当前位置：网站首页>Network development kit Libpcap

Network development kit Libpcap

2022-07-22 03:05:00 【Amos_ zh】

Libpcap Main role of

Capture various packets : for example , Network traffic statistics .
Filter network packets : for example , Filter out some local data , It's like a firewall
Analyze network packets : for example , Analyze network protocol , Data collection
Storage network packets : for example , Save the captured data for future analysis

Libpcap Installation

sudo apt-get install libpcap-dev

You need to add pcap.h The header file
Compile with -lpcap

utilize libpcap The basic steps of developing application with function library ：

Turn on the network device
Set filtering rules （ Optional ）
Capture data
Turn off the network device

Common functions for capturing network packets

pcap_lookupdev( ) Look at the device name （ Optional ）
pcap_open_live( ) Turn on the device
pcap_lookupnet( ) Acquired devices IP（ Optional ）
pcap_compile( )、 pcap_setfilter( ) Set filtering rules （ Optional ）
pcap_next( ) Call to capture one message at a time
pcap_loop( ) Call once Keep capturing messages
pcap_open_live( ) Turn on the device , Get the handle of the device
pcap_close( ) Closing handle

Common functions for capturing network packets ( detailed )

1. Turn on the device , Get the handle of the device pcap_open_live()

pcap_t *pcap_open_live(const char *device,int snaplen,int promisc,int to_ms,char *ebuf)
 function ：
	 Open a network interface for capturing data 
 Return value ：
	 Return to one Libpcap Handle 
 Parameters ：
	device： The name of the network interface 
	snaplen： The length of the capture packet 
	promise：1 Represents a hybrid pattern , Other non hybrid models 
	to_ms： Waiting time 
	ebuf： Store error messages

2. Closing handle pcap_close()

void pcap_close(pcap_t *p)
 function ：
     close Libpcap operation , And destroy the corresponding resources 
 Parameters 
   p: Need to be closed Libpcap Handle 
 Return value ：
     nothing

3. Accept message function pcap_next() Call to accept one message at a time

const u_char *pcap_next(pcap_t *p,struct pcap_pkthdr *h)
 function ：
	 Capture a network packet 
 Parameters ：
    p：Libpcap Handle 
    h： Data packet head 
 Return value ：
     The address of the captured packet

struct pcap_pkthdr Structure information ： Record the time of receiving data and the length of the message

struct pcap_pkthdr {
    
	struct timeval ts; //  Time 
	bpf_u_int32 caplen; // Partial package length ( Basic and len equally )
	bpf_u_int32 len; //  Length of package 
}

4. Receive network data circularly pcap_loop

int pcap_loop(pcap_t *p,int cnt,pcap_handler callback,u_char *user)
 function :
     Loop capture network packets , Until an error is encountered or the exit condition is met ;
     Every time a packet is captured, it will call callback Indicates the callback function ,
     therefore , You can process packets in the callback function 
 Return value ：
     Successfully returns 0, Failure returns a negative number 
 Parameters :
    p: Libpcap Handle 
    cnt:  Specify the number of capture packets , If it is -1, Will catch forever 
    callback:  Callback function 
    user:  Parameters passed to the callback function

Definition of callback function

typedef void (*pcap_handler)(u_char *arg, const struct pacp_pkthdr *packet_header, const u_char *packet_content);

void callback(unsigned char * argument, const struct pcap_pkthdr *packet_header, const unsigned char *packet_content)
 Parameters 1：argument Deposit pcap_loop Handed over user User data 
 Parameters 2：packet_header  The time and length of storing the received message 
 Parameters 3：packet_content Received network frame data

5.pcap_compile: The rules of user identification convert to pcap Identified rules

int pcap_compile(pcap_t *p,struct bpf_program *program, char *buf,int optimize,bpf_u_int32 mask)
 function ：
     compile BPF Filtering rules 
 Return value ：
     Successfully returns 0, Failure to return -1
 Parameters :
    p：Libpcap Handle 
    program：bpf Filtering rules （pcap Identified rules ）
    buf： Filter rule string （ User identification rules    Focus ）
    optimize： Optimize 
    mask： Mask

