-
libpcap源码
2015-04-07 15:35:58libpcap是tcpdump的一个依赖文件 -
tcpdump/libpcap源码
2018-12-04 22:20:58tcpdump-4.9.2 and libpcap-1.9.0 source code and cross compile guide. -
libpcap源码分析
2016-01-04 13:45:05今天刚好在写总结,就将之前分析的libpcap文档与大家分享一下。 百度文库的地址:http://wenku.baidu.com/view/1a8fc4baa26925c52cc5bff2# 其中有部分是参考网上资料。 1、Libpcap介绍 Libpcap是Packet...展开全文今天刚好在写总结,就将之前分析的libpcap文档与大家分享一下。
百度文库的地址:http://wenku.baidu.com/view/1a8fc4baa26925c52cc5bff2#
其中有部分是参考网上资料。
1、Libpcap介绍
Libpcap是Packet Capture Library的英文缩写,即数据包捕获函数库。该库提供的C函数接口用于捕获及格过指定网络接口的数据包,该接口是被设为混杂模式。大多数网络监控软件都以它为基础,其提供的接口函数实现和封装了与数据包截获相关的过程。Libpcap提供了用户级别的网络数据包捕获接口,并充分考虑到引用程序的可移植性,可以在绝大多数类unix平台下工作。主要功能:
l 数据包捕获:捕获流经网卡的原始数据包
l 自定义数据包发送:构造任何格式的原始数据包
l 流量采集与统计:采集网络中的流量信息
l 规则过滤:提供自带规则过滤功能,按需要选择过滤规则
绝大多数的现代操作系统都提供了对底层网络数据包捕获的机制,在捕获机制之上可以建立网络监控(Network Monitoring)应用软件。网络监控也常简称为sniffer,其最初的目的在于对网络通信情况进行监控,以对网络的一些异常情况进行调试处理。但随着互连网的快速普及和网络攻击行为的频繁出现,保护网络的运行安全也成为监控软件的另一个重要目的。例如,网络监控在路由器,防火墙、入侵检查等方面使用也很广泛。本文分析了Libpcap在linux下的源代码实现,其中重点是linux的底层包捕获机制。
2、Libpcap的安装
Libpcap的下载地址: http://www.tcpdump.org/ 然后切换到下载的目录,解压压缩文件,配置,编译,安装。其命令如下:
cd ****
tar zxvf ****
./configure
Make
Make install
配置中如果出现错误,检查是否安装了所有的依赖包bison、m4、GNU、flex以及libpcap-dev。在运行的时候,是需要root权限的。
3、Libpcap工作原理
作为捕获网络数据包的库,它是一个独立于系统的用户级的API接口,为底层网络检测提供了可移植的框架。从广义的角度上看,一个包捕获机制包含三个主要部分:最底层是针对特定操作系统的包捕获机制,最高层是针对用户程序的接口,第三部分是包过滤机制。不同的操作系统实现的底层包捕获机制可能是不一样的,但从形式上看大同小异。数据包常规的传输路径依次为网卡、设备驱动层、数据链路层、网络层、传输层、应用层。而包捕获机制是在数据链路层增加一个旁路处理,对发送和接收到的数据包做过滤、缓冲等相关处理,最后直接传递到应用程序。值得注意的是,包捕获机制并不影响操作系统对数据包的网络栈处理。对用户程序而言,包捕获机制提供了一个统一的接口,使用户只需要简单的调用若干函数就能获得所期望的数据包。这样一来,针对特定操作系统的捕获机制对用户透明,使用户程序有比较好的可移植性。包过滤机制是对所捕获到的数据包根据用户的要求进行筛选,最终只把满足过滤条件的数据包传递给用户程序。如图1所示:
图1、包捕获机制
Libpcap源代码由20多个C文件构成,但在Linux系统下并不是所有文件都用到。可以通过查看命令make的输出了解实际所用的文件。本文所针对的Libpcap版本号为1.6.2
网络类型为常规以太网。Libpcap应用程序从形式上看很简单,其程序框架如图2所示:
图2、程序框架
在上面的流程中,通过查找网络设备,打开网络设备,获取网络参数,捕获数据包等操作简单的描述了一个抓包的流程。
4、函数功能介绍
4.1查找网络设备
Libpcap程序的第一步通常是在系统中找到合适的网络设备。网络接口在Linux网络体系中式一个很重要的概念,它是对具体网络硬件设备的一个抽象,在它的下面是具体的网卡驱动程序,而其上则是网络协议层。Linux中最常见的接口设备名eth0和lo。Lo称为回路设备,是一种逻辑意义上的设备,其主要目的是为了调试网络程序之间的通讯功能。Eth0对应实际的物理网卡,在真实网络环境下,数据包的发送和接收都要通过eth0。如果计算机有多个网卡,则还可以有更多的网络接口,如eth1,eth2等等。调用命令ifconfig可以列出当前所有活跃的接口及相关信息,注意对eth0的描述中技有物理网卡的MAC地址,也有网络协议的IP地址。查看文件/proc/net/dev也可以获得接口的信息。
Libpcap中检查网络设备中主要使用到的函数如下:
char * pcap_lookupdev(char * errbuf)
//上面这个函数返回第一个合适的网络接口的字符串指针,如果出错,则errbuf存放出错信息字符串,errbuf至少应该是PCAP_ERRBUF_SIZE个字节长度的
char *
pcap_lookupdev(errbuf)
register char *errbuf;
{
pcap_if_t *alldevs;
/* for old BSD systems, including bsdi3 */
#ifndef IF_NAMESIZE
#define IF_NAMESIZE IFNAMSIZ
#endif
static char device[IF_NAMESIZE + 1];
char *ret;
if (pcap_findalldevs(&alldevs, errbuf) == -1)
return (NULL);
if (alldevs == NULL || (alldevs->flags & PCAP_IF_LOOPBACK)) {
/*
* There are no devices on the list, or the first device
* on the list is a loopback device, which means there
* are no non-loopback devices on the list. This means
* we can't return any device.
*
* XXX - why not return a loopback device? If we can't
* capture on it, it won't be on the list, and if it's
* on the list, there aren't any non-loopback devices,
* so why not just supply it as the default device?
*/
(void)strlcpy(errbuf, "no suitable device found",
PCAP_ERRBUF_SIZE);
ret = NULL;
} else {
/*
* Return the name of the first device on the list.
*/
(void)strlcpy(device, alldevs->name, sizeof(device));
ret = device;
}
pcap_freealldevs(alldevs);
return (ret);
}
pcap_findalldevs_interfaces(alldevsp, errbuf)
//获取常规的网络接口
Libpcap调用上面的pcap_lookupdev()函数获得可用网络接口的设备名。首先利用函数pcap_findalldevs_interfaces()查找网络设备接口,其部分源码如下:
/*
* Create a socket from which to fetch the list of interfaces,
* and from which to fetch IPv4 information.
*/
fd4 = socket(AF_INET, SOCK_DGRAM, 0);
if (fd4 < 0) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"socket: %s", pcap_strerror(errno));
return (-1);
}
//创建socket套接字,为后面的数据传输。
/*
* How many entries will SIOCGLIFCONF return?
*/
ifn.lifn_family = AF_UNSPEC;
ifn.lifn_flags = 0;
ifn.lifn_count = 0;
if (ioctl(fd4, SIOCGLIFNUM, (char *)&ifn) < 0) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGLIFNUM: %s", pcap_strerror(errno));
(void)close(fd6);
(void)close(fd4);
return (-1);
}
/*
* Get the entries.
*/
ifc.lifc_len = buf_size;
ifc.lifc_buf = buf;
ifc.lifc_family = AF_UNSPEC;
ifc.lifc_flags = 0;
memset(buf, 0, buf_size);
if (ioctl(fd4, SIOCGLIFCONF, (char *)&ifc) < 0) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGLIFCONF: %s", pcap_strerror(errno));
(void)close(fd6);
(void)close(fd4);
free(buf);
return (-1);
}
利用ioctl函数,获取所有的设备名。保存到*alldevsp指针的入口参数里面。在pcap_lookupdev函数的最后通过使用函数strlcpy(device, alldevs->name, sizeof(device))将上面找到的设备名复制给device。最后返回给调用程序。
/* libpcap 自定义的接口信息链表 [pcap.h] */
struct pcap_if
{
struct pcap_if *next;
char *name; /* 接口设备名 */
char *description; /* 接口描述 */
/*接口的 IP 地址, 地址掩码, 广播地址,目的地址 */
struct pcap_addr addresses;
bpf_u_int32 flags; /* 接口的参数 */
};
网络设备
当设备找到后,下一步工作就是打开设备以准备捕获数据包。Libpcap的包捕获是建立在具体的操作系统所提供的捕获机制上,而Linux系统随着版本的不同,所支持的捕获机制也有所不同。
2.0 及以前的内核版本使用一个特殊的socket类型SOCK_PACKET,调用形式是socket(PF_INET, SOCK_PACKET, int protocol),但 Linux 内核开发者明确指出这种方式已过时。Linux 在 2.2及以后的版本中提供了一种新的协议簇 PF_PACKET 来实现捕获机制。PF_PACKET 的调用形式为 socket(PF_PACKET, int socket_type, int protocol),其中socket类型可以是 SOCK_RAW和SOCK_DGRAM。SOCK_RAW 类型使得数据包从数据链路层取得后,不做任何修改直接传递给用户程序,而 SOCK_DRRAM 则要对数据包进行加工(cooked),把数据包的数据链路层头部去掉,而使用一个通用结构 sockaddr_ll 来保存链路信息。
使 用 2.0 版本内核捕获数据包存在多个问题:首先,SOCK_PACKET 方式使用结构 sockaddr_pkt来保存数据链路层信息,但该结构缺乏包类型信息;其次,如果参数 MSG_TRUNC 传递给读包函数 recvmsg()、recv()、recvfrom() 等,则函数返回的数据包长度是实际读到的包数据长度,而不是数据包真正的长度。Libpcap 的开发者在源代码中明确建议不使用 2.0 版本进行捕获。
相对2.0版本SOCK_PACKET方式,2.2版本的PF_PACKET方式则不存在上述两个问题。在实际应用中,用 户程序显然希望直接得到"原始"的数据包,因此使用 SOCK_RAW 类型最好。但在下面两种情况下,libpcap 不得不使用SOCK_DGRAM类型,从而也必须为数据包合成一个"伪"链路层头部(sockaddr_ll)。打开网络设备的主函数是pcap_open_live,其任务就是通过给定的接口设备名,获得一个捕获句柄:pcap_t。Pcap_t结构体是大多数libpcap函数都要用到的参数,其中最重要的属性就是上面的socket方式的一种,位于pcap_int.h中,下面是pcap_t的结构:
/*
* We put all the stuff used in the read code path at the beginning,
* to try to keep it together in the same cache line or lines.
*/
struct pcap {
/*
* Method to call to read packets on a live capture.
*/
read_op_t read_op; //回调函数,用户获取数据包。
/*
* Method to call to read to read packets from a savefile.
*/
int (*next_packet_op)(pcap_t *, struct pcap_pkthdr *, u_char **);
#ifdef WIN32
ADAPTER *adapter;
LPPACKET Packet;
int nonblock;
#else
int fd; //文件描述符。实际就是socket
int selectable_fd;
#endif /* WIN32 */
/*
* Read buffer.
*/
int bufsize;
u_char *buffer;
u_char *bp;
int cc;
int break_loop; /* flag set to force break from packet-reading loop */强制从读数据包循环中跳出的标志
void *priv; /* private data for methods */
int swapped;
FILE *rfile; /* null if live capture, non-null if savefile */
int fddipad;
struct pcap *next; /* list of open pcaps that need stuff cleared on close */
/*
* File version number; meaningful only for a savefile, but we
* keep it here so that apps that (mistakenly) ask for the
* version numbers will get the same zero values that they
* always did.
