Yesterday I reached the most important part: analyzing the packet.
The earlier part of this UDP analysis program is basically easy to follow; the main work is the part that parses the message.
The figure found on the blog shows this process in turn: application-layer data is encapsulated into a UDP or TCP segment, an IP header is added, then an Ethernet header, and it becomes a data frame that can be transmitted at the link layer.
The Ethernet driver first determines, from the upper-layer protocol field in the Ethernet header, whether the payload of the data frame is an IP, ARP or RARP datagram, and then hands it to the appropriate protocol for processing. In the case of an IP datagram, the IP protocol then determines, from the upper-layer protocol field in the IP header, whether the payload of the datagram is TCP, UDP, ICMP or IGMP, and hands it to the appropriate protocol for processing. In the case of a TCP or UDP segment, the TCP or UDP protocol then determines, from the port number field in the TCP or UDP header, which user process the application-layer data should be delivered to. An IP address identifies a particular host on the network, and a port number identifies a particular process on that host; together, the IP address and port number uniquely identify one process in the network.
Although IP, ARP and RARP datagrams all need the Ethernet driver to encapsulate them into frames, functionally they are divided: ARP and RARP belong to the link layer, and IP belongs to the network layer. Although ICMP, IGMP, TCP and UDP data all need the IP protocol to encapsulate them into datagrams, functionally ICMP and IGMP belong to the network layer together with IP, while TCP and UDP belong to the transport layer.
So this program first captures the link-layer data frame:
Then look at the structure of the Ethernet frame.
The Ethernet header is 14 bytes; the part after those 14 bytes is the IP datagram, so the IP header pointer ih is made to point at the IP datagram header.
Next, look at the IP header structure.
According to the definition of the ip_header structure, ver_ihl is the 4-bit version number plus the 4-bit header length. We now need to obtain the IP message's header length ip_len, and add it to ih to reach the UDP header. So simply AND this byte with 0xf to get the low 4 bits (note: the low 4 bits, not the high 4 bits), which hold the header length.
This involves the endianness problem: Intel machines generally use little-endian storage, so byte-order conversion is needed.
When writing network programs in C++, you often run into the problem of network byte order versus host byte order. The four functions htonl(), ntohl(), htons() and ntohs() can be used for this.
The conversion functions between network byte order and local (host) byte order:
htonl() -- "Host to Network Long"
ntohl() -- "Network to Host Long"
htons() -- "Host to Network Short"
ntohs() -- "Network to Host Short"
These functions are needed because there are two byte orders for representing data in computers: NBO and HBO.
Network byte order (NBO, network byte order): stored from the high byte to the low byte; a uniform network byte order is used on the network to avoid compatibility problems.
Host byte order (HBO, host byte order): differs from machine to machine and depends on the CPU design; the order of the data is determined by the CPU and is independent of the operating system.
For example, on the Intel x86 architecture the short value 0x1234 is represented as 34 12, and the int value 0x12345678 as 78 56 34 12.
On the IBM PowerPC architecture, the short value 0x1234 is represented as 12 34, and the int value 0x12345678 as 12 34 56 78.
Because of this, machines of different architectures could not communicate with each other, so data is converted to an agreed-upon order, the network byte order, which is in fact the same order the PowerPC uses. In PC development, the ntohl and htonl functions are available for converting between network and host byte order.
Take sport = ntohs(uh->sport); and step through it:
After processing by the ntohs() function, the value 44366 becomes 20141.
Converted to hexadecimal, the high and low bytes have indeed been swapped: in network byte order, stored from the highest byte to the lowest, AD is the high byte and 4E is the low byte, while the Intel machine uses little-endian storage, so the value should be represented as 4EAD (stored from low byte to high byte).
Finally, print the IP address and the UDP port.
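The whole walk described above (Ethernet header, IP header length from the low nibble of ver_ihl, UDP ports through ntohs) collected into one parser, as an added example that is not the diary's own program. It works on a constructed byte array instead of a live pcap capture so it runs offline, and it adds the length and protocol checks a parser needs before trusting a frame; the header names udp_info and parse_udp_frame are my own, and arpa/inet.h is assumed (winsock2.h supplies ntohs on Windows).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs(); on Windows include <winsock2.h> instead */

/* Fields pulled out of one UDP-over-IPv4 frame; ports in host byte order. */
typedef struct {
    uint8_t  saddr[4], daddr[4];     /* IPv4 addresses, one byte per octet */
    uint16_t sport, dport, udp_len;
    uint8_t  ip_hdr_len;             /* IP header length in bytes */
} udp_info;

/* Parse an Ethernet frame. Returns 0 on success, -1 if it is not IPv4/UDP or is
 * too short for the headers it claims. Byte offsets + memcpy are used instead of
 * casting the buffer to packed structs, so packing and alignment do not matter. */
int parse_udp_frame(const uint8_t *frame, size_t len, udp_info *out)
{
    if (len < 14 + 20) return -1;                          /* Ethernet + minimal IP header */
    if (frame[12] != 0x08 || frame[13] != 0x00) return -1; /* EtherType 0x0800 = IPv4 */
    const uint8_t *ih = frame + 14;                        /* IP header after the 14-byte Ethernet header */
    uint8_t ip_len = (uint8_t)((ih[0] & 0x0f) * 4);        /* low nibble of ver_ihl, counted in 32-bit words */
    if ((ih[0] >> 4) != 4 || ip_len < 20) return -1;       /* bad version, or IHL below the minimum */
    if (ih[9] != 17) return -1;                            /* IP protocol field: 17 = UDP */
    if (len < 14 + (size_t)ip_len + 8) return -1;          /* must also hold the 8-byte UDP header */
    const uint8_t *uh = ih + ip_len;
    uint16_t sport, dport, ulen;
    memcpy(&sport, uh, 2); memcpy(&dport, uh + 2, 2); memcpy(&ulen, uh + 4, 2);
    memcpy(out->saddr, ih + 12, 4); memcpy(out->daddr, ih + 16, 4);
    out->sport = ntohs(sport);                             /* network byte order -> host byte order */
    out->dport = ntohs(dport);
    out->udp_len = ntohs(ulen);
    out->ip_hdr_len = ip_len;
    return 0;
}

/* Constructed sample: Ethernet | IPv4 192.168.1.100 -> 192.168.1.1 | UDP 20141 -> 53.
 * The source port bytes 0x4E 0xAD are the 4EAD / 20141 case discussed in the text. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet header */
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,           /* IPv4 header, checksum left 0 */
    0xc0,0xa8,0x01,0x64, 0xc0,0xa8,0x01,0x01,                                /* source, destination address */
    0x4e,0xad, 0x00,0x35, 0x00,0x08, 0x00,0x00 };                            /* UDP header, checksum left 0 */
int main(void)
{
    udp_info i;
    if (parse_udp_frame(sample_frame, sizeof sample_frame, &i) != 0) return 1;
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", i.saddr[0], i.saddr[1], i.saddr[2], i.saddr[3],
           i.sport, i.daddr[0], i.daddr[1], i.daddr[2], i.daddr[3], i.dport);
    return 0;
}
```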
This program is still very simple; now I need to modify it on this basis to suit the requirements of my graduation project.
"Graduation Project Diary - April" PCAP programming to analyze packets