This section covers how to set up capture filtering, where filtering means selecting packets before they are captured rather than discarding them afterwards.
Capture filtering is set up mainly in CFilterDlg, the class behind the filter-rule settings dialog created earlier.
First, a valid filter rule string is generated from the user's choices. According to the WinPcap requirements, a legal filter expression can be formed as follows:
1) Expressions support logical operators: sub-expressions can be combined with the keywords and, or and not, and parentheses may be used to group them.
2) Protocol-based filtering uses a protocol qualifier; the protocol qualifier can be ip, arp, rarp, tcp, udp, and so on.
3) MAC-address-based filtering uses the qualifier ether (for Ethernet address). When the MAC address is used only as the source address the expression is ether src mac_addr; when it is used only as the destination address the expression is ether dst mac_addr; when it may be either the source or the destination address the expression is ether host mac_addr. Note also that mac_addr must follow the 00:e0:4c:e0:38:88 format, otherwise compiling the filter fails with an error.
5) Port-based filtering uses the qualifier port. For example, to receive only packets on port 80 the expression is port 80.
Below are two examples:
Example 1: Only ARP or ICMP packets are captured.
Filter expression: arp or (ip and icmp)
Example 2: Capture all UDP packets exchanged between the hosts 192.168.1.23 and 192.168.1.28.
Filter expression: (ip and udp) and (host 192.168.1.23 or host 192.168.1.28)
With these rules, a valid filter string can be generated by the following code. First create the handler that is triggered by clicking OK, then add the following code to it:
```cpp
void CFilterDlg::OnBnClickedOk()
{
    // TODO: Add your control notification handler code here
    // Each checked protocol appends its sub-expression followed by " or " (four characters).
    if (1 == m_tcp.GetCheck())
    {
        FilterName += _T("(tcp and ip) or ");
    }
    if (1 == m_udp.GetCheck())
    {
        FilterName += _T("(udp and ip) or ");
    }
    if (1 == m_arp.GetCheck())
    {
        FilterName += _T("arp or ");
    }
    if (1 == m_rarp.GetCheck())
    {
        FilterName += _T("rarp or ");
    }
    if (1 == m_icmp.GetCheck())
    {
        FilterName += _T("(icmp and ip) or ");
    }
    if (1 == m_igmp.GetCheck())
    {
        FilterName += _T("(igmp and ip) or ");
    }
    // Note that the last, superfluous " or " must be removed, otherwise the filter rule
    // does not compile. If nothing was checked, FilterName stays empty, which WinPcap
    // treats as "capture everything".
    if (!FilterName.IsEmpty())
    {
        FilterName = FilterName.Left(FilterName.GetLength() - 4);
    }
    CDialogEx::OnOK();
}
```
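As an added example (not code from the original post or its project), the same rule-building logic is written below in portable C++ so it can be compiled and tested outside MFC. The check boxes become plain booleans in a hypothetical FilterOptions struct; the or-ed protocol list and the and-ed host, ether and port qualifiers from rules 1 to 5 are joined without the trailing-operator trimming used in OnBnClickedOk; the MAC address is checked against the 00:e0:4c:e0:38:88 format before it is placed in the expression; and the two filter examples above are reproduced by the sample values. FilterOptions, BuildFilter, IsValidMac and Join are names assumed for this example.

```cpp
#include <iostream>
#include <regex>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the CFilterDlg check boxes and edit fields (added example).
struct FilterOptions {
    bool tcp = false, udp = false, arp = false, rarp = false, icmp = false, igmp = false;
    std::string hostA, hostB;   // optional IP hosts, or-ed together (example 2 on the page)
    std::string etherHost;      // optional MAC address for "ether host", colon-separated
    int port = 0;               // optional port; 0 means no port qualifier
};

// Join sub-expressions with one logical operator: "a or b or c".
static std::string Join(const std::vector<std::string>& parts, const char* op) {
    std::string out;
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i != 0) { out += ' '; out += op; out += ' '; }
        out += parts[i];
    }
    return out;
}

// WinPcap only accepts MAC addresses written as six colon-separated hex byte pairs.
bool IsValidMac(const std::string& mac) {
    static const std::regex re("^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$");
    return std::regex_match(mac, re);
}

// Build the capture filter expression from the chosen options.
// Returns "" when nothing was selected, which WinPcap treats as "capture everything".
// Throws std::invalid_argument for a malformed MAC instead of letting the filter fail to compile later.
std::string BuildFilter(const FilterOptions& o) {
    // Each section is a list of or-ed alternatives; the sections themselves are and-ed.
    std::vector<std::vector<std::string>> sections;

    std::vector<std::string> protos;
    if (o.tcp)  protos.push_back("(tcp and ip)");
    if (o.udp)  protos.push_back("(udp and ip)");
    if (o.arp)  protos.push_back("arp");
    if (o.rarp) protos.push_back("rarp");
    if (o.icmp) protos.push_back("(icmp and ip)");
    if (o.igmp) protos.push_back("(igmp and ip)");
    if (!protos.empty()) sections.push_back(protos);

    std::vector<std::string> hosts;
    if (!o.hostA.empty()) hosts.push_back("host " + o.hostA);
    if (!o.hostB.empty()) hosts.push_back("host " + o.hostB);
    if (!hosts.empty()) sections.push_back(hosts);

    if (!o.etherHost.empty()) {
        if (!IsValidMac(o.etherHost))
            throw std::invalid_argument("MAC address must look like 00:e0:4c:e0:38:88");
        sections.push_back({"ether host " + o.etherHost});
    }
    if (o.port > 0) sections.push_back({"port " + std::to_string(o.port)});

    if (sections.empty()) return "";

    // Parenthesise an or-list only when it is combined with other sections,
    // so that "and" (which binds tighter than "or") cannot split it.
    std::vector<std::string> clauses;
    for (const auto& s : sections) {
        std::string joined = Join(s, "or");
        clauses.push_back(s.size() > 1 && sections.size() > 1 ? "(" + joined + ")" : joined);
    }
    return Join(clauses, "and");
}

int main() {
    FilterOptions ex1; ex1.arp = true; ex1.icmp = true;
    FilterOptions ex2; ex2.udp = true; ex2.hostA = "192.168.1.23"; ex2.hostB = "192.168.1.28";
    std::cout << BuildFilter(ex1) << '\n';   // arp or (icmp and ip)
    std::cout << BuildFilter(ex2) << '\n';   // (udp and ip) and (host 192.168.1.23 or host 192.168.1.28)
    return 0;
}
```

The returned string is what the main window would hand to the WinPcap compile-and-set functions described in the next section. Building the expression from lists and joining them, rather than appending " or " and cutting four characters off the end, means the empty case and the single-protocol case need no special handling, and rejecting a malformed MAC up front gives the user a clear message instead of an opaque compile failure.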
A short note on how to test whether a check box or a radio button is selected:
Determining whether the button is selected:
Check box: 1 == m_tcp.GetCheck()
Radio button and check box: a radio button does not normally have a control variable, so m_xxx.GetCheck() cannot be used; the generic form ((CButton*)GetDlgItem(IDC_RADIO1))->GetCheck() works for both, selecting the button by its ID.
The default settings differ in the same way:
Check box: m_tcp.SetCheck(1)
Radio button and check box: CheckDlgButton(IDC_RADIO1, 1)
In other words, both a check box and a radio button can be set through the button's ID, while a check box with a control variable can also be set through its own SetCheck function.
Back to the program: once the valid string has been generated, FilterName is returned to the main window, and the functions that set and compile the filter rule are also handled in the main window, as described in the next section.
Next section: MFC+WinPcap writing a sniffer VI (analysis module)
MFC+WinPcap writing a sniffer V (filter module)