*/
int version_major;
int version_minor;
int snapshot; //用户期望捕获数据包的最大长度,自定义的
int linktype; /* Network linktype */设备类型
int linktype_ext; /* Extended information stored in the linktype field of a file */
int tzoff; /* timezone offset */时区位置 偏移
int offset; /* offset for proper alignment */边界对齐偏移量
int activated; /* true if the capture is really started */
int oldstyle; /* if we're opening with pcap_open_live() */
struct pcap_opt opt;
/*
* Place holder for pcap_next().
*/
u_char *pkt;
/* We're accepting only packets in this direction/these directions. */
pcap_direction_t direction;
/*
* Placeholder for filter code if bpf not in kernel.
*/
//如果BPF过滤代码不能在内核中执行,则将其保存并在用户控件执行
struct bpf_program fcode;
//相关的函数指针,最终指向特定操作系统的处理函数。
char errbuf[PCAP_ERRBUF_SIZE + 1];
int dlt_count;
u_int *dlt_list;
int tstamp_type_count;
u_int *tstamp_type_list;
int tstamp_precision_count;
u_int *tstamp_precision_list;
struct pcap_pkthdr pcap_header; /* This is needed for the pcap_next_ex() to work */
/*
* More methods.
*/
activate_op_t activate_op;
can_set_rfmon_op_t can_set_rfmon_op;
inject_op_t inject_op;
setfilter_op_t setfilter_op;
setdirection_op_t setdirection_op;
set_datalink_op_t set_datalink_op;
getnonblock_op_t getnonblock_op;
setnonblock_op_t setnonblock_op;
stats_op_t stats_op;
/*
* Routine to use as callback for pcap_next()/pcap_next_ex().
*/
pcap_handler oneshot_callback;
#ifdef WIN32
/*
* These are, at least currently, specific to the Win32 NPF
* driver.
*/
setbuff_op_t setbuff_op;
setmode_op_t setmode_op;
setmintocopy_op_t setmintocopy_op;
getadapter_op_t getadapter_op;
#endif
cleanup_op_t cleanup_op;
};
函数pcap_open_live调用中,如果device为NULL或any,则对所有接口捕获,snaplen表示用户期望的捕获数据包最大长度,promisc表示设置接口为混杂模式,to_ms表示函数超时返回的时间。在pcap.c文件中找到pcap_open_live()函数,其源码如下:
pcap_t *
pcap_open_live(const char *source, int snaplen, int promisc, int to_ms, char *errbuf)
{
pcap_t *p;
int status;
p = pcap_create(source, errbuf);
if (p == NULL)
return (NULL);
status = pcap_set_snaplen(p, snaplen);
if (status < 0)
goto fail;
status = pcap_set_promisc(p, promisc);
if (status < 0)
goto fail;
status = pcap_set_timeout(p, to_ms);
if (status < 0)
goto fail;
/*
* Mark this as opened with pcap_open_live(), so that, for
* example, we show the full list of DLT_ values, rather
* than just the ones that are compatible with capturing
* when not in monitor mode. That allows existing applications
* to work the way they used to work, but allows new applications
* that know about the new open API to, for example, find out the
* DLT_ values that they can select without changing whether
* the adapter is in monitor mode or not.
*/
p->oldstyle = 1;
status = pcap_activate(p);
if (status < 0)
goto fail;
return (p);
fail:
if (status == PCAP_ERROR)
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", source,
p->errbuf);
else if (status == PCAP_ERROR_NO_SUCH_DEVICE ||
status == PCAP_ERROR_PERM_DENIED ||
status == PCAP_ERROR_PROMISC_PERM_DENIED)
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s (%s)", source,
pcap_statustostr(status), p->errbuf);
else
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", source,
pcap_statustostr(status));
pcap_close(p);
return (NULL);
}
从上面的源码可以看到,pcap_open_live函数首先调用pcap_create函数,这个函数里面的内容待会儿在下面进行分析,然后就是调用pcap_set_snaplen(p, snaplen)函数设置最大捕获包的长度,对于以太网数据包,最大长度为1518bytes,默认的可以设置成65535可以捕获所有的数据包。然后就是调用pcap_set_promisc(p, promisc)函数设置数据包的捕获模式,1为混杂模式(只有混杂模式才能接收所有经过该网卡设备的数据包)。pcap_set_timeout(p, to_ms)的作用是设置超时的时间,当应用程序在这个时间内没读到数据就返回。接着就是pcap_activate(p)函数了,这个也将在后面进行讲解。
在Libpcap源码为了支持多个操作系统,代码错综复杂。对于pcap_create函数,在很多地方都定义了该函数,下面是在source insight软件中的列表。
其源码如下:
pcap_t *
pcap_create(const char *source, char *errbuf)
{
size_t i;
int is_theirs;
pcap_t *p;
/*
* A null source name is equivalent to the "any" device -
* which might not be supported on this platform, but
* this means that you'll get a "not supported" error
* rather than, say, a crash when we try to dereference
* the null pointer.
*/
if (source == NULL)
source = "any";
/*
* Try each of the non-local-network-interface capture
* source types until we find one that works for this
* device or run out of types.
*/
for (i = 0; capture_source_types[i].create_op != NULL; i++) {
is_theirs = 0;
p = capture_source_types[i].create_op(source, errbuf, &is_theirs);
if (is_theirs) {
/*
* The device name refers to a device of the
* type in question; either it succeeded,
* in which case p refers to a pcap_t to
* later activate for the device, or it
* failed, in which case p is null and we
* should return that to report the failure
* to create.
*/
return (p);
}
}
/*
* OK, try it as a regular network interface.
*/
return (pcap_create_interface(source, errbuf));
}
首先,当传入的设备名为空就这是该source = “any”,any 表示所有的设备都能够获取数据包。接着就是用一个for循环来尝试用每个non-local-network-interface捕捉源类型,直到我们发现一种适合该设备或耗尽类型。如果没有找到,则调用pcap_create_interface(source, errbuf))函数的返回结果作为返回值。
下面为pcap_create_interface(source, errbuf)函数的源代码:
#endif /* SO_ATTACH_FILTER */
pcap_t *
pcap_create_interface(const char *device, char *ebuf)
{
pcap_t *handle;
handle = pcap_create_common(device, ebuf, sizeof (struct pcap_linux));
if (handle == NULL)
return NULL;
// pcap_create_common为初始化的函数,通过网卡设备的名字获得pcap_t*的句柄,然后再设定handle的回调函数。
handle->activate_op = pcap_activate_linux;
handle->can_set_rfmon_op = pcap_can_set_rfmon_linux;
#if defined(HAVE_LINUX_NET_TSTAMP_H) && defined(PACKET_TIMESTAMP)
/*
* We claim that we support:
*
* software time stamps, with no details about their precision;
* hardware time stamps, synced to the host time;
* hardware time stamps, not synced to the host time.
*
* XXX - we can't ask a device whether it supports
* hardware time stamps, so we just claim all devices do.
*/
handle->tstamp_type_count = 3;
handle->tstamp_type_list = malloc(3 * sizeof(u_int));
if (handle->tstamp_type_list == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
pcap_strerror(errno));
free(handle);
return NULL;
}
handle->tstamp_type_list[0] = PCAP_TSTAMP_HOST;
handle->tstamp_type_list[1] = PCAP_TSTAMP_ADAPTER;
handle->tstamp_type_list[2] = PCAP_TSTAMP_ADAPTER_UNSYNCED;
#endif
#if defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS)
/*
* We claim that we support microsecond and nanosecond time
* stamps.
*
* XXX - with adapter-supplied time stamps, can we choose
* microsecond or nanosecond time stamps on arbitrary
* adapters?
*/
handle->tstamp_precision_count = 2;
handle->tstamp_precision_list = malloc(2 * sizeof(u_int));
if (handle->tstamp_precision_list == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
pcap_strerror(errno));
if (handle->tstamp_type_list != NULL)
free(handle->tstamp_type_list);
free(handle);
return NULL;
}
handle->tstamp_precision_list[0] = PCAP_TSTAMP_PRECISION_MICRO;
handle->tstamp_precision_list[1] = PCAP_TSTAMP_PRECISION_NANO;
#endif /* defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) */
return handle;
}
为了能够支持不同的设备,pcap_create通过#ifdef进行区分,这样就将打开不同的设备集成在一个函数中,而在我们的应用中就是普通的网卡,所以它就是调用pcap_create_common函数,它在pcap.c中定义,感觉有点混乱,为什么不直接在pcap-linux.c中定义呢,个人观点,应该在pcap-linux中定义,显的直观些,害我跟踪的时候,还要到pcap.c中取找这个函数,因为libpcap还要兼容其它操作系统的原因吧,因为你把它放在pcap-linux.c,其它操作系统调用这个函数,就不方便了,从这一点考虑,libpcap的作者们的架构还是挺不错的。另外定义2个回调函数pcap_activate_linux和pcap_can_set_rfmon_linux函数。Pcap_create函数的返回值为pcap_t*类型的网卡的句柄。既然讲到了pcap_create函数,就必须跟踪到pcap_create_common函数及另外的2个回调函数中去。下面接着看pcap_create_common函数的源码:
pcap_t *
pcap_create_common(const char *source, char *ebuf, size_t size)
{
pcap_t *p;
p = pcap_alloc_pcap_t(ebuf, size);
if (p == NULL)
return (NULL);
p->opt.source = strdup(source);
if (p->opt.source == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
pcap_strerror(errno));
free(p);
return (NULL);
}
/*
* Default to "can't set rfmon mode"; if it's supported by
* a platform, the create routine that called us can set
* the op to its routine to check whether a particular
* device supports it.
*/
p->can_set_rfmon_op = pcap_cant_set_rfmon;
initialize_ops(p);
/* put in some defaults*/
pcap_set_snaplen(p, MAXIMUM_SNAPLEN); /* max packet size */
p->opt.timeout = 0; /* no timeout specified */
p->opt.buffer_size = 0; /* use the platform's default */
p->opt.promisc = 0;
p->opt.rfmon = 0;
p->opt.immediate = 0;
p->opt.tstamp_type = -1; /* default to not setting time stamp type */
p->opt.tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO;
return (p);
}
首先调用pcap_alloc_pcap_t函数给p分配内存。然后调用strdup函数。它的作用是复制字符串。返回指向被复制的字符串的指针。需要加头文件#include<string.h>。
在p->can_set_rfmon_op = pcap_cant_set_rfmon这句代码中,默认不设置rfmon 模式。而initialize_ops(p)函数的作用就是设置初始化的一系列回调函数。其中initialize_ops(p)函数的源代码如下:
static void
initialize_ops(pcap_t *p)
{
/*
* Set operation pointers for operations that only work on
* an activated pcap_t to point to a routine that returns
* a "this isn't activated" error.
*/
p->read_op = (read_op_t)pcap_not_initialized;
p->inject_op = (inject_op_t)pcap_not_initialized;
p->setfilter_op = (setfilter_op_t)pcap_not_initialized;
p->setdirection_op = (setdirection_op_t)pcap_not_initialized;
p->set_datalink_op = (set_datalink_op_t)pcap_not_initialized;
p->getnonblock_op = (getnonblock_op_t)pcap_not_initialized;
p->setnonblock_op = (setnonblock_op_t)pcap_not_initialized;
p->stats_op = (stats_op_t)pcap_not_initialized;
#ifdef WIN32
p->setbuff_op = (setbuff_op_t)pcap_not_initialized;
p->setmode_op = (setmode_op_t)pcap_not_initialized;
p->setmintocopy_op = (setmintocopy_op_t)pcap_not_initialized;
p->getadapter_op = pcap_no_adapter;
#endif
/*
* Default cleanup operation - implementations can override
* this, but should call pcap_cleanup_live_common() after
* doing their own additional cleanup.
