Confused about libpcap (pcap) and wireless
Background: I'm teaching myself about packet sniffing. I run a very simple server in one shell, telnet to it from another, then try different methods to sniff on traffic. When I use raw sockets (IPPROTO_TCP), I capture what I send fine. I capture merely what I send, nothing else from the internet. libpcap's behavior confuses me as follows:
(1) First, to check it out, I capture all devices with pcap_findalldevs (see (2) below as well). I find wlan0 fine. If I connect to 'all traffic' (per the man page) using
if ( !( pcap_handle = pcap_open_live(NULL, 4096, 1, 0, errbuf) ) )
I capture what I send (plus more, see (3)). When I try to connect to it using
if ( !( pcap_handle = pcap_open_live("wlan0", 4096, 1, 0, errbuf) ) )
which to me seems the proper way of doing this, not 'all', I capture lots of general traffic, but nothing I send. Ideas?
(2) I first find all devices using pcap_findalldevs. As the pcap_if_t structure possibly has several elements, I print all those out, to see the following:
Devices found:
1. eth0 - None:
family: 17, address: 2.0.0.0
2. wlan0 - None:
family: 17, address: 3.0.0.0
family: AF_INET, address: 192.168.0.159
family: 10, address: 0.0.0.0
3. usbmon1 - USB bus number 1:
4. usbmon2 - USB bus number 2:
5. usbmon3 - USB bus number 3:
6. usbmon4 - USB bus number 4:
7. usbmon5 - USB bus number 5:
8. any - Pseudo-device that captures on all interfaces:
9. lo - None:
family: 17, address: 1.0.0.0
family: AF_INET, address: 127.0.0.1
family: 10, address: 0.0.0.0
I am all new to this. Some devices offer capturing of AF_INET (=IPv4), IPv6 (10), and packet (17). When I connect to "wlan0", how is it ensured that I connect to the proper one of the 'addresses' of some device? Is that related to the problem?
(3) When using raw sockets, I really only capture what I sent to my server. When I use libpcap, I also capture what, from the bytes printed out, must be internet headers. I am all new to this. If someone could elaborate what exactly I capture here which I don't capture on raw sockets, this would be appreciated. Are those UDP or ICMP packets which, by definition, my IPPROTO_TCP socket would not capture, which would be why I didn't see those using raw sockets?
Many thanks.
Edit: I work under Ubuntu 10.04 on a Toshiba netbook, using gcc/gdb combo.
, you're not seeing packets you send, if they're actually being sent over your Wi-Fi device. Are you sending them to other machines on your Wi-Fi network? If, for example, you're sending them to other processes on your machine, they'll show up onlo
, not onwlan0
(and if you send them to other machines on your Wi-Fi network, rather than to other processes on your machine, they will not show up onlo
- no, all traffic doesn't eventually go through the loopback interface).pcap_findalldevs()
is NOT a list of addresses for which you can capture on that interface, it's just a list of network addresses the system has for that interface. You don't get to choose which addresses for which to capture - it captures for all of them. You capture on an interface, not an address.pcap_datalink()
after callingpcap_open_live()
to find out the header type for the interface; see the list of link-layer types (pcap_datalink()
will return theDLT_
value, as listed there; don't assume the number given there is the same as theDLT_
value, compare with theDLT_
value by name).
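The answer's point that parsing must dispatch on the DLT_ value pcap_datalink() returns, and the question's point (3) about the extra headers libpcap shows compared with an IPPROTO_TCP raw socket, worked through as an added C example that is not part of the question or the answer. It assumes libpcap's DLT_ names (falling back to the numbers from libpcap's dlt.h only when its headers are not installed), builds its own sample Ethernet and Linux "cooked" frames, and does no live capture; after pcap_open_live() the real call would be ipv4_offset(pcap_datalink(handle), pkt, caplen).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Link-layer header length and protocol-type position depend on the DLT_ value that
 * pcap_datalink() returns; dispatch by name. Fallback numbers are libpcap's dlt.h values. */
#if __has_include(<pcap/dlt.h>)
#include <pcap/dlt.h>
#endif
#ifndef DLT_EN10MB
#define DLT_EN10MB    1    /* Ethernet: 14-byte header, EtherType at offset 12 */
#define DLT_LINUX_SLL 113  /* Linux "cooked" header (what the "any" device gives): 16 bytes */
#define DLT_RAW       12   /* no link-layer header; the number differs across platforms */
#endif
/* Constructed sample: 20-byte IPv4 header, protocol 6 (TCP), 192.168.0.159 -> 192.168.0.1. */
static const uint8_t IPV4_TCP[20] = { 0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00,
                                      0x40, 0x06, 0x00, 0x00, 192, 168, 0, 159, 192, 168, 0, 1 };
/* Offset of the IPv4 header in pkt for this DLT_, or -1 if the frame is too short,
 * the link type is not handled here, or the frame does not carry IPv4. */
long ipv4_offset(int dlt, const uint8_t *pkt, size_t len)
{
    size_t hdr_len, proto_at;
    switch (dlt) {
    case DLT_EN10MB:    hdr_len = 14; proto_at = 12; break;
    case DLT_LINUX_SLL: hdr_len = 16; proto_at = 14; break;
    case DLT_RAW:       hdr_len = 0;  proto_at = 0;  break;
    default:            return -1;       /* unknown DLT_: refuse to guess */
    }
    if (len < hdr_len + 20) return -1;   /* need the whole fixed IPv4 header */
    if (hdr_len && ((pkt[proto_at] << 8) | pkt[proto_at + 1]) != 0x0800) return -1;
    if ((pkt[hdr_len] >> 4) != 4) return -1; /* IP version nibble must be 4 */
    return (long)hdr_len;
}
/* IPv4 protocol field (6 TCP, 17 UDP, 1 ICMP): libpcap delivers them all, whereas an
 * IPPROTO_TCP raw socket only ever delivers TCP. */
int ipv4_protocol(const uint8_t *pkt, long ip_off) { return pkt[ip_off + 9]; }
/* Wraps the sample IPv4 header in the link-layer header of build_dlt, then parses it
 * assuming parse_dlt: the right DLT_ finds the IP header, the wrong one yields -1. */
long demo_offset(int build_dlt, int parse_dlt)
{
    static const uint8_t eth[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x00 };
    static const uint8_t sll[16] = { 0,4, 0,1, 0,6, 0,1,2,3,4,5,0,0, 0x08,0x00 };
    uint8_t buf[64];
    size_t n = 0;
    if (build_dlt == DLT_EN10MB)         { memcpy(buf, eth, 14); n = 14; }
    else if (build_dlt == DLT_LINUX_SLL) { memcpy(buf, sll, 16); n = 16; }
    memcpy(buf + n, IPV4_TCP, 20);
    return ipv4_offset(parse_dlt, buf, n + 20);
}
```

Parsing a capture from the "any" pseudo-device as if it were Ethernet is the classic way to end up reading garbage where the IP header should be; the mismatch cases return -1 here instead.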