-
Download libpcap source from www.tcpdump.org
here -
Download libpcap for win32 fromwww.winpcap.org
-
Check out a better pcap tutorial
here
Front matter: This is a slightly modified and extended version
of my older pcap tutorial. Revisiting this work five years later, I am
necessarily dumber (age and beer) yet hopefully somewhat more
knowledgeable. Contact information has changed, please send your
hate-mail to casado at cs.stanford.edu.
Contents
-
Intro (You are already here)
-
Capturing our First Packet
-
Writing a Basic Packet Capturing Engine
-
Analyzing packets..... (in progress)
Who this is for: This tutorial assumes a cursory
knowledge in networks; what a packet is, Ethernet vs. IP vs.
TCP vs. UDP etc. If these concepts are foreign I highly suggest
you invest in a good (e.g. probably can't find at Best Buy)
networking book. My favorites are:
-
Computer Networking : A Top-Down Approach Featuring the Internet
(3rd Edition) by James F. Kurose, Keith W. Ross -
UNIX Network Programming by W. Richard Stevens
-
The Protocols (TCP/IP Illustrated, Volume 1) by W. Richard Stevens
This tutorial does not assume any previous knowledge in network
programming, just a basic familiarity with c. If you already are a
c/c++ master, then you might as well just man 3 pcap. You should
have a working c compiler on your system and libpcap installed. All
source in this section was written and tested on linux, kernel 2.2.14,
while it should be mostly portable (hehe) I can't guarantee that it will
compile or run on other operating systems. You are going to want to run
as root so be careful and be sure not to break your box in the meantime.
Oh, and though I have tested and run all the code presented in this
tutorial with no problems, I am NOT responsible if your shit breaks and
has to be quarantined by the health department... aka play at your own
risk....
hcn# gcc ldev.c -lpcap
/* ldev.c
编译指令
>gcc ldev.c -lpcap
查询网卡, 展示与该网卡相关的网络地址和子网掩码
*/
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h> /* GIMME a libpcap plz! */
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int argc, char **argv)
{
char *dev; /* 网卡名称 */
char *net; /* 用点标识的网络地址 */
char *mask;/* 用点标识的子网掩码 */
int ret; /* 返回标识 */
char errbuf[PCAP_ERRBUF_SIZE]; /* 错误信息 */
bpf_u_int32 netp; /* 网络地址 */
bpf_u_int32 maskp; /* 子网掩码 */
struct in_addr addr;
/* 通过pcap去发现一个可用的网卡用于嗅探 */
dev = pcap_lookupdev(errbuf);
/* 检测是否找到可用网卡 */
if(dev == NULL)
{
printf("%s\n",errbuf);
exit(1);
}
/* 打印网卡名称 */
printf("DEV: %s\n",dev);
/* 通过pcap查询网卡的网络地址和子网掩码*/
ret = pcap_lookupnet(dev,&netp,&maskp,errbuf);
/* 检测上不操作是否成功 */
if(ret == -1)
{
printf("%s\n",errbuf);
exit(1);
}
/* 将网络地址从网络格式转化为人可读格式*/
addr.s_addr = netp;
net = inet_ntoa(addr);
/* 检测转化是否成功 */
if(net == NULL)
{
perror("inet_ntoa");
exit(1);
}
/* 打印网络地址*/
printf("NET: %s\n",net);
/* 将子网掩码地址从网络格式转为人可读格式*/
addr.s_addr = maskp;
mask = inet_ntoa(addr);
if(mask == NULL)
{
perror("inet_ntoa");
exit(1);
}
/* 打印子网掩码*/
printf("MASK: %s\n",mask);
return 0;
}
加入编译和执行正确,控制台将显示如下信息:
DEV: eth0
NET: 192.168.12.0
MASK: 255.255.255.0
The value for DEV is your default interface name (likely eth0 on linux,
could be eri0 on solaris). The NET and MASK values are your primary interface's
subnet and subnet mask. Don't know what those are? Might want to read
this.
"So what did we just do?", you ask. Well, we just asked libpcap
to give us some specs on an interface to listen on.
"Whats an interface?"
Just think of an interface as your computers hardware connection to
whatever network your computer is connected to. On Linux, eth0 denotes
the first Ethernet card in your computer. (btw you can list all of your
interfaces using the ifconfig command).
OK at this point we can compile a pcap program that essentially does
nothing. On to grabbing our first packet ...