*/
p->cleanup_op = pcap_cleanup_live_common;
/*
* In most cases, the standard one-shot callback can
* be used for pcap_next()/pcap_next_ex().
*/
p->oneshot_callback = pcap_oneshot;
}
pcap_create_common讲解完了,接着讲解pcap_create函数中的另外一个回调函数,pcap_activate_linux。通过搜索。发现在pcap_linux.c这个文件中。在整个pcap的架构中,把linux要用到的函数都集成到pcap_linux.c中,把多个操作系统共用的函数都放到了pcap.c中,例如前面分析的pcap_create_common、pcap_create_interface函数。下面讲解pcap_activate_linux这个源码。从pcap_activate_linux的源码可以看到,通过pcap_create_common对pcap_t * p设定初始值,其实就像c++的初始化函数一样,比如c++的构造函数,MFC的OninitDialog函数一样。初始化就是初始化,对于不同的系统,就要进行不同的设置了,在linux函数中pcap_activate_linux中可以看到又对pcap_create_common中初始化的回调函数又重新进行了设置,看到这里我就佩服libpcap的作者了,把pcap_create_common函数放到了pcap.c文件中。
/*
* Get a handle for a live capture from the given device. You can
* pass NULL as device to get all packages (without link level
* information of course). If you pass 1 as promisc the interface
* will be set to promiscous mode (XXX: I think this usage should
* be deprecated and functions be added to select that later allow
* modification of that values -- Torsten).
*/
static int
pcap_activate_linux(pcap_t *handle)
{
struct pcap_linux *handlep = handle->priv;
const char *device;
struct ifreq ifr;
int status = 0;
int ret;
device = handle->opt.source; //网卡的名字
/*
* Make sure the name we were handed will fit into the ioctls we
* might perform on the device; if not, return a "No such device"
* indication, as the Linux kernel shouldn't support creating
* a device whose name won't fit into those ioctls.
*
* "Will fit" means "will fit, complete with a null terminator",
* so if the length, which does *not* include the null terminator,
* is greater than *or equal to* the size of the field into which
* we'll be copying it, that won't fit.
*/
if (strlen(device) >= sizeof(ifr.ifr_name)) {
status = PCAP_ERROR_NO_SUCH_DEVICE;
goto fail;
}
handle->inject_op = pcap_inject_linux;
handle->setfilter_op = pcap_setfilter_linux;
handle->setdirection_op = pcap_setdirection_linux;
handle->set_datalink_op = pcap_set_datalink_linux;
handle->getnonblock_op = pcap_getnonblock_fd;
handle->setnonblock_op = pcap_setnonblock_fd;
handle->cleanup_op = pcap_cleanup_linux;
handle->read_op = pcap_read_linux;
handle->stats_op = pcap_stats_linux;
/*
* The "any" device is a special device which causes us not
* to bind to a particular device and thus to look at all
* devices.
*/
if (strcmp(device, "any") == 0) {
if (handle->opt.promisc) {
handle->opt.promisc = 0;
/* Just a warning. */
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"Promiscuous mode not supported on the \"any\" device");
status = PCAP_WARNING_PROMISC_NOTSUP;
}
}
handlep->device = strdup(device);
if (handlep->device == NULL) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s",
pcap_strerror(errno) );
return PCAP_ERROR;
}
/* copy timeout value */
handlep->timeout = handle->opt.timeout;
/*
* If we're in promiscuous mode, then we probably want
* to see when the interface drops packets too, so get an
* initial count from /proc/net/dev
*/
if (handle->opt.promisc)
handlep->proc_dropped = linux_if_drops(handlep->device);
/*
* Current Linux kernels use the protocol family PF_PACKET to
* allow direct access to all packets on the network while
* older kernels had a special socket type SOCK_PACKET to
* implement this feature.
* While this old implementation is kind of obsolete we need
* to be compatible with older kernels for a while so we are
* trying both methods with the newer method preferred.
*/
//现在的内核是采用的PF_PACKET。对于以前的内核采用SOCK_PACKET
ret = activate_new(handle);
//activate_new函数的作用在没有定义PF_RING的情况下通过PF_PACKET接口建立socket,返回1表示成功,可以采用PF_PACKET建立socket,返回0表示失败,这时可以尝试采用SOCKET_PACKET接口建立socket,该函数也在pcap-linux.c中可以找到源码;根据status的返回值,确定3种不同的情况,返回1成功,表示采用的是PF_PACKET建立socket,而返回0的时候,又调用activate_old函数进行判断,如果activate_old函数返回1表示调用的是SOCK_PACKET建立socket,而activate_old返回0表示失败;第3种情况是status不等于上面的2个值,则表示失败。在下面将详细分析activate_new函数。
if (ret < 0) {
/*
* Fatal error with the new way; just fail.
* ret has the error return; if it's PCAP_ERROR,
* handle->errbuf has been set appropriately.
*/
status = ret;
goto fail;
}
if (ret == 1) {
/*
* Success.
* Try to use memory-mapped access.
*/
switch (activate_mmap(handle, &status)) {
case 1:
/*
* We succeeded. status has been
* set to the status to return,
* which might be 0, or might be
* a PCAP_WARNING_ value.
*/
return status;
case 0:
/*
* Kernel doesn't support it - just continue
* with non-memory-mapped access.
*/
break;
case -1:
/*
* We failed to set up to use it, or the kernel
* supports it, but we failed to enable it.
* ret has been set to the error status to
* return and, if it's PCAP_ERROR, handle->errbuf
* contains the error message.
*/
status = ret;
goto fail;
}
}
else if (ret == 0) {
/* Non-fatal error; try old way */
if ((ret = activate_old(handle)) != 1) {
/*
* Both methods to open the packet socket failed.
* Tidy up and report our failure (handle->errbuf
* is expected to be set by the functions above).
*/
status = ret;
goto fail;
}
}
/*
* We set up the socket, but not with memory-mapped access.
*/
if (handle->opt.buffer_size != 0) {
//如果buffer_size不为0,pcap_set_buffer_size设置了内核缓冲区的大小,而不是采用默认的内核缓冲区,因此首先通过setsockopt发送设置命令,然后调用malloc分配内存
/*
* Set the socket buffer size to the specified value.
*/
if (setsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF,
&handle->opt.buffer_size,
sizeof(handle->opt.buffer_size)) == -1) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"SO_RCVBUF: %s", pcap_strerror(errno));
status = PCAP_ERROR;
goto fail;
}
}
/* Allocate the buffer */
handle->buffer = malloc(handle->bufsize + handle->offset);
if (!handle->buffer) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
status = PCAP_ERROR;
goto fail;
}
/*
* "handle->fd" is a socket, so "select()" and "poll()"
* should work on it.
*/
handle->selectable_fd = handle->fd;
return status;
fail:
pcap_cleanup_linux(handle);
return status;
}
pcap_activate_linux函数分析完了。但是其到底是怎么建立通讯的还不是很清楚,现在进入activate_new函数进行分析,其源码如下:
/* ===== Functions to interface to the newer kernels ================== */
/*
* Try to open a packet socket using the new kernel PF_PACKET interface.
* Returns 1 on success, 0 on an error that means the new interface isn't
* present (so the old SOCK_PACKET interface should be tried), and a
* PCAP_ERROR_ value on an error that means that the old mechanism won't
* work either (so it shouldn't be tried).
*/
static int
activate_new(pcap_t *handle)
{
#ifdef HAVE_PF_PACKET_SOCKETS
struct pcap_linux *handlep = handle->priv;
const char *device = handle->opt.source;
int is_any_device = (strcmp(device, "any") == 0);
int sock_fd = -1, arptype;
#ifdef HAVE_PACKET_AUXDATA
int val;
#endif
int err = 0;
struct packet_mreq mr;
/*
* Open a socket with protocol family packet. If the
* "any" device was specified, we open a SOCK_DGRAM
* socket for the cooked interface, otherwise we first
* try a SOCK_RAW socket for the raw interface.
*/
sock_fd = is_any_device ?
socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) :
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
// 建立socket。当网卡设备名为any的时候用SOCK_DGRAM,当不为any时用SOCK_RAM 来建立。至于后面的通信就是在这里开始的。基于该socket描述符。在下面肯定有bind函数。
if (sock_fd == -1) {
if (errno == EINVAL || errno == EAFNOSUPPORT) {
/*
* We don't support PF_PACKET/SOCK_whatever
* sockets; try the old mechanism.
*/
return 0;
}
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "socket: %s",
pcap_strerror(errno) );
if (errno == EPERM || errno == EACCES) {
/*
* You don't have permission to open the
* socket.
*/
return PCAP_ERROR_PERM_DENIED;
} else {
/*
* Other error.
*/
return PCAP_ERROR;
}
}
/* It seems the kernel supports the new interface. */
handlep->sock_packet = 0;
/*
* Get the interface index of the loopback device.
* If the attempt fails, don't fail, just set the
* "handlep->lo_ifindex" to -1.
*
* XXX - can there be more than one device that loops
* packets back, i.e. devices other than "lo"? If so,
* we'd need to find them all, and have an array of
* indices for them, and check all of them in
* "pcap_read_packet()".
*/
handlep->lo_ifindex = iface_get_id(sock_fd, "lo", handle->errbuf);
/*
* Default value for offset to align link-layer payload
* on a 4-byte boundary.
*/
handle->offset = 0;
/*
* What kind of frames do we have to deal with? Fall back
* to cooked mode if we have an unknown interface type
* or a type we know doesn't work well in raw mode.
*/
if (!is_any_device) {
/* Assume for now we don't need cooked mode. */
handlep->cooked = 0;
if (handle->opt.rfmon) {
/*
* We were asked to turn on monitor mode.
* Do so before we get the link-layer type,
* because entering monitor mode could change
* the link-layer type.
*/
err = enter_rfmon_mode(handle, sock_fd, device);
if (err < 0) {
/* Hard failure */
close(sock_fd);
return err;
}
if (err == 0) {
/*
* Nothing worked for turning monitor mode
* on.
*/
close(sock_fd);
return PCAP_ERROR_RFMON_NOTSUP;
}
/*
* Either monitor mode has been turned on for
* the device, or we've been given a different
* device to open for monitor mode. If we've
* been given a different device, use it.
*/
if (handlep->mondevice != NULL)
device = handlep->mondevice;
}
arptype = iface_get_arptype(sock_fd, device, handle->errbuf);
if (arptype < 0) {
close(sock_fd);
return arptype;
}
map_arphrd_to_dlt(handle, arptype, device, 1);
if (handle->linktype == -1 ||
handle->linktype == DLT_LINUX_SLL ||
handle->linktype == DLT_LINUX_IRDA ||
handle->linktype == DLT_LINUX_LAPD ||
handle->linktype == DLT_NETLINK ||
(handle->linktype == DLT_EN10MB &&
(strncmp("isdn", device, 4) == 0 ||
strncmp("isdY", device, 4) == 0))) {
/*
* Unknown interface type (-1), or a
* device we explicitly chose to run
* in cooked mode (e.g., PPP devices),
* or an ISDN device (whose link-layer
* type we can only determine by using
* APIs that may be different on different
* kernels) - reopen in cooked mode.
*/
if (close(sock_fd) == -1) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"close: %s", pcap_strerror(errno));
return PCAP_ERROR;
}
sock_fd = socket(PF_PACKET, SOCK_DGRAM,
htons(ETH_P_ALL));
if (sock_fd == -1) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"socket: %s", pcap_strerror(errno));
if (errno == EPERM || errno == EACCES) {
/*
* You don't have permission to
* open the socket.
*/
return PCAP_ERROR_PERM_DENIED;
} else {
/*
* Other error.
*/
return PCAP_ERROR;
}
}
handlep->cooked = 1;
/*
* Get rid of any link-layer type list
* we allocated - this only supports cooked
* capture.
