Winpcap Study Notes (2)

Copyright information:

This article is from the Internet. reposted here for the study and use by network programmers. Please respect the author's Labor achievements. Unauthorized commercial use of the original author's articles is an infringement. The consequences shall be borne by the user and I shall not assume any legal liability.

 

Today, when reading Winpcap manual, I found a sentence:

"This means that on shared media (like non-switched Ethernet), Winpcap will be able to capture the packets of other hosts ."

In my understanding, if you set the NIC to promiscuous mode on a network that is connected through a hub without the exchange function, Winpcap can capture packets sent by other hosts. Can the network Winpcap with the switch function still work? This will be tested in later internships.

Test Procedure 2:

/*
* Test the interception of data packets. Print a list of all network adapters, and then select
* The adapter on which the data packet is intercepted. The pcap_loop () function intercepts
* Data packets are sent to the callback function packet_handler () for processing.

* This program provides a preliminary understanding of how to use Winpcap to intercept data packets and
* Functions and struct that are important when data packets are intercepted.
* 2006-
*/

# Include <pcap. h>
# Include <remote-ext.h>

/* Prototype of the packet handler */
Void packet_handler (u_char * Param, const struct pcap_pkthdr * Header, const u_char * pkt_data );

Int main (){
Pcap_if_t * alldevs;
Pcap_if_t * D;
Int inum;
Int I = 0;
Pcap_t * adhandle;
Char errbuf [pcap_errbuf_size];

/* Retrieve the devices list on the local machine */
If (pcap_findalldevs_ex (pcap_src_if_string, null, & alldevs, errbuf) =-1)
{
Fprintf (stderr, "error in pcap_findalldevs: % s/n", errbuf );
Exit (1 );
}

/* Print the list */
For (D = alldevs; D = D-> next)
{
/* Print name */
Printf ("% d. % s", ++ I, d-> name );

/* Print Description */
If (D-> description)
{
Printf ("(% s)/n", D-> description );
}
Else
{
Printf ("(no description available)/n ");
}
}

If (I = 0)
{
Printf ("/Nno interfaces found! Make sure Winpcap is installed./N ");
Return-1;
}

/* Select an adapter */
Printf ("Enter the interface number (1-% d):", I );
Scanf ("% d", & inum );

If (inum <1 | inum> I)
{
Printf ("/ninterface number out of range./N ");
/* Free the device list */
Pcap_freealldevs (alldevs );
Return-1;
}

/* Jump to the selected adapter */
For (D = alldevs, I = 0; I <inum-1; D = D-> next, ++ I );

/* Open the device */
If (adhandle = pcap_open (D-> name,/* Name of the device */
65536,/* portion of the packet to capture */
/* 65535 guarantees that the whole packet will be captured on all the link layers */
Pcap_openflag_promiscuous,/* promiscuous mode */
1000,/* read timeout */
Null,/* authentication on the remote machine */
Errbuf/* Error Buffer */
) = NULL)
{
Fprintf (stderr, "/nnable to open the adapter. % s is not supported by Winpcap/N", D-> name );
/* Free the devices list */
Pcap_freealldevs (alldevs );

Return-1;
}

Printf ("/nlistening on % s.../N", D-> description );

/* At this point, we don't need any more the device list. Free It */
Pcap_freealldevs (alldevs );
/* Start the capture */
Pcap_loop (adhandle, 0, packet_handler, null );

Return 1;
}

/* Callback function invoked by libpcap for every incoming packet */
Void packet_handler (u_char * Param, const struct pcap_pkthdr * Header, const u_char * pkt_data ){
Struct TM * ltime;
Char timestr [16];

/* Convert the timestamp to readable format */
Ltime = localtime (& header-> TS. TV _sec );
Strftime (timestr, sizeof (timestr), "% H: % m: % s", ltime );
Printf ("% s, %. 6D Len: % d/N", timestr, header-> TS. TV _usec, header-> Len );
}

Function 1:

Pcap_t * pcap_open (const char * source,

Int snaplen,

Int flags, [Page]

Int read_timeout,

Struct pcap_rmtauth * auth,

Char * errbuf

)

Open a common source for capturing/sending data. Pcap_open () can replace all pcap_open_xxx () functions. It hides the differences between different pcap_open_xxx () functions, so programmers do not have to use different open functions.

