Network analysis program based on WinPcap, implemented under .NET (II)

Source: Internet
Author: User
This time the focus is on parsing the data. As for the WinPcap operations themselves, the official manual is already very good and thorough, so I won't repeat it. I'll just leave a link here for you to read on your own.

Chinese Manual: Http://www.coffeecat.net.cn/winpcap/html/index.html

Now suppose we have captured a packet. Packet parsing involves a lot of small details. For convenience, I won't distinguish them all here; I only describe the most common format, and only IPv4.

In a packet obtained through WinPcap, bytes 0 to 5 (6 bytes) are the destination MAC address and bytes 6 to 11 (6 bytes) are the source MAC address. The next 2 bytes, 12 and 13, are the Ethernet type. These 14 bytes in total are the header in front of the IP packet (the Ethernet frame header) and are not counted as part of the packet.

Next, in byte 14, the first 4 bits, that is, the high 4 bits, are the version number, and the following 4 bits give the length of the packet header. This length has a formula: the actual length is this number multiplied by 4. Byte 15 is the service type. Bytes 16 and 17, 2 bytes, are the total length of the packet; the total length is the length of the packet obtained with WinPcap minus 14. The 14 subtracted is the header described above, which is not counted in the packet length.

Then bytes 18 and 19 are the ID, 20 and 21 are the flags and offset, and 22 is the TTL. Byte 23 is a useful one: it is the protocol type, which tells whether the packet is TCP, UDP, IGMP and so on. Bytes 24 and 25, 2 bytes, are the "CRC code of the packet header". It is the CRC computed over the packet header, that is, over header-length bytes of data starting at byte 14 (the 15th byte). The specific calculation method is easy to find on the Internet, but what you find is often wrong, so I'll go through it again here.

During the calculation, the result is accumulated in a 32-bit integer. The data is taken two bytes at a time: the first is the high byte, the second is the low byte, and the resulting 16-bit integer is added to the sum. If the length is odd, that ... Rest assured: as said earlier, the length is multiplied by 4, so it must be even, hehe.
The code is as follows:

    long sum = 0;
    // headlen is the header length in bytes; the IP header starts at offset 14
    for (int i = 0; i < headlen; i += 2)
    {
        sum += (data[i + 14] << 8) + data[i + 15];
    }

Then add the high 16 bits of sum to the low 16 bits.
The code is as follows:

    sum = (sum >> 16) + (sum & 0xFFFF);

Finally, add the high 16 bits to the low 16 bits once more, mainly to guard against a carry in the previous step leaving sum greater than 0xFFFF.
The code is as follows:

    sum += (sum >> 16);
The CRC can now be checked with the following code:

    if ((short)(~sum) == 0)
        return true;
    else
        return false;

That was a bit of a digression; let's continue with the meaning of the other bytes.
Bytes 26, 27, 28 and 29 are the source IP address; the 4 bytes are the 4 segments of the IP address, in order. Bytes 30, 31, 32 and 33 are the destination IP address. After that, if the header has not ended yet, what follows is the options content. But such packets seem to be rare. Maybe I'm wrong; if so, please point it out.

For the sake of convenience, I assume below that there are no options. In fact, if there never were any, the header length would be fixed at 20 and there would be no need to record it.

The CRC calculation described above covers the data up to this point.
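
The layout and the header check described above, put together as an added example (not the original author's code). It goes slightly beyond the text by checking every length field against the captured size before using it, since those fields come from the network. The names Ipv4HeaderCheck, Check and ChecksumOk are hypothetical and the sample frame is constructed.

```csharp
using System;

static class Ipv4HeaderCheck
{
    const int EthLen = 14; // destination MAC (6) + source MAC (6) + Ethernet type (2)

    // Same sum as the article: 16-bit big-endian words, carries folded back in.
    // A header with a correct checksum folds to 0xFFFF.
    static bool ChecksumOk(byte[] data, int headLen)
    {
        long sum = 0;
        for (int i = 0; i < headLen; i += 2)
            sum += (data[i + EthLen] << 8) + data[i + EthLen + 1];
        sum = (sum >> 16) + (sum & 0xFFFF);
        sum += sum >> 16;
        return (sum & 0xFFFF) == 0xFFFF;
    }

    // Returns "ok", or the reason the frame was rejected. Every length taken
    // from the packet is checked against the captured size before it is used.
    static string Check(byte[] data)
    {
        if (data.Length < EthLen + 20) return "frame too short for an IPv4 header";
        if (((data[12] << 8) | data[13]) != 0x0800) return "Ethernet type is not IPv4";
        if ((data[14] >> 4) != 4) return "version is not 4";
        int headLen = (data[14] & 0x0F) * 4;
        int totalLen = (data[16] << 8) | data[17];
        if (headLen < 20 || EthLen + headLen > data.Length) return "bad header length";
        if (totalLen < headLen || EthLen + totalLen > data.Length) return "bad total length";
        return ChecksumOk(data, headLen) ? "ok" : "header checksum mismatch";
    }

    static void Main()
    {
        // Constructed sample: IPv4 header for UDP 192.168.0.1 -> 192.168.0.199,
        // total length 0x73, zeroed MAC addresses and payload.
        byte[] ip = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                      0xB8, 0x61, 0xC0, 0xA8, 0x00, 0x01, 0xC0, 0xA8, 0x00, 0xC7 };
        byte[] frame = new byte[EthLen + 0x73];
        frame[12] = 0x08; // Ethernet type 0x0800
        Array.Copy(ip, 0, frame, EthLen, ip.Length);
        Console.WriteLine(Check(frame));

        byte[] cut = new byte[EthLen + 20]; // capture truncated right after the header
        Array.Copy(frame, cut, cut.Length);
        cut[14] = 0x4F;                     // header length field now claims 60 bytes
        Console.WriteLine(Check(cut));

        frame[22] ^= 0x01;                  // one flipped bit in the TTL byte
        Console.WriteLine(Check(frame));
    }
}
```

The three calls cover an intact frame, a header length that points past the end of the capture, and a single corrupted header bit.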

That's all for this time. Next time I'll cover TCP and UDP (in fact, I have only parsed these two protocols, hehe).
