_con Tent) {struct Arp_header *arp_protocol;   
    U_short Protocol_type;   
    U_short Hardware_type;   
    U_short Operation_code;   
    U_char hardware_length;   

	U_char protocol_length;
	struct tm* ltime;
	Char timestr[16];
	time_t local_tv_sec;
	Local_tv_sec = packet_header->ts.tv_sec;
	Ltime = LocalTime (&local_tv_sec);

    Strftime (timestr, sizeof (TIMESTR), "%h:%m:%s", ltime);   
    printf ("--------ARP protocol--------\ n");   
    Arp_protocol = (struct arp_header*) (packet_content + 14);   
    Hardware_type = Ntohs (Arp_protocol->arp_hardware_type);   
    Protocol_type = Ntohs (Arp_protocol->arp_protocol_type);   
    Operation_code = Ntohs (Arp_protocol->arp_operation_code);   
    Hardware_length = arp_protocol->arp_hardware_length;
	
	Protocol_length = arp_protocol->arp_protocol_length;

    fprintf (FP, "%d%s", Protocol_length, TIMESTR);   
            Switch (operation_code) {case 1:printf ("ARP Request protocol \ n");   
        Break Case2:printf ("ARP reply protocol \ n");   
        Break   
            Case 3:printf ("Rarp request protocol \ n");   
        Break   
            Case 4:printf ("Rarp answer protocol \ n");   
        Break   
    Default:break; } void Icmp_protocol_packet_handle (U_char *argument, const struct PCAP_PKTHDR *packet_header, const U_char *PA
	cket_content) {struct Icmp_header *icmp_protocol;
	U_short type;
	U_short Datalen;
	U_int Init_time;
	U_int Recv_time;

	U_int Send_time;
	Icmp_protocol = (struct icmp_header*) (packet_content + 14 + 20);
	Datalen = sizeof (ICMP_PROTOCOL);
	Type = icmp_protocol->type;
	Init_time = icmp_protocol->init_time;
	Recv_time = icmp_protocol->recv_time;

	Send_time = icmp_protocol->send_time;

fprintf (FP, "%d%c%d%d%d", Datalen, type, Init_time, Recv_time, send_time);

	printf ("===========icmp protocol==========\n");
	Switch (icmp_protocol->type) {case 8://Echo Request message break; Case 0://Echo responseText break;
	Default:break; } void Ip_protocol_packet_handle (U_char *argument, const struct PCAP_PKTHDR *packet_header, const U_char *packet_
	Content) {struct Ip_header *ip_protocol;
	U_int header_length;
	U_char tos;
	
	U_short checksum;
	IP_Address saddr;
	IP_Address daddr;
	U_char TTL;
	U_short Tlen;
	U_short identification;

	U_short offset;

	printf ("===========ip protocol===========\n");
	Ip_protocol = (struct ip_header*) (packet_content + 14);
	Header_length = Ip_protocol->header_length * 4;
	Checksum = Ntohs (ip_protocol->checksum);
	TOS = ip_protocol->tos;

	offset = Ntohs (ip_protocol->offset);
	SADDR = ip_protocol->saddr;
	DADDR = ip_protocol->daddr;
	TTL = ip_protocol->ttl;
	Identification = ip_protocol->identification;
	Tlen = ip_protocol->tlen;

	offset = ip_protocol->offset;

	fprintf (FP, "%d%d%c%d%d%d", Saddr, Daddr, TTL, identification, tlen, offset); Switch (ip_protocol->proto) {case 6:tcp_protocol_packet_handle (argumeNT, Packet_header, packet_content);
	Break
		Case 17:udp_protocol_packet_handle (argument, Packet_header, packet_content);
	Break
		Case 1:icmp_protocol_packet_handle (argument, Packet_header, packet_content);
	Break
	Default:break; } void Ethernet_protocol_packet_handle (U_char *argument, const struct PCAP_PKTHDR *packet_header, const U_CHAR		*packet_content) {u_short ethernet_type;		Ethernet type struct Ether_header *ethernet_protocol;			Ethernet protocol variable U_char *mac_string;		Ethernet Address Ethernet_protocol = (struct ether_header*) packet_content;
	Get Ethernet data Content printf ("Ethernet type is: \ n");	Ethernet_type = Ntohs (Ethernet_protocol->ether_type);

	

	Get Ethernet type printf ("%04x\n", Ethernet_type);
		Switch (ethernet_type) {case 0x0800:printf ("The network layer is IP protocol\n");
	Break
		Case 0x0806:printf ("The network layer is ARP protocol\n");
	Break
	Default:break;
	//Get Ethernet Source Address//printf ("MAC source adress is: \ n"); mac_string = ethernet_protocol-&Gt;ether_shost; fprintf (FP, "%02x:%02x:%02x:%02x:%02x:%02x", *mac_string, * (mac_string + 1), * (Mac_string + 2), * (Mac_string + 3)