*/
if (handle->dlt_list != NULL) {
free(handle->dlt_list);
handle->dlt_list = NULL;
handle->dlt_count = 0;
}
if (handle->linktype == -1) {
/*
* Warn that we're falling back on
* cooked mode; we may want to
* update "map_arphrd_to_dlt()"
* to handle the new type.
*/
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"arptype %d not "
"supported by libpcap - "
"falling back to cooked "
"socket",
arptype);
}
/*
* IrDA capture is not a real "cooked" capture,
* it's IrLAP frames, not IP packets. The
* same applies to LAPD capture.
*/
if (handle->linktype != DLT_LINUX_IRDA &&
handle->linktype != DLT_LINUX_LAPD &&
handle->linktype != DLT_NETLINK)
handle->linktype = DLT_LINUX_SLL;
}
handlep->ifindex = iface_get_id(sock_fd, device,
handle->errbuf);
if (handlep->ifindex == -1) {
close(sock_fd);
return PCAP_ERROR;
}
//在这里出现了iface_bind函数。在该函数里面bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1进行绑定。
if ((err = iface_bind(sock_fd, handlep->ifindex,
handle->errbuf)) != 1) {
close(sock_fd);
if (err < 0)
return err;
else
return 0; /* try old mechanism */
}
} else {
/*
* The "any" device.
*/
if (handle->opt.rfmon) {
/*
* It doesn't support monitor mode.
*/
close(sock_fd);
return PCAP_ERROR_RFMON_NOTSUP;
}
/*
* It uses cooked mode.
*/
handlep->cooked = 1;
handle->linktype = DLT_LINUX_SLL;
/*
* We're not bound to a device.
* For now, we're using this as an indication
* that we can't transmit; stop doing that only
* if we figure out how to transmit in cooked
* mode.
*/
handlep->ifindex = -1;
}
/*
* Select promiscuous mode on if "promisc" is set.
*
* Do not turn allmulti mode on if we don't select
* promiscuous mode - on some devices (e.g., Orinoco
* wireless interfaces), allmulti mode isn't supported
* and the driver implements it by turning promiscuous
* mode on, and that screws up the operation of the
* card as a normal networking interface, and on no
* other platform I know of does starting a non-
* promiscuous capture affect which multicast packets
* are received by the interface.
*/
/*
* Hmm, how can we set promiscuous mode on all interfaces?
* I am not sure if that is possible at all. For now, we
* silently ignore attempts to turn promiscuous mode on
* for the "any" device (so you don't have to explicitly
* disable it in programs such as tcpdump).
*/
if (!is_any_device && handle->opt.promisc) {
memset(&mr, 0, sizeof(mr));
mr.mr_ifindex = handlep->ifindex;
mr.mr_type = PACKET_MR_PROMISC;
if (setsockopt(sock_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
&mr, sizeof(mr)) == -1) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"setsockopt: %s", pcap_strerror(errno));
close(sock_fd);
return PCAP_ERROR;
}
}
/* Enable auxillary data if supported and reserve room for
* reconstructing VLAN headers. */
#ifdef HAVE_PACKET_AUXDATA
val = 1;
if (setsockopt(sock_fd, SOL_PACKET, PACKET_AUXDATA, &val,
sizeof(val)) == -1 && errno != ENOPROTOOPT) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"setsockopt: %s", pcap_strerror(errno));
close(sock_fd);
return PCAP_ERROR;
}
handle->offset += VLAN_TAG_LEN;
#endif /* HAVE_PACKET_AUXDATA */
/*
* This is a 2.2[.x] or later kernel (we know that
* because we're not using a SOCK_PACKET socket -
* PF_PACKET is supported only in 2.2 and later
* kernels).
*
* We can safely pass "recvfrom()" a byte count
* based on the snapshot length.
*
* If we're in cooked mode, make the snapshot length
* large enough to hold a "cooked mode" header plus
* 1 byte of packet data (so we don't pass a byte
* count of 0 to "recvfrom()").
*/
if (handlep->cooked) {
if (handle->snapshot < SLL_HDR_LEN + 1)
handle->snapshot = SLL_HDR_LEN + 1;
}
handle->bufsize = handle->snapshot;
/*
* Set the offset at which to insert VLAN tags.
*/
switch (handle->linktype) {
case DLT_EN10MB:
handlep->vlan_offset = 2 * ETH_ALEN;
break;
case DLT_LINUX_SLL:
handlep->vlan_offset = 14;
break;
default:
handlep->vlan_offset = -1; /* unknown */
break;
}
#if defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS)
if (handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) {
int nsec_tstamps = 1;
if (setsockopt(sock_fd, SOL_SOCKET, SO_TIMESTAMPNS, &nsec_tstamps, sizeof(nsec_tstamps)) < 0) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "setsockopt: unable to set SO_TIMESTAMPNS");
close(sock_fd);
return PCAP_ERROR;
}
}
#endif /* defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) */
/*
* We've succeeded. Save the socket FD in the pcap structure.
*/
handle->fd = sock_fd;
return 1;
#else /* HAVE_PF_PACKET_SOCKETS */
strlcpy(ebuf,
"New packet capturing interface not supported by build "
"environment", PCAP_ERRBUF_SIZE);
return 0;
#endif /* HAVE_PF_PACKET_SOCKETS */
}
在activate_new函数中,主要涉及到socket的创建与bind。下面将pcap_activate_linux函数中定义的重要回调函数罗列出来:
handle->inject_op = pcap_inject_linux;
handle->setfilter_op = pcap_setfilter_linux;
handle->setdirection_op = pcap_setdirection_linux;
handle->set_datalink_op = pcap_set_datalink_linux;
handle->getnonblock_op = pcap_getnonblock_fd;
handle->setnonblock_op = pcap_setnonblock_fd;
handle->cleanup_op = pcap_cleanup_linux;
handle->read_op = pcap_read_linux;
handle->stats_op = pcap_stats_linux;
其中一个重要的回调函数就是pcap_read_linux。进入其源码,如下:
/*
* Read at most max_packets from the capture stream and call the callback
* for each of them. Returns the number of packets handled or -1 if an
* error occured.
*/
static int
pcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
{
/*
* Currently, on Linux only one packet is delivered per read,
* so we don't loop.
*/
return pcap_read_packet(handle, callback, user);
}
其中就只有一句,return pcap_read_packet(handle, callback, user)。调用pcap_read_packet读取数据包。在该函数中,初步断定是在后面的pcap_next、pcap_dispatch、pcap_loop这几个函数读包时调用的。下面开始分析pcap_read_packet函数,源码如下:
/*
* Read a packet from the socket calling the handler provided by
* the user. Returns the number of packets received or -1 if an
* error occured.
*/
static int
pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
{
struct pcap_linux *handlep = handle->priv;
u_char *bp; //数据包缓冲区指针
int offset;
//bp与捕获句柄pcap_t中handle->buffer之间的偏移量,其目的是为再加工模式捕获情况下,为合成的伪数据链路层头部流出空间
//PACKET_SOCKET方式下,recvfrom()返回sockeaddr_ll类型,而在SOCK_PACKET方式下返回sockaddr类型
#ifdef HAVE_PF_PACKET_SOCKETS
struct sockaddr_ll from;
struct sll_header *hdrp;
#else
struct sockaddr from;
#endif
#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI)
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg;
union {
struct cmsghdr cmsg;
char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))];
} cmsg_buf;
#else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */
socklen_t fromlen;
#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */
int packet_len, caplen;
struct pcap_pkthdr pcap_header;
//libpcap自定义的头部,pcap_pkthdr结构体如下:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
该结构体主要记录时间戳、抓取的数据包以及数据包长度。通常后两者的长度是一样的。
#ifdef HAVE_PF_PACKET_SOCKETS
/*
* If this is a cooked device, leave extra room for a
* fake packet header.
*/
//如果是加工模式,则在合成的链路层头部留出空间
if (handlep->cooked)
offset = SLL_HDR_LEN;
//其他两种方式下,链路层头部不做修改返回,不需要留出空间
else
offset = 0;
#else
/*
* This system doesn't have PF_PACKET sockets, so it doesn't
* support cooked devices.
*/
offset = 0;
#endif
/*
* Receive a single packet from the kernel.
* We ignore EINTR, as that might just be due to a signal
* being delivered - if the signal should interrupt the
* loop, the signal handler should call pcap_breakloop()
* to set handle->break_loop (we ignore it on other
* platforms as well).
* We also ignore ENETDOWN, so that we can continue to
* capture traffic if the interface goes down and comes
* back up again; comments in the kernel indicate that
* we'll just block waiting for packets if we try to
* receive from a socket that delivered ENETDOWN, and,
* if we're using a memory-mapped buffer, we won't even
* get notified of "network down" events.
*/
bp = handle->buffer + handle->offset;
#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI)
msg.msg_name = &from;
msg.msg_namelen = sizeof(from);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = &cmsg_buf;
msg.msg_controllen = sizeof(cmsg_buf);
msg.msg_flags = 0;
iov.iov_len = handle->bufsize - offset;
iov.iov_base = bp + offset;
#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */
do {
/*
* Has "pcap_breakloop()" been called?
*/
if (handle->break_loop) {
/*
* Yes - clear the flag that indicates that it has,
* and return PCAP_ERROR_BREAK as an indication that
* we were told to break out of the loop.
*/
handle->break_loop = 0;
return PCAP_ERROR_BREAK;
}
#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI)
packet_len = recvmsg(handle->fd, &msg, MSG_TRUNC);
//在这里以及后面的recvfrom函数,说明了定义不同的类型,其接受的数据的方式是不一样的。
#else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */
fromlen = sizeof(from);
//从内核中接收一个数据包,注意函数入参中对bp的位置的修正
packet_len = recvfrom(
handle->fd, bp + offset,
handle->bufsize - offset, MSG_TRUNC,
(struct sockaddr *) &from, &fromlen);
#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */
} while (packet_len == -1 && errno == EINTR);
/* Check if an error occured */
if (packet_len == -1) {
switch (errno) {
case EAGAIN:
return 0; /* no packet there */
case ENETDOWN:
/*
* The device on which we're capturing went away.
*
* XXX - we should really return
* PCAP_ERROR_IFACE_NOT_UP, but pcap_dispatch()
* etc. aren't defined to return that.
*/
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"The interface went down");
return PCAP_ERROR;
default:
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"recvfrom: %s", pcap_strerror(errno));
return PCAP_ERROR;
}
}
#ifdef HAVE_PF_PACKET_SOCKETS
//
if (!handlep->sock_packet) {
/*
* Unfortunately, there is a window between socket() and
* bind() where the kernel may queue packets from any
* interface. If we're bound to a particular interface,
* discard packets not from that interface.
*
* (If socket filters are supported, we could do the
* same thing we do when changing the filter; however,
* that won't handle packet sockets without socket
* filter support, and it's a bit more complicated.
* It would save some instructions per packet, however.)
*/
if (handlep->ifindex != -1 &&
from.sll_ifindex != handlep->ifindex)
return 0;
/*
* Do checks based on packet direction.
* We can only do this if we're using PF_PACKET; the
* address returned for SOCK_PACKET is a "sockaddr_pkt"
* which lacks the relevant packet type information.
*/
if (!linux_check_direction(handle, &from))
return 0;
}
#endif
#ifdef HAVE_PF_PACKET_SOCKETS
/*
* If this is a cooked device, fill in the fake packet header.
*/
//如果是加工模式,则合成伪链路层头部
if (handlep->cooked) {
/*
* Add the length of the fake header to the length
* of packet data we read.
*/
//首先修正捕获包数据的长度,加上链路层头部的长度
packet_len += SLL_HDR_LEN;
hdrp = (struct sll_header *)bp;
hdrp->sll_pkttype = map_packet_type_to_sll_type(from.sll_pkttype);
hdrp->sll_hatype = htons(from.sll_hatype);
hdrp->sll_halen = htons(from.sll_halen);
memcpy(hdrp->sll_addr, from.sll_addr,
(from.sll_halen > SLL_ADDRLEN) ?