6.pcap_setfilter: take pcap Identified rules Set to pcap In the handle that ends the data

int pcap_setfilter(pcap *p,struct bpf_program*fp)
 function ：
     Set up BPF Filtering rules 
 Return value ：
     Successfully returns 0, Failure to return -1
 Parameters :
    p：Libpcap Handle 
    fp：BPF Filtering rules

Filtering rules ：
Filtering rules 1 Filtering rules 2 Filtering rules 3 Filtering rules 4

demo

Case study 1： Use pcap_next Get data once

#include <stdio.h>
#include <pcap.h>

int main(int argc, char *argv[])
{
    
	// Open the network card "eth0", Get device handle 
	pcap_t *pcap_handler = pcap_open_live("eth0", 1500, 0, 0, NULL);
	
	// receive data 
	unsigned char *msg = NULL; //  Store the received frame data 
	struct pcap_pkthdr pck_hdr; //  The time for storing the received data and the length of the message 
	msg = pcap_next(pcap_handler, &pck_hdr);
	
	// Analytic message 
	printf(" packet length :%u\n", pck_hdr.caplen);
	unsigned char src_mac[18];// Store the points of the source port mac
	unsigned char dst_mac[18];// Store the points of the destination port mac
	sprintf(dst_mac, "%02x:%02x:%02x:%02x:%02x:%02x", msg[0],msg[1],msg[2],msg[3],msg[4],msg[5]);
	sprintf(src_mac, "%02x:%02x:%02x:%02x:%02x:%02x", msg[0+6],msg[1+6],msg[2+6],msg[3+6],msg[4+6],msg[5+6]);
	printf("%s -- > %s\n", src_mac, dst_mac);
	
	// Closing handle 
	pcap_close(pcap_handler);
	return 0;
}

Case study 2： Receive network data circularly pcap_loop

#include <stdio.h>
#include <pcap.h>

void callback(u_char *arg, const struct pacp_pkthdr *packet_header, const u_char *packet_content)
{
    
	unsigned char *msg = packet_content;
	unsigned char src_mac[18] = "";
	unsigned char dst_mac[18] = "";
	
	sprintf(src_mac, "%02x:%02x:%02x:%02x:%02x:%02x", msg[0], msg[1], msg[2], msg[3], msg[4], msg[5]);
	sprintf(dst_mac, "%02x:%02x:%02x:%02x:%02x:%02x", msg[0+6],msg[1+6],msg[2+6],msg[3+6],msg[4+6],msg[5+6]);
	printf("%s -- > %s\n", src_mac, dst_mac);
}
int main(int argc, char *argv[])
{
    
	// Open network interface eth0, Get handle 
	pcap_t * pcap_handler = pcap_open_live("eth0", 1500, 0, 0, NULL);
	
	// Receive network data circularly 
	pcap_loop(pcap_handler, 5, callback, NULL);
	
	// Closing handle 
	pcap_close(pcap_close);
	
	return 0;
}

Case study 3： Set filtering rules

#include <stdio.h>
#include <pcap.h>

void callback(u_char *arg, const struct pacp_pkthdr *packet_header, const u_char *packet_content)
{
    
	unsigned char *msg = packet_content;
	unsigned char src_mac[18] = "";
	unsigned char dst_mac[18] = "";
	
	sprintf(src_mac, "%02x:%02x:%02x:%02x:%02x:%02x", msg[0], msg[1], msg[2], msg[3], msg[4], msg[5]);
	sprintf(dst_mac, "%02x:%02x:%02x:%02x:%02x:%02x", msg[0+6],msg[1+6],msg[2+6],msg[3+6],msg[4+6],msg[5+6]);
	printf("%s -- > %s\n", src_mac, dst_mac);
}
int main(int argc, char *argv[])
{
    
	// Open network interface eth0, Get handle 
	pcap_t * pcap_handler = pcap_open_live("eth0", 1500, 0, 0, NULL);
	
	// Set filtering rules 
	struct bpf_program program;
	pcap_compile(pcap_handler, &program, "src port 9000", 0, 0xffffff00);
	pcap_setfilter(pcap_handler, &program);
	
	// Receive network data circularly 
	pcap_loop(pcap_handler, 5, callback, NULL);
	
	// Closing handle 
	pcap_close(pcap_close);
	
	return 0;
}