代码中出现一些错误 - libpcap

发布于 2025-01-05 19:28:56 字数 329 浏览 0 评论 0原文

我正在尝试用 C 解析 pcap 文件。我不想使用 libpcap。但由于某种原因，我无法这样做。你知道我该怎么做吗？这是我的尝试：

fseek(f,24,0);
while(count<20)//reading 20 packets
{ 
  fread(header,sizeof(struct pcap_pkthdr),1,f);
  //after this I'm printing values header fields
  fseek(f,ntohl(header->caplen),1);
  count++;
}

输出与 libpcap 不同。

原文

I'm trying to parse a pcap file in C. I don't want to use libpcap. But for some reason, I'm unable to. Do you know how can I do this ? Here is my attempt :

fseek(f,24,0);
while(count<20)//reading 20 packets
{ 
  fread(header,sizeof(struct pcap_pkthdr),1,f);
  //after this I'm printing values header fields
  fseek(f,ntohl(header->caplen),1);
  count++;
}

Output is not the same as libpcap.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

扮仙女 2025-01-12 19:28:56

struct pcap_pkthdr 不是定义 pcap 文件中数据包标头格式的结构；它是定义提供给使用 libpcap 或 WinPcap 的程序的数据包标头格式的结构。

在 pcap 文件中定义数据包标头格式的结构不出现在任何 pcap 包含文件中，因为 libpcap/WinPcap 提供了读取这些标头并根据需要将其转换为 pcap_pkthdr 的例程。标头。与 struct pcap_pkthdr 不同，pcap 文件中的数据包标头中的时间戳始终具有 32 位“秒”字段和 32 位“微秒”字段，即使在 time_t< 的系统上也是如此。 /code> 和 struct timeval 中的 tv_sec 值是 64 位。

即，该结构由以下方式定义

struct pcap_timeval {
    bpf_int32 tv_sec;           /* seconds */
    bpf_int32 tv_usec;          /* microseconds */
};


struct pcap_sf_pkthdr {
    struct pcap_timeval ts;     /* time stamp */
    bpf_u_int32 caplen;         /* length of portion present */
    bpf_u_int32 len;            /* length this packet (off wire) */   
};

，其中 struct pcap_sf_pkthdr 是文件中的结构。

另请注意，如果您从文件中读取struct pcap_sf_pkthdr，则必须进行字节交换ts.tv_sec、ts.tv_usec、 caplen 和 len IF 文件写入的计算机的字节顺序与您读取文件的计算机的字节顺序不同。像 ntohl() 这样简单的东西将无法工作 - 例如，如果您的文件是在与您正在读取它的同一台机器上写入的，则没有字节- 交换是必要的。

实现该功能的唯一方法是读取文件头，而不是仅仅使用 fseek() 跳过它。如果文件头中的“幻数”值为0xa1b2c3d4，那么您不需要进行任何字节交换；如果它的值为0xd4c3b2a1，则需要对文件头和struct pcap_sf_pkthdr中的值进行字节交换。请注意，如果您在 PowerPC 等大端机器上运行，则 ntohl() 和 htonl() 将不会进行字节交换/Power Architecture 机器或 MIPS 机器或 IBM 大型机或......

另请注意，并非所有捕获文件都将是 pcap 文件；如果它们是 pcap-NG 文件，则必须以完全不同的方式读取它们。 Libpcap 1.1 及更高版本知道如何读取 pcap-NG 文件（libpcap/WinPcap API 的功能不足以处理所有 pcap-NG 文件，但它可以处理 pcap-NG 文件等只有一个部分，并且只有来自一个网络适配器的数据包，libpcap 1.1 及更高版本可以读取这些数据包）。正如 unwind 建议的那样，我建议您使用 libpcap/WinPcap 来读取捕获文件，而不是编写自己的代码来执行此操作。

struct pcap_pkthdr is NOT the structure that defines the format of packet headers in a pcap file; it's the structure that defines the format of packet headers as provided to programs using libpcap or WinPcap.

The structure that defines the format of packet headers in a pcap file is NOT in any of the pcap include files, because libpcap/WinPcap provides routines that read those headers and transforms them as necessary to pcap_pkthdr headers. Unlike struct pcap_pkthdr, the time stamp in packet headers in a pcap file always have a 32-bit "seconds" field and a 32-bit "microseconds" field, even on systems where time_t and the tv_sec value in a struct timeval are 64 bits.

I.e., the structure is defined by

struct pcap_timeval {
    bpf_int32 tv_sec;           /* seconds */
    bpf_int32 tv_usec;          /* microseconds */
};


struct pcap_sf_pkthdr {
    struct pcap_timeval ts;     /* time stamp */
    bpf_u_int32 caplen;         /* length of portion present */
    bpf_u_int32 len;            /* length this packet (off wire) */   
};

where struct pcap_sf_pkthdr is the structure in the file.