Source: a string that contains the name of the source to be opened ending with '/0. The source name must contain the new source specification syntax (source specification syntax) and cannot be null. To facilitate the use of the source syntax, remember: (1) the adapter (NIC) returned by pcap_findalldevs_ex () can be directly used by pcap_open (); (2) if you want to pass your own source string to pcap_open (), pcap_createsrcstr () can create the correct source ID.

Snaplen: the length of the data packet to be retained. For each packet received by the filter, the content of the first 'snaplen' byte will be saved to the buffer and transmitted to the user program. For example, if snaplen is equal to 100, only the first 100 bytes of content of each packet is saved. In short, the content from the beginning of each package to snaplen will be saved.

Flags: saves some labels required for packet capture. Winpcap defines three types of labels:

L pcap_openflag_promiscuous: 1, which defines whether the adapter (NIC) enters promiscuous mode ).

L pcap_openflag_datatx_udp: 2, which defines whether UDP is used for data transmission (for example, remote packet capture.

L pcap_openflag_nocapture_rpcap: 4, which defines whether a remote detector can capture its own data packets.

Read_timeout: in milliseconds. Read timeout is used to set that when a data packet is encountered, the read operation does not need to return immediately, but waits for a period of time, so that more data packets can be read at a time from the OS kernel. Not all platforms support read timeout; it is ignored on platforms that do not support read timeout.

Auth: a pointer to 'struct pcap_rmtau' to save the necessary information when a user logs on to a remote machine. If it is not a remote packet capture, the pointer is set to null.

Errbuf: a pointer to the buffer requested by the user to store the error message when the function fails.

The returned value is a 'pcap _ t' pointer, which can be used as a parameter for next call (for example, pcap_compile () and specify an opened Winpcap session. In case of a problem, it returns NULL and the 'errbuf' variable saves the error message.

Function 2:

Int pcap_loop (pcap_t * P,

Int CNT,

Pcap_hander callback,

U_char * User

)

Collects a group of data packets. Pcap_loop () is similar to pcap_dispatch (), but it keeps reading data packets until the CNT package is processed or an error occurs. When there is an active read timeout (read timeout), it does not return. However, it is better to specify a non-zero read timeout (read timeout) for pcap_open_live () and call pcap_dispatch () to receive and process all incoming data packets when a timeout occurs. CNT indicates the maximum number of data packets to be processed before the return. If CNT is a negative value, pcap_loop () continues until an error occurs ). If an error occurs,-1 is returned. If CNT is used up, 0 is returned. If pcap_breakloop () is called before any package is processed,-2 is returned. Therefore, if pcap_breakloop () is used in the program, you must accurately determine whether the returned value is-1 or-2, rather than simply <0.

Function 3:

Hypedef void (* pcap_handler) (u_char * user,

Const struct pcap_pkthdr * pkt_header,

Const u_char * pkt_data)

The callback function prototype of the received data packet. When the user program uses pcap_dispatch () or pcap_loop (), data packets are sent to the application using this callback method. User parameters are defined by the user to capture the session status. They must be consistent with those of pcap_dispatch () and pcap_loop. Pkt_hader is the header related to the packet capture driver. Pkt_data points to the data in the package, including the protocol header.

Struct 1:

Struct pcap_pkthdr {

Struct timeval ts;

Bpf_u_int32 caplen;

Bpf_u_int32 Len;

}

TS: Timestamp

Cpalen: the length of the current group.

Len: the length of the data packet.
 

This article from China protocol analysis network | www.cnpaf.net Original article links: http://www.cnpaf.net/Class/winpcap/200610/16293.html