Using libpcap to capture QQ number information

Source: Internet
Author: User


Recently I wanted to record the QQ number used when a client logs on to QQ. Searching Baidu did not turn up a concrete method, so I combined Wireshark packet analysis with libpcap-based sniffing to implement this small function.


Background:

The QQ client communicates over UDP. Data messages are plain UDP; control messages use the OICQ protocol, which is carried inside UDP. The control-message commands are listed below (the number in parentheses is the decimal value of the command field in the OICQ message):

Log out (1), Heart Message (2), Set status (13), Receive message (23), Request KEY (29), Get friend online (39), Group name operation (60), MEMO Operation (62), Download group friend (88), Get level (92), Request login (98), Request extra information (101), Signature operation (103), Get status of friend (129), Get friend's status of group (181)

The QQ client uses port 4000 and the server uses port 8000. When several QQ clients run on the same machine, they take consecutive port numbers counting up from 4000.


Packet Analysis:

On Windows, Wireshark was used to capture packets. During login and normal operation, QQ sends UDP and OICQ packets to the server. Here we assume that fewer than 100 QQ clients are logged on from the machine, so client ports stay below 4100. The Wireshark display filter used is as follows:

With the oicq display filter, the QQ number is found at bytes 49 to 52 of every packet that carries it, encoded as a 4-byte unsigned integer. However, libpcap's filter language does not understand OICQ and can only match on UDP fields, so the following filter was used for testing instead:

The QQ number appears in cleartext at the same position of the matching UDP packets, which confirms the capture condition (udp.srcport < 4100 excludes some unrelated, non-conforming messages that would otherwise interfere).


Debug code:

The runtime environment is Linux; libpcap must be installed and the program linked with -lpcap.

Header file:

#ifndef _SNIFFER_H_
#define _SNIFFER_H_

#include <pcap.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <endian.h>        /* BYTE_ORDER, LITTLE_ENDIAN, BIG_ENDIAN */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <time.h>

/* Ethernet frame header */
#define ETHER_ADDR_LEN 6

struct sniff_ethernet {
    u_char  ether_dhost[ETHER_ADDR_LEN]; /* destination host address */
    u_char  ether_shost[ETHER_ADDR_LEN]; /* source host address */
    u_short ether_type;                  /* IP, ARP, RARP, etc. */
};

/* IP packet header */
struct sniff_ip {
#if BYTE_ORDER == LITTLE_ENDIAN
    u_int ip_hl:4,          /* header length */
          ip_v:4;           /* version */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_int ip_v:4,           /* version */
          ip_hl:4;          /* header length */
#endif
    u_char  ip_tos;         /* type of service */
    u_short ip_len;         /* total length */
    u_short ip_id;          /* identification */
    u_short ip_off;         /* fragment offset field */
#define IP_RF 0x8000        /* reserved fragment flag */
#define IP_DF 0x4000        /* don't fragment flag */
#define IP_MF 0x2000        /* more fragments flag */
#define IP_OFFMASK 0x1fff   /* mask for fragmenting bits */
    u_char  ip_ttl;         /* time to live */
    u_char  ip_p;           /* protocol */
    u_short ip_sum;         /* checksum */
    struct in_addr ip_src, ip_dst; /* source and destination address */
};

/* TCP packet header (the capture code below only uses its port fields,
 * which sit at the same offsets in a UDP header) */
typedef u_int tcp_seq;

struct sniff_tcp {
    u_short th_sport;       /* source port */
    u_short th_dport;       /* destination port */
    tcp_seq th_seq;         /* sequence number */
    tcp_seq th_ack;         /* acknowledgement number */
#if BYTE_ORDER == LITTLE_ENDIAN
    u_int th_x2:4,          /* unused */
          th_off:4;         /* data offset */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_int th_off:4,         /* data offset */
          th_x2:4;          /* unused */
#endif
    u_char th_flags;
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
    u_short th_win;         /* window */
    u_short th_sum;         /* checksum */
    u_short th_urp;         /* urgent pointer */
};

#endif /* _SNIFFER_H_ */

Source code:

#include "sniffer.h"

#define SIZE_UDP 8  /* a UDP header is 8 bytes; struct sniff_tcp is only borrowed for its port fields */

void getPacket(u_char *arg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    static int id = 0;
    const struct sniff_ethernet *ethernet; /* Ethernet frame header */
    const struct sniff_ip *ip;             /* IP packet header */
    const struct sniff_tcp *tcp;           /* port fields of the UDP header (same offsets as TCP) */
    const u_char *payload;                 /* packet payload */

    int size_ethernet = sizeof(struct sniff_ethernet);
    int size_ip = sizeof(struct sniff_ip);

    /* The QQ number is read from bytes 49..52; refuse captures shorter than that
     * instead of reading past the end of the buffer */
    if (pkthdr->caplen < 53)
        return;

    ethernet = (const struct sniff_ethernet *)(packet);
    ip = (const struct sniff_ip *)(packet + size_ethernet);
    tcp = (const struct sniff_tcp *)(packet + size_ethernet + size_ip);
    payload = packet + size_ethernet + size_ip + SIZE_UDP;

    int sport = ntohs(tcp->th_sport);
    int dport = ntohs(tcp->th_dport);

    // for QQ
    if (dport != 8000 || sport > 4100)
    {
        return;
    }
    printf("packet: %d\n", ++id);
    printf("%s:%d -> ", inet_ntoa(ip->ip_src), sport);
    printf("%s:%d\n", inet_ntoa(ip->ip_dst), dport);
    /* 4-byte big-endian unsigned integer at bytes 49..52 */
    printf("QQ: %u\n", ((unsigned)packet[49] << 24) |
                       ((unsigned)packet[50] << 16) |
                       ((unsigned)packet[51] << 8)  |
                        (unsigned)packet[52]);

    /* for test: hex dump of the captured bytes
    int i;
    for (i = 0; i < pkthdr->caplen; ++i)
    {
        printf("%02x ", packet[i]);
        if ((i + 1) % 16 == 0)
        {
            printf("\n");
        }
        if ((i + 1) % 8 == 0)
        {
            printf(" ");
        }
    } */

    printf("\n");
}

int main(int argc, char **argv)
{
    pcap_t *devic = NULL;
    char *devStr = NULL;
    char errBuf[PCAP_ERRBUF_SIZE] = "";
    char *filter_rule = "dst port 8000";
    struct bpf_program filter;

    /* pcap_lookupdev() is deprecated in newer libpcap releases; pcap_findalldevs() replaces it */
    devStr = pcap_lookupdev(errBuf);
    if (!devStr)
    {
        printf("Error: %s\n", errBuf);
        return -1;
    }
    printf("Success: %s\n", devStr);

    devic = pcap_open_live(devStr, 65535, 1, 0, errBuf);
    if (!devic)
    {
        printf("Error: %s\n", errBuf);
        return -1;
    }

    if (pcap_compile(devic, &filter, filter_rule, 1, 0) == -1 ||
        pcap_setfilter(devic, &filter) == -1)
    {
        printf("Error: %s\n", pcap_geterr(devic));
        pcap_close(devic);
        return -1;
    }

    pcap_loop(devic, -1, getPacket, NULL);

    pcap_close(devic);

    return 0;
}
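As an added example (not code from the original post), the extraction step above rewritten as a stand-alone function with the length checks the callback lacks: it derives the field offset from the actual IP header length instead of assuming byte 49, checks the protocol and the post's port filter, and refuses frames too short to contain bytes 49..52. The build_sample_frame helper and its byte values are constructed for the demonstration; the 7 OICQ header bytes in it are placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not from the post: read the 4-byte big-endian field the
 * post takes from packet[49..52], but only after checking the captured length,
 * the real IP header length, the protocol, and the post's port filter. The
 * field lies 7 bytes into the UDP payload (49 - 14 - 20 - 8).
 * Returns 1 and sets *id, or 0 if the frame does not qualify or is too short. */
int extract_oicq_id(const uint8_t *pkt, size_t caplen, uint32_t *id)
{
    size_t ip_off = 14, ip_hlen, udp_off, field_off;
    uint16_t sport, dport;

    if (caplen < ip_off + 20 || (pkt[ip_off] >> 4) != 4) return 0; /* IPv4 header */
    ip_hlen = (size_t)(pkt[ip_off] & 0x0f) * 4;          /* honour IP options */
    if (ip_hlen < 20 || pkt[ip_off + 9] != 17) return 0; /* protocol 17 = UDP */
    udp_off = ip_off + ip_hlen;
    if (caplen < udp_off + 8) return 0;                  /* UDP header is 8 bytes */
    sport = (uint16_t)((pkt[udp_off] << 8) | pkt[udp_off + 1]);
    dport = (uint16_t)((pkt[udp_off + 2] << 8) | pkt[udp_off + 3]);
    if (dport != 8000 || sport > 4100) return 0;        /* the post's filter */
    field_off = udp_off + 8 + 7;
    if (caplen < field_off + 4) return 0;                /* would read past the capture */
    *id = ((uint32_t)pkt[field_off] << 24) | ((uint32_t)pkt[field_off + 1] << 16)
        | ((uint32_t)pkt[field_off + 2] << 8) | pkt[field_off + 3];
    return 1;
}

/* Constructed sample frame (not a real capture): Ethernet + 20-byte IPv4 + UDP
 * 4000->8000 + 7 placeholder payload bytes + id 0x075BCD15 (= 123456789). */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t frame[] = {
        0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,                    /* Ethernet, IPv4 */
        0x45,0x00, 0x00,0x27, 0x00,0x00, 0x00,0x00, 0x40,0x11,  /* IPv4, proto 17 */
        0x00,0x00, 192,168,1,10, 10,0,0,1,                      /* csum, src, dst */
        0x0f,0xa0, 0x1f,0x40, 0x00,0x13, 0x00,0x00,             /* UDP 4000->8000 */
        0,0,0,0,0,0,0, 0x07,0x5b,0xcd,0x15 };                   /* payload + id */
    if (cap < sizeof frame) return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;                                         /* 53 bytes */
}
```

A frame captured with a snaplen below 53 bytes is rejected rather than read out of bounds, which is the failure the original callback does not guard against.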

Test results:


Note:

During testing I found that, in rare cases, OICQ packets carrying "MEMO Operation (62)" contain another number that is not the QQ number under test. The reason is unknown... I forgot to record it at the time, it has not appeared in several recent runs, and I have no screenshot.