Note also that, if you read a struct pcap_sf_pkthdr from a file, you will have to byte-swap ts.tv_sec, ts.tv_usec, caplen, and len IF the file was written on a machine whose byte order differs from the machine on which you're reading the file. Something as simple as ntohl() will NOT work - if, for example, your file was written on the same machine as the one on which you are reading it, no byte-swapping is necessary.

The ONLY way to make that work would be to READ the file header, rather than just skipping over it with fseek(). If the "magic number" in the file header has the value 0xa1b2c3d4, then you do not need to do any byte swapping; if it has the value 0xd4c3b2a1, you will need to byte-swap the values in the file header and the struct pcap_sf_pkthdr. Note that ntohl() and htonl() will NOT byte-swap if you're running on a big-endian machine such as a PowerPC/Power Architecture machine or a MIPS machine or an IBM mainframe or....

Note also that not all capture files are going to be pcap files; if they're pcap-NG files, they have to be read in a completely different fashion. Libpcap 1.1 and later know how to read pcap-NG files (the libpcap/WinPcap API isn't powerful enough to handle all pcap-NG files, but it can, for example, handle pcap-NG files that only have one section and only have packets from one network adapter, and libpcap 1.1 and later can read those). I would suggest, just as unwind suggested, that you use libpcap/WinPcap to read capture files, rather than writing your own code to do it.

回复收藏 0 原文

少女情怀诗 2025-01-12 19:28:56

确保您正确处理 pcap 文件格式的字节顺序。

此外，直接从磁盘加载整个结构很少是安全的，因为编译器可以随意在结构字段之间插入填充，这将使磁盘中的字节与内存中的字节不匹配。

我建议你使用官方库，因为这样这些问题就已经得到解决了。

回复收藏 0 原文

征﹌骨岁月お 2025-01-12 19:28:56

尝试这样的事情：

struct dump_pcap_pkthdr {
struct          timeval ts; /* time stamp */
unsigned int    caplen;     /* length of portion present */
unsigned int    len;        /* length this packet (off wire) */
};

struct dump_pcap_file_header {
unsigned int    magic;
unsigned short  version_major;
unsigned short  version_minor;
int             thiszone;   /* gmt to local correction */
unsigned int    sigfigs;    /* accuracy of timestamps */
unsigned int    snaplen;    /* max length saved portion of each pkt */
unsigned int    linktype;   /* data link type (LINKTYPE_*) */
};


static void read_pcap_file(char *file)
{
int fd    = -1;
struct dump_pcap_pkthdr packet_header    = {0};
struct dump_pcap_file_header pcap_header = {0};

fd = open(file, O_RDONLY);
if(fd < 0) {
    printf("Fail open file: %s\n", file);
    return;
}

if(read(fd, &pcap_header, sizeof(pcap_header)) != sizeof(pcap_header)) {
    printf("Failed to read TCPDump Header from file: %s\n", file);
    return;
}

while(1)
{
    r = read(fd, &packet_header, sizeof(packet_header));
    if(r != sizeof(packet_header))
        break;

    //print data           

    lseek(fd, packet_header.caplen, SEEK_CUR);
}

close(fd);
}

Try something like that:

struct dump_pcap_pkthdr {
struct          timeval ts; /* time stamp */
unsigned int    caplen;     /* length of portion present */
unsigned int    len;        /* length this packet (off wire) */
};

struct dump_pcap_file_header {
unsigned int    magic;
unsigned short  version_major;
unsigned short  version_minor;
int             thiszone;   /* gmt to local correction */
unsigned int    sigfigs;    /* accuracy of timestamps */
unsigned int    snaplen;    /* max length saved portion of each pkt */
unsigned int    linktype;   /* data link type (LINKTYPE_*) */
};


static void read_pcap_file(char *file)
{
int fd    = -1;
struct dump_pcap_pkthdr packet_header    = {0};
struct dump_pcap_file_header pcap_header = {0};

fd = open(file, O_RDONLY);
if(fd < 0) {
    printf("Fail open file: %s\n", file);
    return;
}

if(read(fd, &pcap_header, sizeof(pcap_header)) != sizeof(pcap_header)) {
    printf("Failed to read TCPDump Header from file: %s\n", file);
    return;
}

while(1)
{
    r = read(fd, &packet_header, sizeof(packet_header));
    if(r != sizeof(packet_header))
        break;

    //print data           

    lseek(fd, packet_header.caplen, SEEK_CUR);
}

close(fd);
}

回复收藏 0 原文

~没有更多了~