Sniffer program based on Libpcap Library

Source: Internet
Author: User


The libpcap library is the foundation of the packet capture tools Wireshark and tcpdump. We can use libpcap to implement our own packet capture program, capture and analyse packets on the network, or use the results of that processing for business purposes.

1. Structure of the packet crawled by the Libpcap

Before implementing our libpcap-based program, let's look at the structure of the network packets captured by libpcap (and therefore by Wireshark and tcpdump). The following is an example of a TCP/IP packet:

The packet above has 6 parts: file header, packet header, Ethernet frame header, IP header, TCP header, and data field. The file header is added by libpcap when it writes the capture and has nothing to do with network communication. The data field is the part the application needs to process; the other parts are handled by the operating system.

1.1. File Header:

The detailed structure of the file header is as follows:

The file header format defined in pcap.h is as follows:

struct pcap_file_header {
    bpf_u_int32 magic;          /* magic number, also reveals byte order */
    u_short version_major;
    u_short version_minor;
    bpf_int32 thiszone;         /* GMT to local time correction, in seconds */
    bpf_u_int32 sigfigs;        /* accuracy of timestamps */
    bpf_u_int32 snaplen;        /* max length of the saved portion of each packet */
    bpf_u_int32 linktype;       /* data link type */
};

The fields have the following meanings:

• magic: 4 B, 0x1a 2b 3c 4d: identifies the file itself and its byte order. 0xa1b2c3d4 means the file is read in its original byte order, and 0xd4c3b2a1 means the bytes that follow must be byte-swapped when read. Generally we use 0xa1b2c3d4.

• major: 2 B, 0x02 00: major version number of the current file

• minor: 2 B, 0x04 00: minor version number of the current file

• thiszone: 4 B, time zone. The difference between GMT and local time, expressed in seconds. If the local time zone is GMT the value is 0; in practice this value is also set to 0.

• sigfigs: 4 B, timestamp precision; all zeros.

• snaplen: 4 B, maximum saved length (this value sets the maximum length of a captured packet; to capture whole packets set it to 65535; for example, to keep only the first 64 bytes of each packet, set it to 64)

• linktype: 4 B, link type

Common types:

0 BSD loopback devices, except for later OpenBSD
1 Ethernet, and Linux loopback devices
6 802.5 Token Ring
7 ARCnet
8 SLIP
9 PPP
10 FDDI
LLC/SNAP-encapsulated ATM
101 "Raw IP" with no link-layer header
102 BSD/OS SLIP
103 BSD/OS PPP
104 Cisco HDLC
105 802.11
108 later OpenBSD loopback devices (with the AF_ value in network byte order)
113 special Linux "cooked" capture
LocalTalk

1.2. Packet header

The structure of the packet header in pcap.h:

struct pcap_pkthdr {
    struct timeval ts;      /* time stamp */
    bpf_u_int32 caplen;     /* length of the portion present */
    bpf_u_int32 len;        /* length of this packet on the wire */
};

struct timeval {
    long tv_sec;            /* seconds */
    suseconds_t tv_usec;    /* microseconds */
};

• ts: 8 bytes, packet capture time; 4 bytes give the seconds and 4 bytes the microseconds. Note that ts has type struct timeval, and on 64-bit machines tv_sec and tv_usec are 8 bytes each, so sizeof(struct pcap_pkthdr) is 24 bytes while the packet header stored in the capture file is 16 bytes. The captured bytes therefore cannot be mapped directly onto this structure when processing a packet.

• caplen: 4 bytes, length of the saved packet (at most snaplen, e.g. 68 bytes)

• len: 4 bytes, true length of the packet, which may be larger than caplen if the whole packet was not captured.
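The byte-order and header-size points above, as an added example that is not from the original post: a reader for the on-disk pcap global header and record header that detects the magic number in either byte order and decodes the 16-byte record header field by field instead of casting it to struct pcap_pkthdr. The sample captures are constructed here; struct disk_rechdr and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* On-disk pcap record header: four 32-bit fields, 16 bytes. The in-memory
 * struct pcap_pkthdr is 24 bytes on 64-bit hosts, so it is never overlaid. */
struct disk_rechdr { uint32_t ts_sec, ts_usec, caplen, len; };

/* Read a 32-bit field, byte-swapping if the file was written in the opposite order. */
static uint32_t rd32(const unsigned char *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap) v = (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
    return v;
}

/* Decode the 24-byte global header: 1 on success, 0 on short buffer or bad magic. */
int parse_file_header(const unsigned char *buf, size_t n, int *swap,
                      uint32_t *snaplen, uint32_t *linktype) {
    uint32_t magic;
    if (n < 24) return 0;
    memcpy(&magic, buf, 4);                   /* read in host byte order */
    if (magic == 0xa1b2c3d4u) *swap = 0;      /* same order as this host */
    else if (magic == 0xd4c3b2a1u) *swap = 1; /* opposite order: swap fields */
    else return 0;
    *snaplen  = rd32(buf + 16, *swap);
    *linktype = rd32(buf + 20, *swap);
    return 1;
}

/* Decode one record header. A caplen above snaplen or above the bytes actually
 * present is rejected, so a corrupt file cannot cause an over-read of the data. */
int parse_record_header(const unsigned char *buf, size_t n, int swap,
                        uint32_t snaplen, struct disk_rechdr *h) {
    if (n < 16) return 0;
    h->ts_sec = rd32(buf, swap);      h->ts_usec = rd32(buf + 4, swap);
    h->caplen = rd32(buf + 8, swap);  h->len     = rd32(buf + 12, swap);
    return (h->caplen <= snaplen && h->caplen <= n - 16) ? 1 : 0;
}

/* Constructed samples: the same capture written on a little-endian and on a
 * big-endian host. One record: time 1.0 s, caplen 4 of a 60-byte packet. */
const unsigned char SAMPLE_LE[44] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x01,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x3c,0,0,0, 0xde,0xad,0xbe,0xef };
const unsigned char SAMPLE_BE[44] = {
    0xa1,0xb2,0xc3,0xd4, 0x00,0x02, 0x00,0x04, 0,0,0,0, 0,0,0,0,
    0x00,0x00,0xff,0xff, 0x00,0x00,0x00,0x01,
    0,0,0,0x01, 0,0,0,0, 0,0,0,0x04, 0,0,0,0x3c, 0xde,0xad,0xbe,0xef };
```

Both samples decode to the same values on any host, because the magic check compares against the host-order read and selects the swap accordingly.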

1.3. Ethernet Frame Header

(Omitted)

1.4. IP Data Header

• Version: 4 bits, the IP protocol version. Both sides of the communication must use the same IP protocol version. The widely used version number today is 4 (IPv4); IPv6 is still at the draft stage.

• Header length: 4 bits, so the maximum decimal value it can express is 15. Note that the unit of this field is a 32-bit word (4 bytes), so when the header length field is 1111 (decimal 15) the header is 60 bytes long. When the header of an IP packet is not an integer multiple of 4 bytes, it must be padded with the padding field at the end. The data part therefore always starts at a multiple of 4 bytes, which makes implementing the IP protocol more convenient. The drawback of the 60-byte header limit is that it is sometimes not enough, but it was chosen in the hope that users would minimise overhead. The most common header length is 20 bytes (a header length field of 0101), with no options used.

• Type of service: 8 bits, used to request better service. This field was called "service type" in the old standard but was not used in practice. In 1998 the IETF renamed it Differentiated Services (DS). The field only has effect when differentiated services are used.

• Total length: 16 bits, the length of the header plus the data, in bytes. Since the field is 16 bits, the maximum datagram length is 2^16 - 1 = 65535 bytes.

Each data link layer below the IP layer has its own frame format, and that format includes a maximum length for the data field of the frame, called the Maximum Transfer Unit (MTU). When a datagram is encapsulated in a link-layer frame, the total length of the datagram (header plus data) must not exceed the MTU of the data link layer below it.

• Identification: 16 bits. The IP software keeps a counter in memory; each time a datagram is generated the counter is incremented by 1 and its value is assigned to the identification field. This "identification" is not a sequence number, because IP is a connectionless service and datagrams do not have to be received in order. When a datagram must be fragmented because it is longer than the MTU of the network, the value of the identification field is copied into the identification field of every fragment. The identical identification value allows the fragments to be correctly reassembled into the original datagram.

• Flags: 3 bits, of which only 2 are meaningful at present.

    • The lowest bit of the flags field is MF (More Fragments). MF=1 means "there are more fragments after this one"; MF=0 means this is the last of the fragments.
    • The middle bit of the flags field is DF (Don't Fragment), meaning "must not be fragmented". Fragmentation is allowed only when DF=0.

• Fragment offset: 13 bits. After a long datagram has been fragmented, the fragment offset gives the relative position of a fragment within the original datagram, i.e. where the fragment starts relative to the beginning of the user data field. The offset is in units of 8 bytes, so the length of each fragment must be an integer multiple of 8 bytes (64 bits).

• Time to live: 8 bits, abbreviated TTL, the lifetime of the datagram in the network. It is set by the source that sends the datagram. Its purpose is to prevent undeliverable datagrams from wandering the Internet indefinitely and consuming network resources in vain. The original design used seconds as the TTL unit: each router subtracts the time the datagram spent in it from the TTL, and if it spent less than 1 second the TTL is reduced by 1. When the TTL reaches 0, the datagram is discarded.

• Protocol: 8 bits. The protocol field indicates which protocol the data carries, so that the IP layer of the destination host knows which process to hand the data part to.

• Header checksum: 16 bits. This field covers only the header of the datagram, not the data part. Every router the datagram passes must recalculate the header checksum (because some fields, such as TTL, flags and fragment offset, may change), and leaving out the data part reduces the amount of computation.

• Source address: 32 bits.

• Destination address: 32 bits.
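The header fields described above, as an added example that is not from the original post: a bounds-checked IPv4 header decoder that also verifies the header checksum (header bytes only, as the text says), so a segment whose TTL was changed without recomputing the checksum is rejected. The sample header is constructed here; struct ipv4_hdr and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct ipv4_hdr {
    uint8_t  version, ihl, ttl, protocol;   /* ihl in 32-bit words (5..15) */
    uint16_t total_len, id, flags, frag_offset, checksum;
    uint32_t src, dst;
};
static uint16_t be16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const unsigned char *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Internet checksum over the header bytes only; the data part is not covered. */
uint16_t ip_checksum(const unsigned char *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += be16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

/* Decode an IPv4 header from n available bytes. Returns 0 when the header is
 * truncated, not version 4, has an IHL below 5 words, a total length shorter
 * than the header, or a checksum that does not verify; returns 1 otherwise. */
int parse_ipv4(const unsigned char *p, size_t n, struct ipv4_hdr *h) {
    if (n < 20) return 0;
    h->version = p[0] >> 4;  h->ihl = p[0] & 0x0f;
    if (h->version != 4 || h->ihl < 5 || n < (size_t)h->ihl * 4) return 0;
    h->total_len   = be16(p + 2);
    h->id          = be16(p + 4);
    h->flags       = be16(p + 6) >> 13;     /* reserved, DF, MF */
    h->frag_offset = be16(p + 6) & 0x1fff;  /* in units of 8 bytes */
    h->ttl         = p[8];
    h->protocol    = p[9];
    h->checksum    = be16(p + 10);
    h->src         = be32(p + 12);
    h->dst         = be32(p + 16);
    if (h->total_len < h->ihl * 4u) return 0;
    /* With the checksum field included, a correct header sums to 0xffff, so
     * the complemented sum over all ihl*4 bytes must come out as 0. */
    return ip_checksum(p, h->ihl * 4u) == 0;
}

/* Constructed sample: 20-byte header, DF set, TTL 64, protocol 6 (TCP),
 * 192.168.0.1 -> 192.168.0.199, total length 60, checksum 0x9c5d by hand. */
const unsigned char SAMPLE_IP[20] = {
    0x45,0x00,0x00,0x3c, 0x1c,0x46,0x40,0x00, 0x40,0x06,0x9c,0x5d,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };
```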

1.5. TCP Data Header

• Source port (16 bits): together with the source host IP address, it identifies an application process on the source host.

• Destination port (16 bits): together with the destination host IP address, it identifies an application process on the destination host. These two values, together with the source and destination host IP addresses in the IP header, uniquely identify a TCP connection.

• Sequence number (32 bits): identifies the data stream sent from the TCP source to the TCP destination; it is the sequence number of the first data byte in this segment. If the byte stream is viewed as a one-way flow between two applications, TCP numbers every byte with a sequence number. The number is an unsigned 32-bit value; when it reaches 2^32 - 1 it wraps around to 0. When a new connection is being established the SYN flag is set to 1, and the sequence number field then carries the initial sequence number (ISN) chosen by this host for the connection.

• Acknowledgement number (32 bits): the next sequence number the sender of the acknowledgement expects to receive, i.e. the sequence number of the last successfully received data byte plus 1. The acknowledgement number field is valid only when the ACK flag is 1. TCP provides a full-duplex service to the application layer, so data can flow independently in both directions and each end of the connection must maintain the transmit sequence number for its own direction.

• TCP header length (4 bits): the number of 32-bit words in the header, which in effect indicates where the data starts. This value is needed because the length of the options field is variable. The field is 4 bits, so a TCP header is at most 60 bytes; without options the normal length is 20 bytes.

• Reserved (6 bits): reserved for future use, currently must be set to 0.

• Control bits (control flags, 6 bits): there are 6 flag bits in the TCP header, and several of them may be set to 1 at the same time. In order:

URG: 1 indicates that the urgent pointer is valid; 0 means the urgent pointer value is ignored.

ACK: 1 indicates that the acknowledgement number is valid; 0 indicates that the segment carries no acknowledgement and the acknowledgement number field is ignored.

PSH: 1 indicates PUSH data, meaning the receiver should hand the segment to the application layer without waiting for its buffer to fill. When an application-layer message is split into two packets by the network layer, the first packet has PSH 0 and the second has PSH 1.

RST: used to reset a connection that has become faulty because of a host crash or another cause. It can also be used to reject an illegal segment or refuse a connection request. In general, receiving a segment with RST set to 1 means some problem has occurred.

SYN: synchronise sequence numbers; set to 1 in a connection request, it is used to establish the connection and synchronise the sequence numbers.

FIN: used to release a connection; 1 means the sender has no more data to send, i.e. it closes its direction of the traffic.

• Window size (16 bits): the number of bytes of data, starting from the acknowledgement number, that the sender of this segment is prepared to receive, i.e. the sender's receive window size. The field is 16 bits, so the maximum window size is 65535 bytes.

• Checksum (16 bits): covers the entire TCP segment, both TCP header and TCP data, computed over 16-bit words. It is a mandatory field that must be computed and stored by the sender and verified by the receiver.

• Urgent pointer (16 bits): valid only when the URG flag is set to 1. The urgent pointer is a positive offset which, added to the value of the sequence number field, gives the sequence number of the last byte of urgent data. TCP's urgent mode is a way for the sender to deliver urgent data to the other end.

• Options: the most common option is the maximum segment size (MSS). Each end normally states this option in the first segment of the communication (the segment with the SYN flag set that establishes the connection); it gives the maximum segment length the local end can receive. The options length is not necessarily an integer multiple of 32 bits, so padding bits are added to bring the header length to a whole number of words.

• Data: the data part of a TCP segment is optional. When a connection is established or terminated, the segments exchanged by both sides consist only of TCP headers. If one side has no data to send, it also uses a header without data to acknowledge the data it has received. In many timeout-handling cases a segment without any data is sent as well.
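The TCP header layout and the MSS option described above, as an added example that is not from the original post: a decoder that reads the fixed fields, validates the data offset against the bytes present, and walks the options list with length checks so a malformed option cannot read beyond the header. The sample SYN segment is constructed here (its checksum is left at zero and not verified); struct tcp_hdr and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

struct tcp_hdr {
    uint16_t src_port, dst_port, window, checksum, urg_ptr, mss;
    uint32_t seq, ack;
    uint8_t  data_offset;   /* header length in bytes (20..60) */
    uint8_t  flags;         /* URG=0x20 ACK=0x10 PSH=0x08 RST=0x04 SYN=0x02 FIN=0x01 */
};

static uint16_t be16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const unsigned char *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decode a TCP header from n bytes of segment. Returns the header length (the
 * offset of the data part), or 0 if the header is truncated, the data offset is
 * below 5 words or beyond the bytes present, or an option is malformed. */
size_t parse_tcp(const unsigned char *p, size_t n, struct tcp_hdr *h) {
    if (n < 20) return 0;
    h->data_offset = (uint8_t)((p[12] >> 4) * 4);
    if (h->data_offset < 20 || h->data_offset > n) return 0;
    h->src_port = be16(p);       h->dst_port = be16(p + 2);
    h->seq      = be32(p + 4);   h->ack      = be32(p + 8);
    h->flags    = p[13] & 0x3f;
    h->window   = be16(p + 14);  h->checksum = be16(p + 16);
    h->urg_ptr  = be16(p + 18);  h->mss      = 0;
    /* Walk the options between byte 20 and the data offset, checking every
     * length before it is used. Kind 0 ends the list, kind 1 is NOP padding. */
    size_t i = 20;
    while (i < h->data_offset) {
        uint8_t kind = p[i];
        if (kind == 0) break;
        if (kind == 1) { i++; continue; }
        if (i + 1 >= h->data_offset) return 0;
        uint8_t len = p[i + 1];
        if (len < 2 || i + len > h->data_offset) return 0;
        if (kind == 2 && len == 4) h->mss = be16(p + i + 2);  /* MSS option */
        i += len;
    }
    return h->data_offset;
}

/* Constructed sample: SYN from port 50204 to port 80, seq 1, window 64240,
 * 24-byte header carrying an MSS option of 1460 (checksum left as zero). */
const unsigned char SAMPLE_TCP[24] = {
    0xc4,0x1c, 0x00,0x50, 0,0,0,0x01, 0,0,0,0, 0x60,0x02, 0xfa,0xf0,
    0,0, 0,0, 0x02,0x04,0x05,0xb4 };
```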

2. Sniffer code example

To be Continued ...