SLL_ADDRLEN :
from.sll_halen);
hdrp->sll_protocol = from.sll_protocol;
}
#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI)
if (handlep->vlan_offset != -1) {
for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
struct tpacket_auxdata *aux;
unsigned int len;
struct vlan_tag *tag;
if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct tpacket_auxdata)) ||
cmsg->cmsg_level != SOL_PACKET ||
cmsg->cmsg_type != PACKET_AUXDATA)
continue;
aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg);
#if defined(TP_STATUS_VLAN_VALID)
if ((aux->tp_vlan_tci == 0) && !(aux->tp_status & TP_STATUS_VLAN_VALID))
#else
if (aux->tp_vlan_tci == 0) /* this is ambigious but without the
TP_STATUS_VLAN_VALID flag, there is
nothing that we can do */
#endif
continue;
len = packet_len > iov.iov_len ? iov.iov_len : packet_len;
if (len < (unsigned int) handlep->vlan_offset)
break;
bp -= VLAN_TAG_LEN;
memmove(bp, bp + VLAN_TAG_LEN, handlep->vlan_offset);
tag = (struct vlan_tag *)(bp + handlep->vlan_offset);
tag->vlan_tpid = htons(ETH_P_8021Q);
tag->vlan_tci = htons(aux->tp_vlan_tci);
packet_len += VLAN_TAG_LEN;
}
}
#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */
#endif /* HAVE_PF_PACKET_SOCKETS */
/*
* XXX: According to the kernel source we should get the real
* packet len if calling recvfrom with MSG_TRUNC set. It does
* not seem to work here :(, but it is supported by this code
* anyway.
* To be honest the code RELIES on that feature so this is really
* broken with 2.2.x kernels.
* I spend a day to figure out what's going on and I found out
* that the following is happening:
*
* The packet comes from a random interface and the packet_rcv
* hook is called with a clone of the packet. That code inserts
* the packet into the receive queue of the packet socket.
* If a filter is attached to that socket that filter is run
* first - and there lies the problem. The default filter always
* cuts the packet at the snaplen:
*
* # tcpdump -d
* (000) ret #68
*
* So the packet filter cuts down the packet. The recvfrom call
* says "hey, it's only 68 bytes, it fits into the buffer" with
* the result that we don't get the real packet length. This
* is valid at least until kernel 2.2.17pre6.
*
* We currently handle this by making a copy of the filter
* program, fixing all "ret" instructions with non-zero
* operands to have an operand of MAXIMUM_SNAPLEN so that the
* filter doesn't truncate the packet, and supplying that modified
* filter to the kernel.
*/
//修正捕获的数据包的成都,根据前面的讨论,SOCK_PACKET方式下长度可能是不准确的
caplen = packet_len;
if (caplen > handle->snapshot)
caplen = handle->snapshot;
/* Run the packet filter if not using kernel filter */
//如果没有使用内核级的包过滤,则在用户空间进行过滤
if (handlep->filter_in_userland && handle->fcode.bf_insns) {
if (bpf_filter(handle->fcode.bf_insns, bp,
packet_len, caplen) == 0)
{
/* rejected by filter */
//没有通过过滤,数据包被丢弃
return 0;
}
}
/* Fill in our own header data */
//填充libpcap自定义数据包头部数据:捕获时间,捕获的成都,真实的长度
/* get timestamp for this packet */
#if defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS)
if (handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) {
if (ioctl(handle->fd, SIOCGSTAMPNS, &pcap_header.ts) == -1) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"SIOCGSTAMPNS: %s", pcap_strerror(errno));
return PCAP_ERROR;
}
} else
#endif
{
if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
"SIOCGSTAMP: %s", pcap_strerror(errno));
return PCAP_ERROR;
}
}
pcap_header.caplen = caplen;
pcap_header.len = packet_len;
/*
* Count the packet.
*
* Arguably, we should count them before we check the filter,
* as on many other platforms "ps_recv" counts packets
* handed to the filter rather than packets that passed
* the filter, but if filtering is done in the kernel, we
* can't get a count of packets that passed the filter,
* and that would mean the meaning of "ps_recv" wouldn't
* be the same on all Linux systems.
*
* XXX - it's not the same on all systems in any case;
* ideally, we should have a "get the statistics" call
* that supplies more counts and indicates which of them
* it supplies, so that we supply a count of packets
* handed to the filter only on platforms where that
* information is available.
*
* We count them here even if we can get the packet count
* from the kernel, as we can only determine at run time
* whether we'll be able to get it from the kernel (if
* HAVE_TPACKET_STATS isn't defined, we can't get it from
* the kernel, but if it is defined, the library might
* have been built with a 2.4 or later kernel, but we
* might be running on a 2.2[.x] kernel without Alexey
* Kuznetzov's turbopacket patches, and thus the kernel
* might not be able to supply those statistics). We
* could, I guess, try, when opening the socket, to get
* the statistics, and if we can not increment the count
* here, but it's not clear that always incrementing
* the count is more expensive than always testing a flag
* in memory.
*
* We keep the count in "handlep->packets_read", and use that
* for "ps_recv" if we can't get the statistics from the kernel.
* We do that because, if we *can* get the statistics from
* the kernel, we use "handlep->stat.ps_recv" and
* "handlep->stat.ps_drop" as running counts, as reading the
* statistics from the kernel resets the kernel statistics,
* and if we directly increment "handlep->stat.ps_recv" here,
* that means it will count packets *twice* on systems where
* we can get kernel statistics - once here, and once in
* pcap_stats_linux().
*/
//累加捕获数据包数目,注意到在不同内核和捕获方式情况下数目可能不准确
handlep->packets_read++;
/* Call the user supplied callback function */
//调用用户定义的回调函数
callback(userdata, &pcap_header, bp);
return 1;
}
一直将怎个源码看一下,发现其中最主要的还是对数据包的接收,以及对其中的数据的收集整理,计数等操作。
在前面的几十页中,pcap_open_live还没有讲解完。就分析了其中的调用的一个pcap_create函数。这也体现了Libpcap的强大之处。下面将分析 pcap_open_live中的另一个函数pcap_activate(p)。其源码如下:
int
pcap_activate(pcap_t *p)
{
int status;
/*
* Catch attempts to re-activate an already-activated
* pcap_t; this should, for example, catch code that
* calls pcap_open_live() followed by pcap_activate(),
* as some code that showed up in a Stack Exchange
* question did.
*/
if (pcap_check_activated(p))
return (PCAP_ERROR_ACTIVATED);
status = p->activate_op(p);
//activate_op函数,通过搜索其原型为函数指针。它的初始化赋值在pcap-linux.c下410行。handle->activate_op = pcap_activate_linux;明白了在pcap_create中定义的pcap_activate_linux函数中赋值的回调函数activate_op终于在这里调用了。在pcap_create中只是赋值定义了该回调函数,而调用就是在这里。
if (status >= 0)
p->activated = 1;
else {
if (p->errbuf[0] == '\0') {
/*
* No error message supplied by the activate routine;
* for the benefit of programs that don't specially
* handle errors other than PCAP_ERROR, return the
* error message corresponding to the status.
*/
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s",
pcap_statustostr(status));
}
/*
* Undo any operation pointer setting, etc. done by
* the activate operation.
*/
initialize_ops(p);
}
return (status);
}
Pcap_open_live函数到现在终于分析完了。其实就pcap_create和pcap_activate两个函数。在pcap_create中主要是socket的建立和绑定。而在pcap_activate中定义的是接收消息回调函数的定义。接下来对pcap_loop函数的分析,其中肯定必定会调用该回调函数pcap_read_linux。在该回调函数中pcap_read_packet读取数据包。
4.3获取数据包
通过前面的分析,下面将讲解如何获取数据包,以及用户回调函数的处理。那就是pcap_loop函数。其源码如下:
int
pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
register int n;
for (;;) {
//读取本地文件。
if (p->rfile != NULL) {
/*
* 0 means EOF, so don't loop if we get 0.
*/
n = pcap_offline_read(p, cnt, callback, user);
} else {
/*
* XXX keep reading until we get something
* (or an error occurs)
*/
do {
n = p->read_op(p, cnt, callback, user);
} while (n == 0);
}
if (n <= 0)
return (n);
if (!PACKET_COUNT_IS_UNLIMITED(cnt)) {
cnt -= n;
if (cnt <= 0)
return (0);
}
}
}
首先通过判断rfile是否为空,为空,则进行后面的数据包的获取。不为空就处理本地文件的读取。p->read_op(p, cnt, callback, user)回调函数。搜索整个工程,发现其位于pcap-linux.c函数的1265行。在这行定义的回调函数,终于在这里进行了调用。该回调函数的分析在上面已经进行分析了,主要是获取数据包。也都详细的讲解了。在最后又一个callback(userdata, &pcap_header, bp);函数,是调用用户自定义的回调函数。最后通过处理用户传送的捕获数据长度的参数,当cnt为有限的时候就行减操作,知道小于等于0时,其代码如下:
if (!PACKET_COUNT_IS_UNLIMITED(cnt)) {
cnt -= n;
if (cnt <= 0)
return (0);
}
-
libpcap源码及分析
2010-08-14 13:14:16包含linux下libpcap源码以及源码分析文档 -
libpcap源码分析——pcap_open_live
2019-12-26 16:16:34libpcap是跨平台网络数据包捕获函数库... 以下分析源码时只列出核心逻辑 API: pcap_open_live 描述: 针对指定的网络接口创建一个捕获句柄,用于后续捕获数据 实现逻辑分析: @device- 指定网络接口名,比如"eth0"...展开全文libpcap是跨平台网络数据包捕获函数库:
注: 以下分析都基于libpcap-1.8.1版本进行
以下分析按照库的核心API为线索展开
以下分析源码时只列出核心逻辑API: pcap_open_live
描述: 针对指定的网络接口创建一个捕获句柄,用于后续捕获数据
实现逻辑分析:
@device - 指定网络接口名,比如"eth0"。如果传入NULL或"any",则意味着对所有接口进行捕获
