2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/01 Report--
In this issue, Xiaobian explains how to write a network packet capture program under Linux. The article is detailed and written from a professional perspective; I hope you gain something from reading it.
UNIX-like operating systems provide three different ways to access the data link layer: BSD Packet Filter (BPF), SVR4 Data Link Provider Interface (DLPI), and Linux SOCK_PACKET interface. Fortunately, programmers don't need to know the details of these different interfaces, just use the Libpcap library.
Libpcap is an open source library that provides a high-level interface to network packet capture systems. Its role is to provide a platform-independent application programming interface, so that a program no longer needs a separate packet-capture module for each operating system. This solves the portability problem and improves development efficiency.
Libpcap runs on most UNIX-like operating systems; the complete documentation and source code can be obtained from tcpdump's official website, http://www.tcpdump.org, and its Windows version, WinPcap, is available from http://www.winpcap.org. The functions used to capture packets with Libpcap are described below:
char *pcap_lookupdev(char *errbuf);
Function: Find default devices for capturing packets
errbuf: Save error messages when errors occur
Return value: device name if successful; NULL if error
pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf);
Function: Turn on network devices used to capture packets
device: device name
snaplen: Maximum number of bytes of packets to capture
promisc: network device operating mode (0 indicates non-promiscuous mode, any other value indicates promiscuous mode)
to_ms: read timeout in milliseconds, i.e. how long to wait before copying buffered packets from kernel space
errbuf: Save error messages when errors occur
Return value: interface descriptor (handle) of type pcap_t is returned when successful; NULL is returned when error occurs.
const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h);
Function: Capture the next packet
p: interface descriptor
h: information about captured packets
Return value: pointer to captured data on success; NULL on error
typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes);
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user);
Function: Capture packets in a loop, calling callback once for each packet until cnt packets have been processed
p: interface descriptor
cnt: Number of packets to capture
callback: callback function executed when the packet is captured
user: parameter passed to callback function
Return value: 0 on success;-1 on error
int pcap_compile(pcap_t *p, struct bpf_program *fp, const char *str, int optimize, bpf_u_int32 netmask);
Function: Create filters
p: interface descriptor
fp: pointer to the struct holding the filter
str: filter rule to be converted
optimize: whether the filter is to be optimized
netmask: netmask
Return value: 0 on success;-1 on error
int pcap_setfilter(pcap_t *p, struct bpf_program *fp);
Function: Install filter
p: interface descriptor
fp: pointer to the struct containing the filter
Return value: 0 on success;-1 on error
The following example code captures and displays three ARP packets. The code is as follows:
#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXBYTES2CAPTURE 2048

/* Callback executed by pcap_loop() for every captured packet */
void ProcessPacket(u_char *arg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    unsigned int i = 0;
    int *counter = (int *)arg;

    printf("Packet Count : %d\n", ++(*counter));
    printf("Received Packet Size: %u\n", pkthdr->len);
    printf("Payload:\n");
    /* Dump only the bytes actually captured (caplen), 16 per line. len is the
       on-wire size and can be larger than the buffer when snaplen is small. */
    for (i = 0; i < pkthdr->caplen; i++)
    {
        printf("%02x ", (unsigned int)packet[i]);
        if ((i % 16 == 15) || (i == pkthdr->caplen - 1))
        {
            printf("\n");
        }
    }
    printf("\n\n************************************************\n");
}

int main(int argc, char *argv[])
{
    int count = 0;
    pcap_t *descr = NULL;
    char errbuf[PCAP_ERRBUF_SIZE], *device = NULL;
    bpf_u_int32 netaddr = 0, mask = 0;
    struct bpf_program filter;

    memset(errbuf, 0, sizeof(errbuf));

    /* Use the device named on the command line, otherwise the default device */
    if (argc != 2)
    {
        device = pcap_lookupdev(errbuf);
        if (device == NULL)
        {
            printf("error : %s\n", errbuf);
            exit(-1);
        }
    }
    else
    {
        device = argv[1];
    }
    printf("Try to open device %s\n", device);

    /* Open the device in promiscuous mode, keeping up to MAXBYTES2CAPTURE bytes per packet */
    if ((descr = pcap_open_live(device, MAXBYTES2CAPTURE, 1, 0, errbuf)) == NULL)
    {
        printf("error : %s\n", errbuf);
        exit(-1);
    }

    /* The netmask is needed by pcap_compile(); if lookup fails, mask stays 0 */
    if (pcap_lookupnet(device, &netaddr, &mask, errbuf) == -1)
    {
        printf("pcap_lookupnet warning : %s\n", errbuf);
    }

    /* Filter: ARP packets sent to or from the given MAC address */
    if (pcap_compile(descr, &filter, "arp and ether host 00:0c:29:b7:f6:33", 0, mask) < 0)
    {
        printf("pcap_compile error : %s\n", pcap_geterr(descr));
        exit(-1);
    }
    if (pcap_setfilter(descr, &filter) < 0)
    {
        printf("pcap_setfilter error : %s\n", pcap_geterr(descr));
        exit(-1);
    }

    /* Capture three packets; &count is handed to ProcessPacket as its user argument */
    pcap_loop(descr, 3, ProcessPacket, (u_char *)&count);

    pcap_freecode(&filter);
    pcap_close(descr);
    return 0;
}
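The program above only hex-dumps the ARP frames it captures. As an added example (not code from the original article), the decoder below shows what a callback would do with those bytes: it checks the Ethernet and ARP headers against the captured length before reading any field, so a truncated capture is rejected instead of read past the buffer, and it extracts the sender and target addresses. It does not need libpcap: the frame is a constructed byte array, and the captured length is passed in explicitly, exactly as ProcessPacket would pass pkthdr->caplen. The names parse_arp, arp_info and sample_arp_request are this example's own; the sample uses the MAC address from the article's filter with constructed IP addresses.

```c
/* Added example (not from the original article): a bounds-checked decoder for
 * the Ethernet/ARP frames that ProcessPacket() receives.  It needs no libpcap:
 * the frame is a constructed byte array and the captured length is passed in
 * explicitly, as pkthdr->caplen would be inside the callback. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ARP_PKT_LEN   28
#define ETHERTYPE_ARP 0x0806

struct arp_info {
    uint16_t opcode;           /* 1 = request, 2 = reply */
    uint8_t  sender_mac[6];
    uint8_t  sender_ip[4];
    uint8_t  target_mac[6];
    uint8_t  target_ip[4];
    int      eth_src_mismatch; /* 1 if Ethernet source != ARP sender hardware address */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode an Ethernet II frame carrying IPv4 ARP.  caplen is the number of
 * bytes actually present in the buffer; nothing beyond it is read.
 * Returns 0 on success, -1 if the frame is truncated or not IPv4-over-Ethernet ARP. */
int parse_arp(const uint8_t *frame, size_t caplen, struct arp_info *out)
{
    if (frame == NULL || out == NULL || caplen < ETH_HDR_LEN + ARP_PKT_LEN)
        return -1;
    if (be16(frame + 12) != ETHERTYPE_ARP)
        return -1;

    const uint8_t *arp = frame + ETH_HDR_LEN;
    /* htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4 */
    if (be16(arp) != 1 || be16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4)
        return -1;

    out->opcode = be16(arp + 6);
    memcpy(out->sender_mac, arp + 8, 6);
    memcpy(out->sender_ip, arp + 14, 4);
    memcpy(out->target_mac, arp + 18, 6);
    memcpy(out->target_ip, arp + 24, 4);
    /* A sender hardware address that differs from the frame's source MAC is
     * inconsistent and worth flagging when reviewing captured ARP traffic. */
    out->eth_src_mismatch = (memcmp(frame + 6, out->sender_mac, 6) != 0);
    return 0;
}

/* Constructed sample: an ARP request from the MAC used in the article's
 * filter (00:0c:29:b7:f6:33, here given IP 192.168.1.10) asking who has 192.168.1.1. */
const uint8_t sample_arp_request[42] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,      /* Ethernet destination: broadcast */
    0x00, 0x0c, 0x29, 0xb7, 0xf6, 0x33,      /* Ethernet source */
    0x08, 0x06,                              /* EtherType: ARP */
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04,      /* htype, ptype, hlen, plen */
    0x00, 0x01,                              /* opcode: request */
    0x00, 0x0c, 0x29, 0xb7, 0xf6, 0x33,      /* sender MAC */
    0xc0, 0xa8, 0x01, 0x0a,                  /* sender IP 192.168.1.10 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,      /* target MAC (unknown) */
    0xc0, 0xa8, 0x01, 0x01                   /* target IP 192.168.1.1 */
};

static void print_arp(const struct arp_info *a)
{
    printf("ARP %s: %02x:%02x:%02x:%02x:%02x:%02x (%u.%u.%u.%u) -> %u.%u.%u.%u%s\n",
           a->opcode == 1 ? "request" : a->opcode == 2 ? "reply" : "other",
           a->sender_mac[0], a->sender_mac[1], a->sender_mac[2],
           a->sender_mac[3], a->sender_mac[4], a->sender_mac[5],
           a->sender_ip[0], a->sender_ip[1], a->sender_ip[2], a->sender_ip[3],
           a->target_ip[0], a->target_ip[1], a->target_ip[2], a->target_ip[3],
           a->eth_src_mismatch ? " [source MAC mismatch]" : "");
}

int main(void)
{
    struct arp_info info;
    if (parse_arp(sample_arp_request, sizeof(sample_arp_request), &info) == 0)
        print_arp(&info);
    /* A truncated capture (e.g. a small snaplen) is rejected rather than over-read */
    if (parse_arp(sample_arp_request, 20, &info) != 0)
        printf("truncated frame rejected\n");
    return 0;
}
```

To use it from the capture program, call parse_arp(packet, pkthdr->caplen, &info) inside ProcessPacket; the length check is what makes the callback safe when snaplen is smaller than the frames on the wire.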
The above is how to write a network packet capture program under Linux, as shared by Xiaobian. If you have similar questions, you may wish to refer to the above analysis. If you want to know more, please follow the industry information channel.