Libpcap development set
Libpcap is a C language library. libpcap stands for packet capture library, which is the data packet capture function library. Its function is to capture packets over Ethernet through the network adapter. This library provides consistent C function programming interfaces for different platforms. On the platform where libpcap is installed, programs and applications written using libpcap as interfaces can be freely used across platforms. It supports multiple operating systems. Libpcap has a simple structure and is easy to use. It provides more than 20 API encapsulation functions. We can use these API functions to monitor network data packets required by the Network detector.
Libpcap Application
- Network statistics software
- Intrusion Detection System
- Network debugging
- Data packet filtering, supporting the filtering mechanism BPF
Libpcap Development Library instructions
The overall architecture of pcap-based Sniffer Program is as follows:
- First, you must determine which interface to start sniffing. In Linux, this may be eth0, but in BSD, it may be xl1. We can also use a string to define the device, or use the interface name provided by pcap to work.
- Initialize pcap. Here, we need to tell pcap which device to sniff. If you want to, we can sniff multiple devices. How can we differentiate them? Use a file handle. Just like opening a file for reading and writing, we must name our sniffing "sessions" to differentiate them.
- If you only want to sniff a specific transmission (such as a TCP/IP packet or a packet sent to port 23), You must create a rule set, compile and use it. This process is divided into three closely related stages. The rule set is placed in a string and converted to the format read by pcap (so it is compiled ). Compiling is actually to call a function in our program that is not used by external programs. Next we will tell pcap to use it to filter out the session we want. (This step is optional)
- Finally, we tell pcap to enter its subject execution loop. In this phase, pcap continues to work until it receives all the packages we want. Every time it receives a package, it calls another defined function. This function can do whatever we want. It can analyze the obtained package and print the result to the user, it can save the result as a file or do nothing.
- After sniffing the required data, we need to close the session and end it.
Main functions of the libpcap library
Function Name: Pcap_t * pcap_open_live (char * device, int snaplen, int promisc, int to_ms, char * ebuf)
Function: Get the description of the packet capture used to capture network packets.
Parameter description: The device parameter is the name of the network device that is enabled. The snaplen parameter defines the maximum number of bytes of captured data. Promisc specifies whether to place network interfaces in hybrid mode. The to_ms parameter indicates * Time-out period (MS ). The ebuf parameter is used to pass error messages only when the pcap_open_live () function returns NULL.
Function Name: Pcap_t * pcap_open_offline (char * fname, char * ebuf)
Function: Open the file that previously saved the captured data packet for reading.
Parameter description: The fname parameter specifies the name of the opened file. The data format in this file is compatible with tcpdump and tcpslice ." -"Is a standard input. The ebuf parameter is used to pass error messages only when the pcap_open_offline () function returns NULL.
Function Name: Pcap_dumper_t * pcap_dump_open (pcap_t * P, char * fname)
Function: Open the file used to save the captured data packet for writing.
Parameter description: When the fname parameter is "-", it indicates the standard output. If an error occurs, null is returned. The p parameter is the pcap structure pointer returned after the pcap_open_offline () or pcap_open_live () function is called. The fname parameter specifies the name of the opened file. If the return value is null, call the pcap_geterr () function to obtain the error message.
Function Name: Char * pcap_lookupdev (char * errbuf)
Function: Returns the network device name pointer that can be called by the pcap_open_live () or pcap_lookupnet () function. Parameter description: If a function error occurs, null is returned, and related error messages are stored in errbuf.
Function Name: Int pcap_lookupnet (char * device, bpf_u_int32 * netp, bpf_u_int32 * maskp, char * errbuf)
Function: Obtain the network ID and mask of the specified network device.
Parameter description: The netp and maskp parameters are both bpf_u_int32 pointers. If a function error occurs,-1 is returned, and related error messages are stored in errbuf.
Function Name: Int pcap_dispatch (pcap_t * P, int CNT, pcap_handler callback, u_char * User)
Function: Capture and process data packets.
Parameter description: The CNT parameter specifies the maximum value of the data packet processed before the function returns. CNT =-1 indicates that all data packets are processed in a buffer zone. CNT = 0 indicates that all data packets are processed until one of the following errors is generated: Read to EOF; read times out. The callback parameter specifies a callback function with three parameters: A u_char pointer passed from the pcap_dispatch () function and a pointer in the pcap_pkthdr structure, and a data packet size u_char pointer. If yes, the number of bytes read is returned. Zero value is returned when EOF is read. -1 is returned when an error occurs. You can call the pcap_perror () or pcap_geterr () function to obtain the error message.
