Libpcap tutorial-01

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Download the libpcap source from www.tcpdump.org.

Download libpcap for Win32 (WinPcap) from www.winpcap.org.

Check out a better pcap tutorial here

Front matter: This is a slightly modified and extended version of my older pcap tutorial. Revisiting this work five years later, I am necessarily dumber (age and beer) yet hopefully somewhat more knowledgeable. Contact information has changed, please send your hate-mail to casado at cs.stanford.edu.

Contents

Intro (You are already here)

Capturing our First Packet

Writing a Basic Packet Capturing Engine

Analyzing packets. (in progress)

Who this is for: This tutorial assumes a cursory knowledge of networks: what a packet is, Ethernet vs. IP vs. TCP vs. UDP, etc. If these concepts are foreign, I highly suggest you invest in a good (i.e. probably not one you can find at Best Buy) networking book. My favorites are:

Computer Networking: a Top-Down Approach Featuring the Internet (3rd Edition) by James F. Kurose, Keith W. Ross

UNIX Network Programming by W. Richard Stevens

The Protocols (TCP/IP Illustrated, Volume 1) by W. Richard Stevens

This tutorial does not assume any previous knowledge of network programming, just a basic familiarity with C. If you are already a pcap master, you might as well just read the man page (man 3 pcap). You should have a working C compiler on your system and libpcap installed. All source in this section was written and tested on Linux, kernel 2.2.14; while it should be mostly portable (hehe), I can't guarantee that it will compile or run on other operating systems. You are going to want to run as root, so be careful and be sure not to break your box in the meantime. Oh, and though I have tested and run all the code presented in this tutorial with no problems, I am NOT responsible if your shit breaks and has to be quarantined by the health department... Aka play at your own risk....

hcn# gcc ldev.c -lpcap

/* ldev.c
 * Compile with: gcc ldev.c -lpcap
 * Looks up a network device, then prints the network address and
 * subnet mask associated with it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>          /* GIMME a libpcap plz! */
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    char *dev;                     /* name of the device to use */
    char *net;                     /* dotted-quad network address */
    char *mask;                    /* dotted-quad subnet mask */
    int ret;                       /* return code */
    char errbuf[PCAP_ERRBUF_SIZE]; /* error message buffer */
    bpf_u_int32 netp;              /* network address */
    bpf_u_int32 maskp;             /* subnet mask */
    struct in_addr addr;

    /* ask pcap to find a valid device to sniff on */
    dev = pcap_lookupdev(errbuf);

    /* check whether a usable device was found */
    if (dev == NULL) {
        printf("%s\n", errbuf);
        exit(1);
    }

    /* print the device name */
    printf("DEV: %s\n", dev);

    /* ask pcap for the network address and mask of the device */
    ret = pcap_lookupnet(dev, &netp, &maskp, errbuf);

    /* check whether the lookup succeeded */
    if (ret == -1) {
        printf("%s\n", errbuf);
        exit(1);
    }

    /* convert the network address from network form to human-readable form */
    addr.s_addr = netp;
    net = inet_ntoa(addr);
    if (net == NULL) {
        perror("inet_ntoa");
        exit(1);
    }
    printf("NET: %s\n", net);

    /* do the same for the subnet mask */
    addr.s_addr = maskp;
    mask = inet_ntoa(addr);
    if (mask == NULL) {
        perror("inet_ntoa");
        exit(1);
    }
    printf("MASK: %s\n", mask);

    return 0;
}

If the compilation and execution are correct, the console will display the following information:

DEV: eth0

NET: 192.168.12.0

MASK: 255.255.255.0

The value for DEV is your default interface name (likely eth0 on Linux, could be eri0 on Solaris). The NET and MASK values are your primary interface's subnet and subnet mask. Don't know what those are? Might want to read this.

"So what did we just do?" you ask. Well, we just asked libpcap to give us some specs on an interface to listen on.

"What's an interface?"

Just think of an interface as your computer's hardware connection to whatever network your computer is connected to. On Linux, eth0 denotes the first Ethernet card in your computer. (By the way, you can list all of your interfaces using the ifconfig command.)

OK at this point we can compile a pcap program that essentially does nothing. On to grabbing our first packet...
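As an added example, not part of the original tutorial, the following C program works with the NET and MASK values in the form pcap_lookupnet() hands them back (32-bit values in network byte order) without needing libpcap to build. It converts them with the reentrant inet_ntop() rather than inet_ntoa(), whose result lives in a single static buffer so that two results held at once would alias, derives the prefix length from the mask, and checks whether a given host lies on the interface's subnet. The 192.168.12.0 / 255.255.255.0 values are the sample output above; 192.168.12.42 is a constructed host, and uint32_t stands in for bpf_u_int32 (an assumption: both are 32-bit unsigned) so the file compiles without pcap.h.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Added example, not the tutorial's code. uint32_t stands in for
 * libpcap's bpf_u_int32 (assumption: both are 32-bit unsigned) so this
 * file builds without pcap.h. All addresses are in network byte order,
 * exactly as pcap_lookupnet() fills netp and maskp. */

/* Write the dotted-quad form of a network-order address into buf.
 * Uses inet_ntop(), which is reentrant, instead of inet_ntoa(), whose
 * result lives in one static buffer shared by every call.
 * Returns 0 on success, -1 on failure. */
int net_to_str(uint32_t addr_net_order, char *buf, size_t len)
{
    struct in_addr in;
    in.s_addr = addr_net_order;
    return inet_ntop(AF_INET, &in, buf, len) == NULL ? -1 : 0;
}

/* Count the leading one bits of a netmask. Returns -1 if the mask is
 * not contiguous (ones followed only by zeros), which a valid interface
 * mask always is; a bogus mask is worth rejecting before it is used. */
int mask_prefix_len(uint32_t mask_net_order)
{
    uint32_t m = ntohl(mask_net_order);
    int n = 0;
    while (m & 0x80000000u) {
        n++;
        m <<= 1;
    }
    return m == 0 ? n : -1;
}

/* 1 if host belongs to the subnet described by (net, mask), else 0.
 * All three arguments are network byte order, so the AND works
 * byte-for-byte and needs no conversion. */
int addr_on_subnet(uint32_t host, uint32_t net, uint32_t mask)
{
    return (host & mask) == (net & mask);
}

/* Stand-alone demo using the tutorial's sample values as constructed
 * input in place of a real pcap_lookupnet() call. */
int main(void)
{
    struct in_addr tmp;
    uint32_t netp, maskp, host;
    char buf[INET_ADDRSTRLEN];

    inet_pton(AF_INET, "192.168.12.0", &tmp);  netp  = tmp.s_addr;
    inet_pton(AF_INET, "255.255.255.0", &tmp); maskp = tmp.s_addr;
    inet_pton(AF_INET, "192.168.12.42", &tmp); host  = tmp.s_addr; /* constructed host */

    if (net_to_str(netp, buf, sizeof buf) == 0)
        printf("NET:  %s\n", buf);
    if (net_to_str(maskp, buf, sizeof buf) == 0)
        printf("MASK: %s (/%d)\n", buf, mask_prefix_len(maskp));
    printf("192.168.12.42 on subnet: %s\n",
           addr_on_subnet(host, netp, maskp) ? "yes" : "no");
    return 0;
}
```

Newer libpcap releases (1.9 and later) mark pcap_lookupdev() deprecated in favour of pcap_findalldevs(), which returns every interface together with its addresses; the helpers above apply unchanged to the values either call provides.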