@snaplen - 设置每个数据包的捕捉长度,上限MAXIMUM_SNAPLEN
@promisc - 是否打开混杂模式
@to_ms - 设置获取数据包时的超时时间(ms)
备注:to_ms值会影响3个捕获函数(pcap_next、pcap_loop、pcap_dispatch)的行为
pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf) { pcap_t *p; // 基于指定的设备接口创建一个pcap句柄 p = pcap_create(device, errbuf); // 设置最大捕获包的长度 status = pcap_set_snaplen(p, snaplen); // 设置数据包的捕获模式 status = pcap_set_promisc(p, promisc); // 设置执行捕获操作的持续时间 status = pcap_set_timeout(p, to_ms); // 使指定pcap句柄进入活动状态,这里实际包含了创建捕获套接字的动作 status = pcap_activate(p); return p; } pcap_t *pcap_create(const char *device, char *errbuf) { pcap_t *p; char *device_str; // 转储传入的设备名,如果传入NULL,则设置为"any" if (device == NULL) device_str = strdup("any"); else device_str = strdup(device); // 创建一个普通网络接口类型的pcap句柄 p = pcap_create_interface(device_str, errbuf); p->opt.device = device_str; return p; } pcap_t *pcap_create_interface(const char *device, char *ebuf) { pcap_t *handle; // 创建并初始化一个包含私有空间struct pcap_linux的pcap句柄 handle = pcap_create_common(ebuf, sizeof (struct pcap_linux)); // 在刚创建了该pcap句柄后,这里首先覆盖了2个回调函数 handle->activate_op = pcap_activate_linux; handle->can_set_rfmon_op = pcap_can_set_rfmon_linux; } pcap_t *pcap_create_common(char *ebuf, size_t size) { pcap_t *p; // 申请一片连续内存,用作包含size长度私有空间的pcap句柄,其中私有空间紧跟在该pcap结构后 p = pcap_alloc_pcap_t(ebuf, size); // 为新建的pcap句柄注册一系列缺省的回调函数,这些缺省的回调函数大部分会在后面覆盖为linux下对应回调函数 p->can_set_rfmon_op = pcap_cant_set_rfmon; initialize_ops(p); return p; } int pcap_set_snaplen(pcap_t *p, int snaplen) { // 设置该pcap句柄捕获包的最大长度前,需要确保当前并未处于活动状态 if (pcap_check_activated(p)) return (PCAP_ERROR_ACTIVATED); // 如果传入了无效的最大包长,则会设置为缺省值 if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN) snaplen = MAXIMUM_SNAPLEN; p->snapshot = snaplen; } int pcap_set_promisc(pcap_t *p, int promisc) { // 设置该pcap句柄关联接口的数据包捕获模式前,需要确保当前并未处于活动状态 if (pcap_check_activated(p)) return (PCAP_ERROR_ACTIVATED); p->opt.promisc = promisc; } int pcap_set_timeout(pcap_t *p, int timeout_ms) { // 设置该pcap句柄执行捕获操作的持续时间前,需要确保当前并未处于活动状态 if (pcap_check_activated(p)) return (PCAP_ERROR_ACTIVATED); p->opt.timeout = timeout_ms; } int pcap_activate(pcap_t *p) { int status; // 确保没有进行重复激活 if (pcap_check_activated(p)) return (PCAP_ERROR_ACTIVATED); // 调用事先注册的activate_op方法,完成对该pcap句柄的激活,这个过程中会创建用于捕获的套接字,以及尝试开启PACKET_MMAP机制 status = p->activate_op(p); return status; } int pcap_activate_linux(pcap_t *handle) { int status; // 获取该pcap句柄的私有空间 struct pcap_linux *handlep = handle->priv; device = handle->opt.device; // 为该pcap句柄注册linux平台相关的一系列回调函数(linux平台的回调函数又分为2组,这里缺省注册了一组不使用PACKET_MMAP机制的回调) handle->inject_op = pcap_inject_linux; handle->setfilter_op = pcap_setfilter_linux; handle->setdirection_op = pcap_setdirection_linux; handle->set_datalink_op = pcap_set_datalink_linux; handle->getnonblock_op = pcap_getnonblock_fd; handle->setnonblock_op = pcap_setnonblock_fd; handle->cleanup_op = pcap_cleanup_linux; handle->read_op = pcap_read_linux; handle->stats_op = pcap_stats_linux; // "any"设备不支持混杂模式 if (strcmp(device, "any") == 0) { if (handle->opt.promisc) handle->opt.promisc = 0; } handlep->device = strdup(device); handlep->timeout = handle->opt.timeout; // 开启混杂模式的接口,需要先从/proc/net/dev中获取该接口当前"drop"报文数量 if (handle->opt.promisc) handlep->proc_dropped = linux_if_drops(handlep->device); /* 创建用于捕获接口收到的原始报文的套接字 * 备注:旧版本的kernel使用SOCK_PACKET类型套接字来实现对原始报文的捕获,这种过时的方式不再展开分析 * 较新的kernel使用PF_PACKET来实现该功能 */ ret = activate_new(handle); // 这里只分析成功使用PF_PACKET创建套接字的情况 if (ret == 1) { /* 尝试对新创建的套接字开启PACKET_MMAP功能 * 备注:旧版本的kernel不支持开启PACKET_MMAP功能,所以只能作为普通的原始套接字使用 * 较新版本的kernel逐渐开始支持v1、v2、v3版本的PACKET_MMAP,这里将会尝试开启当前系统支持的最高版本PACKET_MMAP */ switch (activate_mmap(handle, &status)) { case 1: // 返回1意味着成功开启PACKET_MMAP功能,这里是为poll选择一个合适的超时时间 set_poll_timeout(handlep); return status; case 0: // 返回0意味着kernel不支持PACKET_MMAP break; } } /* 程序运行到这里只有2种可能: * 通过新式的PF_PACKET创建了套接字,但不支持PACKET_MMAP特性时 * 通过老式的SOCKET_PACKET创建了套接字之后 */ // 如果配置了套接字接收缓冲区长度,就在这里进行设置 if (handle->opt.buffer_size != 0) { setsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF,&handle->opt.buffer_size,sizeof(handle->opt.buffer_size)); } // 不开启PACKET_MMAP的情况下,就在这里分配用户空间接收缓冲区 handle->buffer = malloc(handle->bufsize + handle->offset); handle->selectable_fd = handle->fd; } int activate_new(pcap_t *handle) { struct pcap_linux *handlep = handle->priv; const char *device = handle->opt.device; int is_any_device = (strcmp(device, "any") == 0); struct packet_mreq mr; // 如果是名为"any"的接口,则创建SOCK_DGRAM类型的套接字;通常情况下都是创建SOCK_RAW类型的套接字 sock_fd = is_any_device ? socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) : socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); // 记录下环回接口的序号 handlep->lo_ifindex = iface_get_id(sock_fd, "lo", handle->errbuf); handle->offset = 0; // 对于接口名不是"any"的接口,如果其接口类型未定义或者属于一种不支持工作在raw模式下的接口,这些接口仍旧要回退到cooked模式 if (!is_any_device) { // 获取该接口的硬件类型,linux中专门用ARPHRD_*来标识设备接口类型 arptype = iface_get_arptype(sock_fd, device, handle->errbuf); /* pcap中使用DLT_*来标识设备接口,所以这里就是将ARPHRD_*映射成对应的DLT_* * 除此之外,还会根据接口类型修改offset,从而确保 offset + 2层头长度 实现4字节对齐 */ map_arphrd_to_dlt(handle, sock_fd, arptype, device, 1); // 符合以下情况的都需要回退到cooked模式 if (handle->linktype == -1 || handle->linktype == DLT_LINUX_SLL || handle->linktype == DLT_LINUX_IRDA || handle->linktype == DLT_LINUX_LAPD || handle->linktype == DLT_NETLINK || (handle->linktype == DLT_EN10MB && (strncmp("isdn", device, 4) == 0 || strncmp("isdY", device, 4) == 0))) { close(sock_fd); sock_fd = socket(PF_PACKET, SOCK_DGRAM,htons(ETH_P_ALL)); handlep->cooked = 1; } // 获取该接口的序号 handlep->ifindex = iface_get_id(sock_fd, device,handle->errbuf); // 将创建的套接字绑定到该设备接口上 iface_bind(sock_fd, handlep->ifindex,handle->errbuf); } else { // 对于接口名为"any"的接口,直接将其设置为cooked模式 handlep->cooked = 1; handle->linktype = DLT_LINUX_SLL; // 接口名为"any"的接口只是一个泛指,实际不存在这个接口,所以也不进行绑定 handlep->ifindex = -1; } // 在非"any"设备接口上开启混杂模式 if (!is_any_device && handle->opt.promisc) { memset(&mr, 0, sizeof(mr)); mr.mr_ifindex = handlep->ifindex; mr.mr_type = PACKET_MR_PROMISC; setsockopt(sock_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,&mr, sizeof(mr); } /* 使能对辅助数据的支持,辅助数据主要就是报文的vlan头信息,同时将offset增加vlan标签字段长 * 备注:后续如果启用了PACKET_MMAP V3机制,就不需要在这里启用该功能了 */ int val = 1; setsockopt(sock_fd, SOL_PACKET, PACKET_AUXDATA, &val,sizeof(val)); handle->offset += VLAN_TAG_LEN; // 加工模式下必须确保最大包的长度不小于 SLL_HDR_LEN + 1 if (handlep->cooked) if (handle->snapshot < SLL_HDR_LEN + 1) handle->snapshot = SLL_HDR_LEN + 1; handle->bufsize = handle->snapshot; // 设置vlan标签的偏移量 switch (handle->linktype) { case DLT_EN10MB: // 普通以太网设备VLAN标签位于目的mac和源mac之后位置 handlep->vlan_offset = 2 * ETH_ALEN; break; case DLT_LINUX_SLL: // cooked模式下的设备VLAN标签记录在sll_header->sll_protocol字段 handlep->vlan_offset = SLL_HDR_LEN - 2; break; } // 配置该pcap句柄的时间戳精度 if (handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) { int nsec_tstamps = 1; setsockopt(sock_fd, SOL_SOCKET, SO_TIMESTAMPNS, &nsec_tstamps, sizeof(nsec_tstamps)); } handle->fd = sock_fd; return 1; }相关数据结构:
// 对一个接口执行捕获操作的句柄结构 struct pcap { read_op_t read_op; // 在该接口上进行读操作的回调函数(linux上就是 pcap_read_linux / pcap_read_linux_mmap_v3) int fd; // 该接口关联的套接字 int selectable_fd; // 通常就是fd u_int bufsize; // 接收缓冲区的有效大小,该值初始时来自用户配置的snapshot,当开启PACKET_MMAP时,跟配置的接收环形缓冲区tp_frame_size值同步 void *buffer; /* 当开启PACKET_MMAP时,指向一个成员为union thdr结构的数组,记录了接收环形缓冲区中每个帧的帧头; * 当不支持PACKET_MMAP时,指向用户空间的接收缓冲区,其大小为 bufsize + offset */ int cc; // 跟配置的接收环形缓冲区tp_frame_nr值同步(由于pcap中内存块数量和帧数量相等,所以本字段也就是内存块数量) int break_loop; // 标识是否强制退出循环捕获 void *priv; // 指向该pcap句柄的私有空间(紧跟在本pcap结构后),linux下就是struct pcap_linux struct pcap *next; // 这张链表记录了所有已经打开的pcap句柄,目的是可以被用于关闭操作 int snapshot; // 该pcap句柄支持的最大捕获包的长度,对于普通的以太网接口可以设置为1518,对于环回口可以设置为65549,其他情况下可以设置为MAXIMUM_SNAPLEN int linktype; // 接口的链路类型,对于以太网设备/环回设备,通常就是DLT_EN10MB int offset; // 该值跟接口链路类型相关,目的是确保 offset + L2层头长度 实现4字节对齐 int activated; // 标识该pcap句柄是否处于运作状态,处于运作状态的pcap句柄将不允许进行修改 struct pcap_opt opt; // 该句柄包含的一个子结构 pcap_direction_t direction; // 捕包方向 struct bpf_program fcode; // BPF过滤模块 int dlt_count; // 该设备对应的dlt_list中元素数量,通常为2 u_int *dlt_list; // 指向该设备对应的DLT_*列表 activate_op_t activate_op; // 对应回调函数:pcap_activate_linux can_set_rfmon_op_t can_set_rfmon_op; // 对应回调函数:pcap_can_set_rfmon_linux inject_op_t inject_op; // 对应回调函数:pcap_inject_linux setfilter_op_t setfilter_op; // 对应回调函数:pcap_setfilter_linux / pcap_setfilter_linux_mmap setdirection_op_t setdirection_op; // 对应回调函数:pcap_setdirection_linux set_datalink_op_t set_datalink_op; // 对应回调函数:pcap_set_datalink_linux getnonblock_op_t getnonblock_op; // 对应回调函数:pcap_getnonblock_fd / pcap_getnonblock_mmap setnonblock_op_t setnonblock_op; // 对应回调函数:pcap_setnonblock_fd / pcap_setnonblock_mmap stats_op_t stats_op; // 对应回调函数:pcap_stats_linux pcap_handler oneshot_callback; // 对应回调函数:pcap_oneshot_mmap cleanup_op_t cleanup_op; // 对应回调函数:pcap_cleanup_linux_mmap } // pcap句柄包含的一个子结构 struct pcap_opt { char *device; // 接口名,比如"eth0" int timeout; // 该pcap句柄进行捕获操作的持续时间(ms),0意味着不超时 u_int buffer_size; // 接收缓冲区长度,缺省就是2M. 