WinPcap編程實質上就是對各種函數的熟悉和調用,因此本節對前面稍微做一下小結,對所用到的函數及數據類型進行歸納和總結,一是為了回顧所掌握的知識,二是加深印象,便於后面更好地學習。
常用函數和結構體
1. pcap_if_t結構體,表示適配器列表中的一項
/*
* Item in a list of interfaces.
*/
struct pcap_if {
struct pcap_if *next;
char *name; /* name to hand to "pcap_open_live()" */
char *description; /* textual description of interface, or NULL */
struct pcap_addr *addresses;
bpf_u_int32 flags; /* PCAP_IF_ interface flags */
};
typedef struct pcap_if pcap_if_t;
2. pcap_findalldevs_ex() 獲取適配器列表,返回0表示正常,-1表示出錯
int pcap_findalldevs_ex(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf);
3. pcap_freealldevs() 釋放適配器鏈表空間
void pcap_freealldevs(pcap_if_t *);
4. pcap_addr_t結構體,接口地址的表示形式
/*
* Representation of an interface address.
*/
struct pcap_addr {
struct pcap_addr *next;
struct sockaddr *addr; /* address */
struct sockaddr *netmask; /* netmask for that address */
struct sockaddr *broadaddr; /* broadcast address for that address */
struct sockaddr *dstaddr; /* P2P destination address for that address */
};
typedef struct pcap_addr pcap_addr_t;
5. sockaddr_in結構體,接口地址的表示形式
struct sockaddr_in {
short sin_family; //協議族
u_short sin_port; //協議端口
struct in_addr sin_addr; //
char sin_zero[8];
};
struct sockaddr {
u_short sa_family;
char sa_data[14];
}; //通用的socket地址
struct in_addr {
union {
struct { u_char s_b1,s_b2,s_b3,s_b4; } S_un_b;
struct { u_short s_w1,s_w2; } S_un_w;
u_long S_addr;
} S_un;
#define s_addr S_un.S_addr
#define s_host S_un.S_un_b.s_b2
#define s_net S_un.S_un_b.s_b1
#define s_imp S_un.S_un_w.s_w2
#define s_impno S_un.S_un_b.s_b4
#define s_lh S_un.S_un_b.s_b3
};
如上所示,上面定義了三種結構體:sockaddr_in、sockaddr和in_addr。簡單說一下這三個結構體,sockaddr是通用的socket地址,而sockaddr_in是具體到internet的socket地址,兩者之間可以進行類型轉換。而in_addr結構體就是32位IP地址。因為這些其實都是socket編程中的知識,所以只是稍微提一下,感興趣的可以細心研究一下。
6. pcap_open() 打開適配器
pcap_t *pcap_open(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf);
7. pcap_loop() 捕獲數據包,其中pcap_handler為回調函數指針
int pcap_loop ( pcap_t * p,
int cnt,
pcap_handler callback,
u_char * user
)
typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
const u_char *);
8. pcap_next_ex() 直接獲得一個數據包,非回調方法; pcap_pkthdr結構體表示dump文件中數據包首部
int pcap_next_ex ( pcap_t * p,
struct pcap_pkthdr ** pkt_header,
const u_char ** pkt_data
)
/*
* Generic per-packet information, as supplied by libpcap.
*
* The time stamp can and should be a "struct timeval", regardless of
* whether your system supports 32-bit tv_sec in "struct timeval",
* 64-bit tv_sec in "struct timeval", or both if it supports both 32-bit
* and 64-bit applications. The on-disk format of savefiles uses 32-bit
* tv_sec (and tv_usec); this structure is irrelevant to that. 32-bit
* and 64-bit versions of libpcap, even if they're on the same platform,
* should supply the appropriate version of "struct timeval", even if
* that's not what the underlying packet capture mechanism supplies.
*/
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
struct timeval {
long tv_sec;
long tv_usec;
};
9. pcap_compile() 編譯數據包過濾器,將程序中高級的過濾表達式,轉換成能被內核級的過濾引擎所處理的東西。
對於bpf_program結構體我們只需要知道它是pcap_compile()最終要得到用來過濾的東西。
int pcap_compile(pcap_t *, struct bpf_program *, const char *, int,
bpf_u_int32);
/*
* Structure for "pcap_compile()", "pcap_setfilter()", etc..
*/
struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
/*
* The instruction data structure.
*/
struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_u_int32 k;
};
10. pcap_setfilter() 在捕獲過程中綁定一個過濾器。
至於pcap結構體,它是一個已打開的捕捉實例的描述符。這個結構體對用戶來說是不透明的,它通過wpcap.dll提供的函數,維護了它的內容。
int pcap_setfilter(pcap_t *, struct bpf_program *);
typedef struct pcap pcap_t;
11. pcap_datalink() 返回適配器的鏈路層
int pcap_datalink(pcap_t *);
12. pcap_dump_open() 打開一個文件來寫入數據包;而pcap_dumper結構體表示libpcap存儲文件的描述符
pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
typedef struct pcap_dumper pcap_dumper_t;
13. pcap_dump() 將數據包保存到磁盤
void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
14. pcap_createsrcstr() 接收一組字符串(hot name,port,...),並根據新的格式,返回一個完整的源字符串(比如:'rpcap://1.2.3.4/eth0')
int pcap_createsrcstr(char *source, int type, const char *host, const char *port, const char *name, char *errbuf);
15. pcap_live_dump() 將捕獲保存到文件,它和pcap_dump()之間的區別在“處理脫機dump文件(下)”中有說明
int pcap_live_dump(pcap_t *p, char *filename, int maxsize, int maxpacks);
16. pcap_sendpacket() 發送raw數據包
int pcap_sendpacket(pcap_t *, const u_char *, int);
17. pcap_sendqueue_alloc() 創建發送隊列
pcap_sendqueue_queue() 向隊列加入要發送的數據包
pcap_sendqueue_transmit() 發送數據隊列
pcap_sendqueue_destroy() 釋放數據隊列
pcap_send_queue* pcap_sendqueue_alloc(u_int memsize);
int pcap_sendqueue_queue(pcap_send_queue* queue, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data);
u_int pcap_sendqueue_transmit(pcap_t *p, pcap_send_queue* queue, int sync);
void pcap_sendqueue_destroy(pcap_send_queue* queue);
18. pcap_send_queue結構體,發送數據報隊列的數據結構
/*!
\brief A queue of raw packets that will be sent to the network with pcap_sendqueue_transmit().
*/
struct pcap_send_queue
{
u_int maxlen; ///< Maximum size of the the queue, in bytes. This variable contains the size of the buffer field.
u_int len; ///< Current size of the queue, in bytes.
char *buffer; ///< Buffer containing the packets to be sent.
};
typedef struct pcap_send_queue pcap_send_queue;
19. pcap_setmode() 設置適配器工作模式
int pcap_setmode(pcap_t *p, int mode);
常用字段含義
PCAP_ERRBUF_SIZE libpcap錯誤信息緩沖的大小,值為256
PCAP_BUF_SIZE 最大緩沖大小,值為1024
PCAP_SRC_IF_STRING rpcap源字符串格式,值為“rpcap://”
PCAP_IF_LOOPBACK 用來判斷回環地址,值為0x00000001
PCAP_OPENFLAG_PROMISCUOUS 混雜模式,值為1
DLT_EN10MB 鏈路層為以太網