Function Name: Int pcap_loop (pcap_t * P, int CNT, pcap_handler callback, u_char * User)
Function: The function is basically the same as the pcap_dispatch () function, but this function returns only when CNT data packets are processed or an error occurs, but does not return when reading times out. If a time-out setting with a non-zero value is specified for the pcap_open_live () function and the pcap_dispatch () function is called, The pcap_dispatch () function will return when the time-out occurs. When the CNT parameter is negative, the pcap_loop () function will always run cyclically unless an error occurs.
Function Name: Void pcap_dump (u_char * user, struct pcap_pkthdr * H, u_char * SP)
Function: Output A data packet to the file opened by calling the pcap_dump_open () function. This function can be used as a callback function for the pcap_dispatch () function.
Function Name: Int pcap_compile (pcap_t * P, struct bpf_program * FP, char * STR, int optimize, bpf_u_int32 netmask)
Function: Compile the string specified by the STR parameter into the filter program.
Parameter description: FP is a pointer to the bpf_program structure and is assigned a value in the pcap_compile () function. Optimize parameter control result code optimization. The netmask parameter specifies the network mask of the local network.
Function Name: Int pcap_setfilter (pcap_t * P, struct bpf_program * FP)
Function: Specifies a filter program.
Parameter description: The FP parameter is a bpf_program structure pointer, usually taken from pcap_compile () function call. -1 is returned when an error occurs; 0 is returned when the error is successful.
Function Name: U_char * pcap_next (pcap_t * P, struct pcap_pkthdr * H)
Function: Returns the u_char pointer pointing to the next packet.
Function Name: Int pcap_datalink (pcap_t * P)
Function: Return the data link layer type, for example, dlt_en10mb.
Function Name: Int pcap_snapshot (pcap_t * P)
Function: Return the snapshot parameter value after pcap_open_live is called.
Function Name: Int pcap_is_swapped (pcap_t * P)
Function: Whether the byte sequence of the current system host is different from that of the opened file.
Function Name: Int pcap_major_version (pcap_t * P)
Function: Returns the major version number of the pcap function used to write the opened file.
Function Name: Int pcap_minor_version (pcap_t * P)
Function: Return the minor version number of the pcap function used to write the opened file.
Function Name: Int pcap_stats (pcap_t * P, struct pcap_stat * PS)
Function: Assign a value to the pcap_stat structure. If the call succeeds, 0 is returned. These values include data packet statistics that have been captured since data capture. If an error occurs or data packet statistics is not supported,-1 is returned. You can call the pcap_perror () or pcap_geterr () function to obtain the error message.
Function Name: File * pcap_file (pcap_t * P)
Function: Returns the name of the opened file.
Function Name: Int pcap_fileno (pcap_t * P)
Function: Returns the description number of the opened file.
Function Name: Void pcap_perror (pcap_t * P, char * prefix)
Function: The last pcap library error message is displayed on the standard output device. The message header is a string specified by the prefix parameter.
Function Name: Char * pcap_geterr (pcap_t * P)
Function: Returns the last pcap database error message.
Function Name: Char * pcap_strerror (INT error)
Function: If the strerror () function is unavailable, you can use the pcap_strerror function instead.
Function Name: Void pcap_close (pcap_t * P)
Function: Close the file corresponding to the p parameter and release the resource.
Function Name: Void pcap_dump_close (pcap_dumper_t * P)
Function: Close the opened file.
Libpcap Development Library Installation
- Download the latest libpcap-0.9.6.tar.gz from www.tcpdump.org
- Unzip the installation package: tar-zxvf libpcap-0.9.6.tar.gz to generate a directory libpcap-0.9.6
- CD libpcap-0.9.6
- ./Configure
- Make; Make installl
In turbolinux, Libpcap is already one of the basic libraries and does not need to be downloaded.
Libpcap development library example
The following is a packet capture program test. C. Each time a packet is captured, the message "a packet is captured!" is printed !".
#include <stdio.h>
#include <pcap.h>
int main (int argc, char* argv[])
{
/*the printer running when packet have captured*/
void printer()
{
printf("A packet is captured!/n");
return;
}
/*the error code buf of libpcap*/
char ebuf[PCAP_ERRBUF_SIZE];
/*create capture handler of libpcap*/
pcap_t *pd = pcap_open_live ("eth0", 68, 0, 1000, ebuf);
/*start the loop of capture, loop 5 times, enter printer when capted*/
pcap_loop (pd, 5, printer, NULL);
pcap_close (pd);
return 0;
}
- Compile gcc-O test. C-lpcap
- Run./test
- Output result:
A packet is captured!
A packet is captured!
A packet is captured!
A packet is captured!
A packet is captured!