当PACKET_MMAP开启时,该值用来配置接收环形缓冲区;当不支持PACKET_MMAP时,该值用来配置套接字的接收缓冲区 int promisc; // 标识该pcap句柄是否开启混杂模式,需要注意的是,"any"设备不允许开启混杂模式 int rfmon; // 表示该pcap句柄是否开启监听模式,该模式只用于无线网卡 int immediate; // 标识收到报文时是否立即传递给用户 int tstamp_type; // 该pcap句柄使用的时间戳类型 int tstamp_precision; // 该pcap句柄使用的时间戳精度 } // 跟pcap句柄关联的linux平台私有空间 struct pcap_linux { u_int packets_read; // 统计捕获到的包数量 long proc_dropped; // 统计丢弃的包数量 char *device; // 接口名,同步自pcap->opt.device int filter_in_userland; // 标识用户空间是否需要过滤包 int timeout; // 进行捕获操作的持续时间,同步自pcap->opt.timeout int sock_packet; // 0意味着使用了PF_PACKET方式创建的套接字 int cooked; // 1意味着使用了SOCK_DGRAM类型套接字,0意味着使用了SOCK_RAW类型套接字 int ifindex; // 对于普通的以太网接口,这里记录了其接口序号 int lo_ifindex; // 记录了环回接口序号 u_char *mmapbuf; // 接收环形缓冲区在用户进程中的映射地址 size_t mmapbuflen; // mmap实际映射的接收环形缓冲区长度 int vlan_offset; // VLAN标签距离报文头部的偏移量,普通以太网链路上该值为12;cooked模式下为sll_header->sll_protocol字段 u_int tp_version; // 环形缓冲区的版本号 u_int tp_hdrlen; // 环形缓冲区的帧头长(跟环形缓冲区版本有关) int poll_timeout; // poll系统调用传入的超时参数,默认来自上面的timeout,但TPACKET_V3在3.19版本之前不允许不超时 unsigned char *current_packet; // (仅用于TPACKET_V3)指向当前待处理的帧 int packets_left; // (仅用于TPACKET_V3)待处理的帧数量 }
-
libpcap-1.7.4 安装包源码
2015-10-20 15:59:11libpcap是unix/linux平台下的网络数据包捕获函数包, 大多数网络监控软件都以它为基础。 本资源是libpcap1.7.4的源码 -
Linux下Libpcap源码分析和包过滤机制
2011-10-03 16:20:59Linux下Libpcap源码分析和包过滤机制。分析的很好,胜似看源代码。 -
linux 下 tcpdump 详解 前篇(libpcap库源码分析)
2019-08-23 15:29:11三 libpcap 源码理解 这里主要分析 pcap_open_live() , pcap_compile(),pcap_setfilter() ,pcap_loop四个接口函数 看函数前先介绍个重要的结构体 pcap_t typedef struct pcap pcap_t; struct pcap { read_op_t ...展开全文一 概述
用简单的话来定义tcpdump,就是:dump the traffic on a network,根据使用者的定义对网络上的数据包进行截获的包分析工具。 至于tcpdump参数如何使用,这不是本章讨论的重点。
liunx系统抓包工具,毫无疑问就是tcpdump。而windows的抓包工具,wireshark也是一款主流的抓包工具。wireshark 使用了winpcap库。tcpdump 基于 libpcap库。而winpcap库是类似于linux下的libpcap。 因此本文着重探讨libpcap库的原理。二 libpcap库使用
在了解libpcap库原理前,先说下libpcap 库的几个接口。一般情况下我们要使用libpcap库抓包,会用到下面几个接口函数
1.打开一个用于捕获数据的网络接口pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf) / * ------------------------------------- device:网络接口的名字,为第一步获取的网络接口字符串(pcap_lookupdev() 的返回值 ),也可人为指定,如“eth0”。 snaplen:捕获数据包的长度,长度不能大于 65535 个字节。 promise:“1” 代表混杂模式,其它非混杂模式。 to_ms:指定需要等待的毫秒数,超过这个数值后,获取数据包的函数就会立即返回(这个函数不会阻塞,后面的抓包函数才会阻塞)。0 表示一直等待直到有数据包到来。 ebuf:存储错误信息。 -------------------------------------------------------*/2 获取指定网卡的 ip 地址,子网掩码
int pcap_lookupnet(const char *, bpf_u_int32 *, bpf_u_int32 *, char *); / *------------------------------------- device:网络设备名,为第一步获取的网络接口字符串(pcap_lookupdev() 的返回值 ),也可人为指定,如“eth0”。 netp:存放 ip 地址的指针,bpf_u_int32 为 32 位无符号整型 maskp:存放子网掩码的指针,bpf_u_int32 为 32 位无符号整型 errbuf:存放出错信息 -------------------------------------------------------*/3 编译 BPF 过滤规则
int pcap_compile(pcap_t *, struct bpf_program *, const char *, int, bpf_u_int32); / * ------------------------------------- p:pcap_open_live() 返回的 pcap_t 类型的指针 fp:存放编译后的 bpf,应用过滤规则时需要用到这个指针 buf:过滤条件 optimize:是否需要优化过滤表达式 mask:指定本地网络的网络掩码,不需要时可写 0 -------------------------------------------------------*/4 应用 BPF 过滤规则,让bpf规则生效
int pcap_setfilter( pcap_t * p, struct bpf_program * fp ); / * ------------------------------------- p:pcap_open_live() 返回的 pcap_t 类型的指针 fp:pcap_compile() 的第二个参数 -------------------------------------------------------*/5 循环捕获网络数据包
int pcap_loop(pcap_t *, int, pcap_handler, u_char *); / * ------------------------------------- p:pcap_open_live()返回的 pcap_t 类型的指针。 cnt:指定捕获数据包的个数,一旦抓到了 cnt 个数据包,pcap_loop 立即返回。如果是 -1,就会永无休止的捕获,直到出现错误。 callback:回调函数,名字任意,根据需要自行起名。 user:向回调函数中传递的参数。 callback 回调函数的定义:void callback(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) userarg:pcap_loop() 的最后一个参数,当收到足够数量的包后 pcap_loop 会调用callback 回调函数,同时将pcap_loop()的user参数传递给它 pkthdr:是收到数据包的 pcap_pkthdr 类型的指针,和 pcap_next() 第二个参数是一样的。 packet :收到的数据包数据 -------------------------------------------------------*/6 释放网络接口
void pcap_close(pcap_t *p);libpcap 用到最多的6个接口,还有一个查找网络接口设备名
char *pcap_lookupdev(char *errbuf); 你要是自己知道要抓的那个网口,就可以直接指定即可。
libpcap主要有两个重要的功能 (抓包 ,过滤)- 首先网络设备驱动程序会收集数据,会复制一份给内核BPF过滤器
- 但是应用层大多数只关心自己想要的数据。因此应用层每个抓包模块,都会有自己想过滤的数据包,最终符合过滤规则的就把数据传给应用层。
看图可以简单理解下,这里不深入内核底层的交互,中篇会再细说。回归正题,接下来看代码集成libpcap抓包使用。static void ethernet_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { // 程序对抓到包的处理 return; } static void * sniffer_thread_callback(void *param) { pthread_detach(pthread_self()); printf("sniffer_thread_callback enter\n"); int nDev =-(TYPE32)param; char errbuf[PCAP_ERRBUF_SIZE]; pcap_t *handle; //bug modify flag jl char *filter_exp = "not broadcast and not arp"; struct bpf_program fp; bpf_u_int32 mask = 0; bpf_u_int32 net = 0; handle = pcap_open_live(option_struct.dev_interface[nDev], 65535, 1, 0, errbuf); if (handle == NULL) { fprintf(stderr, "couldn't open device %s: %s\n", option_struct.dev_interface[nDev], errbuf); pthread_exit(NULL); return NULL; } pcap_lookupnet(option_struct.dev_interface[nDev], &net, &mask, errbuf); if (pcap_datalink(handle) != DLT_EN10MB) { fprintf(stderr, "couldn't pcap_datalink %s\n", pcap_geterr(handle)); pcap_close(handle); pthread_exit(NULL); return NULL; } if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) { fprintf(stderr, "couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle)); pcap_freecode(&fp); pcap_close(handle); pthread_exit(NULL); return NULL; } if (pcap_setfilter(handle, &fp) == -1) { fprintf(stderr, "couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle)); pcap_freecode(&fp); pcap_close(handle); pthread_exit(NULL); return NULL; } if (pcap_loop(handle, -1, ethernet_packet, (u_char *)&nDev) == -1) { fprintf(stderr, "couldn't pacp loop %s: %s\n", filter_exp, pcap_geterr(handle)); } pcap_freecode(&fp); pcap_close(handle); pthread_exit(NULL); return NULL; }这些接口上面基本都介绍过,大概就是打开捕获网络数据的接口,先获取网卡对应ip 子网掩码,用于创建规则bpf ,然后生效bpf规则,最后开始循环抓包数据。而怎么处理包的流程由ethernet_packet 回调函数内实现。
三 libpcap 源码理解
这里主要分析 pcap_open_live() , pcap_compile(),pcap_setfilter() ,pcap_loop四个接口函数
看函数前先介绍个重要的结构体 pcap_ttypedef struct pcap pcap_t; struct pcap { read_op_t read_op; //回调函数,用户获取数据包 Method to call to read packets on a live capture. next_packet_op_t next_packet_op; /* * Method to call to read the next packet from a savefile. 从文件里读取报文的函数指针*/ int fd; u_int bufsize; // Read buffer. 获取数据包大小 void *buffer; // Read buffer. 获取数据包缓存 u_char *bp; int cc; sig_atomic_t break_loop; /* flag set to force break from packet-reading loop */ void *priv; /* private data for methods 指针指向私有的方法结构体 */ int swapped; FILE *rfile; /* null if live capture, non-null if savefile 当是是解析pcap文件的数据时,不为空*/ u_int fddipad; struct pcap *next; /* list of open pcaps that need stuff cleared on close */ int snapshot; /* 抓取一个数据报的最大长度 */ int linktype; /* Network linktype */ int linktype_ext; /* Extended information stored in the linktype field of a file */ int offset; /* offset for proper alignment */ int activated; /* true if the capture is really started 表示抓包功能已经激活*/ int oldstyle; /* if we're opening with pcap_open_live() */ struct pcap_opt opt; pcap_direction_t direction; /* We're accepting only packets in this direction/these directions. */ int bpf_codegen_flags; /* Flags to affect BPF code generation. */ struct bpf_program fcode; struct pcap_pkthdr pcap_header; /* This is needed for the pcap_next_ex() to work */ /* * More methods. */ activate_op_t activate_op; //激活函数,激活函数在得到调用后,会建立起与底层IPC的socket . . . }1. pcap_open_live 接口函数源码
pcap_t * pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf) { pcap_t *p; int status; p = pcap_create(device, errbuf); if (p == NULL) return (NULL); status = pcap_set_snaplen(p, snaplen); // 设置包的最大长度 if (status < 0) goto fail; status = pcap_set_promisc(p, promisc); //设置混杂模式 if (status < 0) goto fail; status = pcap_set_timeout(p, to_ms); // 设置超时时间 p->oldstyle = 1; status = pcap_activate(p); if (status < 0) goto fail; return (p); }pcap_create 里会调用 pcap_create_interface() 函数 ,而不同的操作系统环境会调用不同的pcap_create_interface函数。(可由编译宏来指定特定的pcap_create_interface来初始化read_op等函数指针。linux环境里默认是libpcap/pcap-linux.c中的 pcap_create_interface())
