Sniffing packets in Linux without libpcap

Published 2024-11-25 01:54:36

I have been given a project for a course at university (network engineering) which involves writing a packet sniffer that can capture and identify IPv4, IPv6, TCP, UDP, IP, ICMP etc. packets and display their contents.

Originally we were directed to use libpcap to do this, but we have just been informed by one of the university technicians that it is not possible to use libpcap with the current installation (Arch linux).

What other ways are there to create a packet sniffer in C that does not use libpcap?

I am not asking for the answer to this project, I am just asking for direction, where I should start?

3 comments

著墨染雨君画夕 2024-12-02 01:54:36

I would go and ask someone more senior what you're actually supposed to be doing. There seem to be two completely different tasks here - one is parsing and displaying network packets and the other is interfacing with the OS/hardware to capture the packets. If you're supposed to be learning about the former, then you probably shouldn't spend time on the latter.

放飞的风筝 2024-12-02 01:54:36

Originally we were directed to use libpcap to do this, but we have just been informed by one of the university technicians that it is not possible to use libpcap with the current installation (Arch linux).

First thing I would advise is get a straight answer from the course tutor. If the technician means libpcap is not available, fine, you ought to be able to compile it. If the technician means they've (Arch, or the university) removed promiscuous mode drivers from the Linux kernel, there isn't a whole lot you can do. Either way, check what you're hearing.

Should you still need to do this, what's wrong with reading the libpcap source for guidance? pcap_loop is the function you're looking for, which calls read_op from a pcap_t struct. grep -irn "read_op = " * reveals several possible readers at the low level in libpcap:

grep -irn "read_op = " *
pcap-bpf.c:2231:    p->read_op = pcap_read_bpf;
pcap-bt-linux.c:172:    handle->read_op = bt_read_linux;
pcap.c:243: p->read_op = (read_op_t)pcap_not_initialized;
pcap-can-linux.c:99:    handle->read_op = can_read_linux;
pcap-dag.c:795: handle->read_op = dag_read;
pcap-dlpi.c:759:    p->read_op = pcap_read_dlpi;
pcap-libdlpi.c:217: p->read_op = pcap_read_libdlpi;
pcap-linux.c:1198:  handle->read_op = pcap_read_linux;
pcap-linux.c:3167:  handle->read_op = pcap_read_linux_mmap;
pcap-netfilter-linux.c:338: handle->read_op = nflog_read_linux;
pcap-nit.c:315: p->read_op = pcap_read_nit;
pcap-pf.c:486:  p->read_op = pcap_read_pf;
pcap-septel.c:213:  handle->read_op = septel_read;
pcap-sita.c:941:    handle->read_op = pcap_read_acn;
pcap-snf.c:236: p->read_op = snf_read;
pcap-snit.c:394:    p->read_op = pcap_read_snit;
pcap-snoop.c:381:   p->read_op = pcap_read_snoop;
pcap-usb-linux.c:341:           handle->read_op = usb_read_linux_mmap;
pcap-usb-linux.c:355:       handle->read_op = usb_read_linux_bin;
pcap-usb-linux.c:390:       handle->read_op = usb_read_linux;
pcap-win32.c:687:       p->read_op = pcap_read_win32_dag;
pcap-win32.c:694:       p->read_op = pcap_read_win32_npf;
savefile.c:323: p->read_op = pcap_offline_read;

Which one your system uses probably depends on the result of configure, but any of those would act as great starting points for working out how it works. Don't be afraid to take apart big projects like this - somebody else said "google is your friend". Well I think grep is your friend.
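As an added example (not part of this answer, nor code from libpcap): the Linux reader the grep above points at, pcap_read_linux in pcap-linux.c, is built on an AF_PACKET raw socket, and that socket can be opened directly from C, which is the "where should I start" the question asks for. The block below opens one, then identifies Ethernet/ARP, IPv4/IPv6 and TCP/UDP/ICMP/ICMPv6 headers on the raw frame bytes. The function names, the two sample frames (constructed, not captured traffic) and the struct layout are my own assumptions. Live capture needs root or CAP_NET_RAW; the parser runs unprivileged, and every length is checked before a field is read, because a sniffer parses whatever arrives on the wire and must never read past a short or malformed frame.

```c
/* Added example: minimal Linux sniffer without libpcap (AF_PACKET raw socket
 * plus a hand-written header parser). Build with: cc -Wall -o sniff sniff.c
 * Run as root or with CAP_NET_RAW for live capture. */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>          /* inet_ntop, htons (POSIX) */
#ifdef __linux__
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_packet.h>    /* AF_PACKET */
#include <net/ethernet.h>       /* ETH_P_ALL */
#endif

enum proto { PROTO_OTHER = 0, PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMPV6, PROTO_ARP };
static const char *const proto_name[] = { "other", "ICMP", "TCP", "UDP", "ICMPv6", "ARP" };

struct pkt_info {                 /* assumed layout for the decoded result */
    int ip_version;               /* 4, 6, or 0 for non-IP frames such as ARP */
    enum proto proto;
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    uint16_t sport, dport;        /* 0 unless TCP or UDP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Transport layer: only the port pair is decoded. IPv6 extension headers are
 * not walked, so a frame carrying one is reported as "other". */
static int parse_l4(uint8_t nh, const uint8_t *p, size_t left, struct pkt_info *out)
{
    switch (nh) {
    case 1:  out->proto = PROTO_ICMP;   return 0;
    case 58: out->proto = PROTO_ICMPV6; return 0;
    case 6:  out->proto = PROTO_TCP;    break;
    case 17: out->proto = PROTO_UDP;    break;
    default: out->proto = PROTO_OTHER;  return 0;
    }
    if (left < 4) return -1;      /* truncated transport header: do not read past the buffer */
    out->sport = rd16(p);
    out->dport = rd16(p + 2);
    return 0;
}

/* Ethernet -> IPv4/IPv6/ARP -> TCP/UDP/ICMP. Returns 0 on success, -1 when the
 * frame is truncated or of an unsupported type. */
int parse_frame(const uint8_t *f, size_t n, struct pkt_info *out)
{
    memset(out, 0, sizeof *out);
    if (n < 14) return -1;                      /* Ethernet: dst(6) src(6) ethertype(2) */
    uint16_t ethertype = rd16(f + 12);
    const uint8_t *p = f + 14;
    size_t left = n - 14;
    if (ethertype == 0x0806) { out->proto = PROTO_ARP; return 0; }
    if (ethertype == 0x0800) {                  /* IPv4 */
        if (left < 20) return -1;
        size_t ihl = (size_t)(p[0] & 0x0f) * 4; /* header length incl. options */
        if ((p[0] >> 4) != 4 || ihl < 20 || left < ihl) return -1;
        out->ip_version = 4;
        inet_ntop(AF_INET, p + 12, out->src, sizeof out->src);
        inet_ntop(AF_INET, p + 16, out->dst, sizeof out->dst);
        return parse_l4(p[9], p + ihl, left - ihl, out);
    }
    if (ethertype == 0x86DD) {                  /* IPv6: fixed 40-byte header */
        if (left < 40 || (p[0] >> 4) != 6) return -1;
        out->ip_version = 6;
        inet_ntop(AF_INET6, p + 8, out->src, sizeof out->src);
        inet_ntop(AF_INET6, p + 24, out->dst, sizeof out->dst);
        return parse_l4(p[6], p + 40, left - 40, out);
    }
    return -1;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t SAMPLE_IPV4_TCP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, proto 6 */
    10,0,0,1, 10,0,0,2,                                                        /* 10.0.0.1 -> 10.0.0.2 */
    0x04,0xd2, 0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0 };   /* TCP 1234 -> 443 */
static const uint8_t SAMPLE_IPV6_UDP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x86,0xdd,  /* Ethernet */
    0x60,0x00,0x00,0x00, 0x00,0x08, 17, 64,                                    /* IPv6, next hdr UDP */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,1,                              /* 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,2,                              /* 2001:db8::2 */
    0x00,0x35, 0x30,0x39, 0x00,0x08, 0x00,0x00 };                              /* UDP 53 -> 12345 */

/* 1 if the frame parses and decodes to exactly the expected fields, else 0. */
int frame_matches(const uint8_t *f, size_t n, int ver, enum proto pr,
                  const char *src, const char *dst, uint16_t sp, uint16_t dp)
{
    struct pkt_info i;
    if (parse_frame(f, n, &i) != 0) return 0;
    return i.ip_version == ver && i.proto == pr && strcmp(i.src, src) == 0 &&
           strcmp(i.dst, dst) == 0 && i.sport == sp && i.dport == dp;
}
int frame_parses(const uint8_t *f, size_t n) { struct pkt_info i; return parse_frame(f, n, &i) == 0; }

static void print_info(const struct pkt_info *i)
{
    if (i->ip_version == 0) { printf("%s frame\n", proto_name[i->proto]); return; }
    printf("IPv%d %s %s -> %s", i->ip_version, proto_name[i->proto], i->src, i->dst);
    if (i->proto == PROTO_TCP || i->proto == PROTO_UDP) printf(" ports %u -> %u", i->sport, i->dport);
    putchar('\n');
}

#ifdef __linux__
int main(void)
{
    /* SOCK_RAW keeps the Ethernet header; ETH_P_ALL delivers every protocol. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET) (needs CAP_NET_RAW)"); return 1; }
    uint8_t buf[65536];
    struct pkt_info info;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        if (parse_frame(buf, (size_t)n, &info) == 0) print_info(&info);
    }
    close(fd);
    return 0;
}
#endif
```

The split between capture (the `socket(AF_PACKET, ...)`/`recv` loop) and decoding (`parse_frame`) mirrors the two tasks the first comment distinguishes; the parser can be exercised on the constructed frames without any privileges, and truncating `SAMPLE_IPV4_TCP` to 30 or 36 bytes makes `parse_frame` return -1 rather than read stale memory.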

成熟稳重的好男人 2024-12-02 01:54:36

Why don't you use WireShark? It has packages for ArchLinux and is really fun to work with. I've used it myself with favorable results.

https://wiki.archlinux.org/index.php/Wireshark
