http://blog.csdn.net/haolipengzhanshen/article/details/51854853
1.了解下pcap文件的结构
2.定义pcap文件头部结构体pcapFileHeader_t,
定义pcap数据包头部结构体pcapPkthdr_t
3.代码实现
base_type.h
#ifndef BASE_TYPE_H #define BASE_TYPE_H typedef unsigned char uchar8_t; typedef char char8_t; typedef unsigned short uint16_t; typedef short int16_t; typedef unsigned int uint32_t; typedef int int32_t; typedef unsigned long ulong64_t; typedef long long64_t; const uint32_t MAX_MTU = 1500; //设置最大MTU为1500 const int ETHER_DATA_MIN_SIZE = 28; //IP头长度 + UDP 长度 const int HTTP_PORT_NUMBER = 80; //默认HTTP端口号 #endif- 1
pcap.h
#ifndef PCAP_H #define PCAP_H #include "base_type.h" #include <queue> #include <fstream> #include <iostream> using namespace std; #define PCAP_FILE_MAGIC_1 0Xd4 #define PCAP_FILE_MAGIC_2 0Xc3 #define PCAP_FILE_MAGIC_3 0Xb2 #define PCAP_FILE_MAGIC_4 0Xa1 /*pcap file header*/ typedef struct pcapFileHeader { uchar8_t magic[4]; uint16_t version_major; uint16_t version_minor; int32_t thiszone; /*时区修正*/ uint32_t sigfigs; /*精确时间戳*/ uint32_t snaplen; /*抓包最大长度*/ uint32_t linktype; /*链路类型*/ } pcapFileHeader_t; /*pcap packet header*/ typedef struct pcapPkthdr { uint32_t seconds; /*秒数*/ uint32_t u_seconds; /*毫秒数*/ uint32_t caplen; /*数据包长度*/ uint32_t len; /*文件数据包长度*/ } pcapPkthdr_t; class Pcap { public: Pcap(const char* fileName); ~Pcap(); void parsePcapFile(queue<string>& rawQueue); private: ifstream fileHandler; const char* fileName; }; #endif1
- 2
pcap类只有一个parsePcapFile接口,fileName记录pcap文件的名称
pcap.cpp
#include "pcap.h" Pcap::Pcap(const char* fileName) { this->fileName = fileName; } void Pcap::parsePcapFile(queue<string>& rawQueue) { pcapFileHeader_t pcapFileHeader = {0}; pcapPkthdr_t packetHeader = {0}; fileHandler.open(fileName); if (!fileHandler) { cout << "The file does not exits or file name is error" << endl; return; } //读取pcap文件头部长度 fileHandler.read((char8_t*)&pcapFileHeader, sizeof(pcapFileHeader)); if (pcapFileHeader.magic[0] != PCAP_FILE_MAGIC_1 || pcapFileHeader.magic[1] != PCAP_FILE_MAGIC_2 || pcapFileHeader.magic[2] != PCAP_FILE_MAGIC_3 || pcapFileHeader.magic[3] != PCAP_FILE_MAGIC_4) { cout << "The file is not a pcap file" << endl; return; } while (fileHandler.read((char8_t*)&packetHeader, sizeof(packetHeader))) { uint32_t len = packetHeader.caplen; // if (packetHeader.caplen != packetHeader.len) { //cout << "It is a invalid packet" << endl; //fileHandler.seekg(packetHeader.caplen, ios::cur); //continue; } char8_t *buf = new char8_t[len]; if (NULL == buf) { return; } fileHandler.read(buf, len); string temp(buf, len); rawQueue.push(temp); delete buf; } } Pcap::~Pcap() { fileHandler.close(); }- 1
其实Linux平台下的libpcap库也能处理pcap的离线文件,比如tcpflow的C++版本的-r参数就是处理pcap离线文件的
待时间充裕玩玩看看,分析出来个思路来.