	, * (mac_string + 4), * (mac_string + 5));
	Get Ethernet destination//printf ("MAC Target address is: \ n");
	mac_string = ethernet_protocol->ether_dhost; fprintf (FP, "%02x:%02x:%02x:%02x:%02x:%02x", *mac_string, * (mac_string + 1), * (Mac_string + 2), * (Mac_string + 3)

	, * (mac_string + 4), * (mac_string + 5));

	fprintf (FP, "%d", sizeof (packet_content));
		Switch (ethernet_type) {case 0x0800:ip_protocol_packet_handle (argument, Packet_header, packet_content);
	Break
	Default:break;
	int main () {pcap_if_t *alldevs;
	pcap_if_t *d;
	pcap_t *adhandle;
	Char Errbuf[pcap_errbuf_size];
	int inum;
	int i = 0;
	U_int netmask;
	Char packet_filter[] = "IP and TCP";
	struct Bpf_program fcode;
	int res;
	struct PCAP_PKTHDR *header;
	struct TM *ltime;
	Const U_char *pkt_data;
	time_t local_tv_sec;
	Char timestr[16];

	Ip_header *ih;Get device List PCAP_FINDALLDEVS_EX () if (PCAP_FINDALLDEVS_EX (pcap_src_if_string, NULL, &alldevs, errbuf) = = 1) {Fprint
		F (stderr, "Error in Pcap_findalldevs:%s\n", errbuf);
	Exit (1);
		for (d = Alldevs D; d = d->next) {printf ("%d.%s", ++i, D->name);
		if (d->description) {printf ("(%s) \ n", d->description);
		else {printf ("No description available\n"); } if (0 = i) {printf ("\nno interface found!
		Make sure WinPcap is installed\n ");
	return-1;
	printf ("Enter" interface Number (1-%d): ", I);
	scanf_s ("%d", &inum);
		if (Inum < 1 | | inum > i) {printf ("\ninterface number out of range.\n");
		Pcap_freealldevs (Alldevs);
	return-1;
	for (d = alldevs, i = 0; i < inum-1; d=d->next, i++); Jump to the device, turn on the adapter//device name, the portion of the packet to be captured (65536 guaranteed to capture the full contents of each packet on the different data link layers), promiscuous mode, read timeout, error buffer pool if (Adhandle = pcap_open_live (d >name, 65536, 1, 1000, errbuf)) = = NULL) {fprintf (stderr, "\nunable to open" adapter.%s are not supported by WINPCAp\n ", errbuf);
		Pcap_freealldevs (Alldevs);
	return-1; //Check the Data Link layer (Ethernet only) if (Pcap_datalink (adhandle)!= dlt_en10mb) {fprintf (stderr, \nthis.
		ET networks.\n ");
		Pcap_freealldevs (Alldevs);
	return-1; } if (d->addresses!= NULL) {//Get the mask of the first address of the interface netmask = ((struct sockaddr_in*) (d->addresses->netmask))-> Sin_addr. S_un.
	S_ADDR;
	else {netmask = 0XFFFFFF; /*//Compile filter if (Pcap_compile (Adhandle, &fcode, Packet_filter, 1, netmask) < 0) {fprintf (stderr, "\nunable to Compile the packet filter.
		Check the syntax\n ");
		Pcap_freealldevs (Alldevs);
	return-1;
		//Set Filter if (Pcap_setfilter (Adhandle, &fcode) < 0) {fprintf (stderr, "\nerror setting the filter.\n");
		Pcap_freealldevs (Alldevs);
	return-1;
printf ("\nlistenting on%s...\n", d->description);

	* * fp = freopen ("In.txt", "W", stdin);
	while (res = PCAP_NEXT_EX (Adhandle, &header, &pkt_data)) >= 0) {//Request Timeout if (0 = res) {		Continue

		}//Analysis packet Ethernet_protocol_packet_handle (NULL, header, Pkt_data);
		Converts a timestamp to a recognizable format local_tv_sec = header->ts.tv_sec;
		Ltime = LocalTime (&local_tv_sec);
		Strftime (timestr, sizeof (TIMESTR), "%h:%m:%s", ltime); IH = (Ip_header *) (Pkt_data + 14);

		Ethernet head Length//Output time and IP information printf ("%s.%.6d len:%d", Timestr, Header->ts.tv_usec, Header->len); printf ("%d.%d.%d.%d->%d.%d.%d.%d\n", Ih->saddr.byte1, Ih->saddr.byte2, ih->saddr. 
			Byte3, Ih->saddr.byte4, Ih->daddr.byte1, Ih->daddr.byte2, Ih->daddr.byte3,
	IH-&GT;DADDR.BYTE4);
		if ( -1 = res) {printf ("Error reading the Packet:%s\n", Pcap_geterr (Adhandle));
	return-1;

	} pcap_freealldevs (Alldevs);
	Fclose (FP);

	Fclose (stdin);
return 0; }

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More