pcap_t * pcap_create_interface(const char *device, char *ebuf) { pcap_t *handle; handle = pcap_create_common(ebuf, sizeof (struct pcap_linux)); // 初始化一个pcap_t 结构体 if (handle == NULL) return NULL; //为pcap_t 的激活函数指针填充具体实现函数 handle->activate_op = pcap_activate_linux; handle->can_set_rfmon_op = pcap_can_set_rfmon_linux; return handle; }调用status = pcap_activate( p ),该函数执行status = p->activate_op( p ) ,
进而调用 pcap_activate_linux(), 完成read_op等重要函数指针的具体赋值。static int pcap_activate_linux(pcap_t *handle) { struct pcap_linux *handlep = handle->priv; const char *device; int is_any_device; struct ifreq ifr; int status = 0; int ret; device = handle->opt.device; handle->inject_op = pcap_inject_linux; handle->setfilter_op = pcap_setfilter_linux; // 设置过滤规则 handle->setdirection_op = pcap_setdirection_linux; handle->set_datalink_op = pcap_set_datalink_linux; handle->getnonblock_op = pcap_getnonblock_fd; handle->setnonblock_op = pcap_setnonblock_fd; handle->cleanup_op = pcap_cleanup_linux; handle->read_op = pcap_read_linux; // 捕获包会调用这个接口 handle->stats_op = pcap_stats_linux; ... ret = activate_new(handle, is_any_device); if (ret < 0) { if (ret != PCAP_ERROR_NO_PF_PACKET_SOCKETS) { return ret; } ret = activate_old(handle, is_any_device); if (ret != 0) { status = ret; goto fail; } } ... handle->selectable_fd = handle->fd; return status; }目前的liunx 系统用的协议簇 PF_PACKET 来获取所有到网口的包 ,而liunx 老的版本有一个特殊的套接字类型SOCK_PACKET 来实现这一特性的。所以为了兼容老版本,会看到activate_new 失败后 会调用一下activate_old 。正常情况下,我们分析activate_new的即可。
static int activate_new(pcap_t *handle, int is_any_device) { struct pcap_linux *handlep = handle->priv; const char *device = handle->opt.device; int status = 0; int sock_fd, arptype; sock_fd = open_pf_packet_socket(handle, is_any_device); if (sock_fd < 0) { return sock_fd; } handlep->sock_packet = 0; . . . if (handlep->cooked) { if (handle->snapshot < SLL_HDR_LEN + 1) handle->snapshot = SLL_HDR_LEN + 1; } handle->bufsize = handle->snapshot; //根据以太网链路层类型决定VLAN Tag在报文中的偏移值 switch (handle->linktype) { case DLT_EN10MB: handlep->vlan_offset = 2 * ETH_ALEN; break; case DLT_LINUX_SLL: handlep->vlan_offset = 14; break; default: handlep->vlan_offset = -1; /* unknown */ break; } ...其中 open_pf_packet_socket 函数是关键,里面创建了socket 和底层通讯,也是通过创建的socket来实现抓包。
static int open_pf_packet_socket(pcap_t *handle, int cooked) { int protocol = pcap_protocol(handle); int sock_fd, ret; /* * Open a socket with protocol family packet. If cooked is true, * we open a SOCK_DGRAM socket for the cooked interface, otherwise * we open a SOCK_RAW socket for the raw interface. */ sock_fd = cooked ? socket(PF_PACKET, SOCK_DGRAM, protocol) : socket(PF_PACKET, SOCK_RAW, protocol); return sock_fd; }该函数根据cooked 的值,调用socket(PF_PACKET, SOCK_DGRAM, protocol) :还是
socket(PF_PACKET, SOCK_RAW, protocol);
这两个创建的socket 函数有啥区别呢?- socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL))
当指定SOCK_DGRAM时,获取的数据包是去掉了数据链路层的头(link-layer header) - socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
当指定SOCK_RAW时,获取的数据包是一个完整的数据链路层数据包
发现libpcap 库是在抓any 网口的包时,cooked 值为true.
至此pcap_open_live 函数 完成了捕获数据的网络接口的准备 ,把pcap_t 结构体返回了出去。
2 pcap_compile 函数分析
若是想分析pcap_compile 你必须对bpf规则有一定的了解,该函数的主要工作就是创建一个bpf的结构体。后面pcap_setfilter 会把生产的规则设置到内核,让规则生效。该函数不打算深入分析。这里稍微提下bpf规则。你理解了这部分,你再去看代码应该会事半功倍。
tcpdump -d 会把匹配信息包(也就是规则)以人们能够理解的汇编格式给出
[root@wus ~]# tcpdump host 10.68.22.189 -d (000) ldh [12] (001) jeq #0x800 jt 2 jf 6 (002) ld [26] (003) jeq #0xa4416bd jt 12 jf 4 (004) ld [30] (005) jeq #0xa4416bd jt 12 jf 13 (006) jeq #0x806 jt 8 jf 7 (007) jeq #0x8035 jt 8 jf 13 (008) ld [28] (009) jeq #0xa4416bd jt 12 jf 10 (010) ld [38] (011) jeq #0xa4416bd jt 12 jf 13 (012) ret #65535 (013) ret #0分析 上面汇编指令含义
- 第一行 (000) 表示你收到一个数据包,从第12个字节开始分析,而数据包要是从链路层开始,前12个字节表示mac,从12个字节后,刚好对应2字节的链路层协议类型
- 第二行(001) 表示链路层类型为 0x800 的 就执行jt 2 (跳到002指令执行)否则要是不等于0x800 就执行 jf 6(跳到006指令执行 ) (备注一般链路层协议都是0x800 Internet Protocol packet)
- 第三行(002) 表示从包的第26个字节开始
- 第四行(003) #0xa4416bd 其实就是 10.68.22.189 这个ip地址 表示源地址。而你对ip/tcp 协议比较清楚的话,链路层14个字节,ip层要是没有扩展字节的情况下20个字节,源地址ip就是在26个字节后四个字节。
。。。后面就按照上面的分析即可。
上面的规则对应代码结构体其实就是
struct sock_filter { /* Filter block */ __u16 code; /* Actual filter code */ __u8 jt; /* Jump true */ __u8 jf; /* Jump false */ __u32 k; /* Generic multiuse field */ };其中code元素是一个16位宽的操作码,具有特定的指令编码。jt和jf是两个8位宽的跳转目标,一个用于条件“跳转如果真”,另一个“跳转如果假”。最后k元素包含一个可以用不同方式解析的杂项参数,依赖于code给定的指令。
3 pcap_setfilter 函数分析
pcap_setfilter 函数其实就是调用的 pcap_open_live 函数里激活函数设置的 pcap_setfilter_linux ,而pcap_setfilter_linux 函数 里面调用了pcap_setfilter_linux_common 函数
static int pcap_setfilter_linux_common(pcap_t *handle, struct bpf_program *filter, int is_mmapped) { struct pcap_linux *handlep; #ifdef SO_ATTACH_FILTER struct sock_fprog fcode; int can_filter_in_kernel; int err = 0; #endif if (!handle) return -1; if (!filter) { pcap_strlcpy(handle->errbuf, "setfilter: No filter specified", PCAP_ERRBUF_SIZE); return -1; } handlep = handle->priv; if (install_bpf_program(handle, filter) < 0) // 该函数主要将libpcap bpf规则结构体,转换成符合liunx内核的 bpf规则,同时校验规则是否符合要求格式。 /* install_bpf_program() filled in errbuf */ return -1; ... if (can_filter_in_kernel) { if ((err = set_kernel_filter(handle, &fcode)) == 0) // 关键函数 { handlep->filter_in_userland = 0; } } ... return 0;主要看set_kernel_filter 关键函数
static int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) { int total_filter_on = 0; int save_mode; int ret; int save_errno; ... ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, fcode, sizeof(*fcode)); if (ret == -1 && total_filter_on) { save_errno = errno; if (reset_kernel_filter(handle) == -1) { pcap_fmt_errmsg_for_errno(handle->errbuf, PCAP_ERRBUF_SIZE, errno, "can't remove kernel total filter"); return -2; /* fatal error */ } errno = save_errno; } return ret; }最终其实是调用了 setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,fcode, sizeof(*fcode));函数将规则 通过SO_ATTACH_FILTER 下发给内核底层,从而让规则生效。
4 pcap_loop 函数分析
规则设置好了,socket 其实也已经创建了,最后一部其实就是抓包了。而怎么抓包了,其实就是recvfrom 设置好的socket
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) { register int n; for (;;) { if (p->rfile != NULL) { n = pcap_offline_read(p, cnt, callback, user); } else { do { n = p->read_op(p, cnt, callback, user); } while (n == 0); } if (n <= 0) return (n); if (!PACKET_COUNT_IS_UNLIMITED(cnt)) { cnt -= n; if (cnt <= 0) return (0); } } }可以看到调用了回调函数 p->read_op(p, cnt, callback, user); 而回调函数就是在pcap_open_live 设置的 pcap_read_linux 函数,该函数里面调用了pcap_read_packet 函数。
static int pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) { struct pcap_linux *handlep = handle->priv; u_char *bp; int offset; #ifdef HAVE_PF_PACKET_SOCKETS struct sockaddr_ll from; #else struct sockaddr from; #endif ssize_t packet_len; int caplen; struct pcap_pkthdr pcap_header; if (handlep->cooked) { if (handle->linktype == DLT_LINUX_SLL2) offset = SLL2_HDR_LEN; else offset = SLL_HDR_LEN; } else offset = 0; bp = (u_char *)handle->buffer + handle->offset; do { if (handle->break_loop) { // 当 pcap_breakloop() 调用时会跳出循环 handle->break_loop = 0; return PCAP_ERROR_BREAK; } fromlen = sizeof(from); packet_len = recvfrom(handle->fd, bp + offset, handle->bufsize - offset, MSG_TRUNC, (struct sockaddr *) &from, &fromlen); // 就是通过该抓包 } while (packet_len == -1 && errno == EINTR); ... if (!handlep->sock_packet) { if (handlep->ifindex != -1 && from.sll_ifindex != handlep->ifindex) return 0; if (!linux_check_direction(handle, &from)) // 根据方向会过滤数据 return 0; } pcap_header.caplen = caplen; pcap_header.len = (bpf_u_int32)packet_len; handlep->packets_read++; /* Call the user supplied callback function */ callback(userdata, &pcap_header, bp); // 调用回到函数 return 1;每次抓到一个完整包都会调用一次回调函数,同时linux_check_direction 函数 会根据方向丢弃不需要的包,而这里面还有个重要的性质,就是抓的lo口,你要是抓包能抓到两条相同的数据包,因此linux_check_direction 对于lo口的包还做了相关处理。
static inline int linux_check_direction(const pcap_t *handle, const struct sockaddr_ll *sll) { struct pcap_linux *handlep = handle->priv; /*Outgoing packet. If this is from the loopback device, reject it;we'll see the packet as an incoming packet as well,*/ if (sll->sll_pkttype == PACKET_OUTGOING) { if (sll->sll_ifindex == handlep->lo_ifindex) return 0; if ((sll->sll_protocol == LINUX_SLL_P_CAN || sll->sll_protocol == LINUX_SLL_P_CANFD) &&handle->direction != PCAP_D_OUT) return 0; if (handle->direction == PCAP_D_IN) return 0; } else { if (handle->direction == PCAP_D_OUT) return 0; } return 1; }四 总结
对libpcap库关键函数分析下来,它是如何实现最终抓包的呢?其实是它函数内部调用几个真正跟内核交互的几个函数。
- pcap_open_live 函数调用了 sock_fd = cooked ?socket(PF_PACKET, SOCK_DGRAM, protocol) :socket(PF_PACKET, SOCK_RAW, protocol); 来创建一个socket套接字
- pcap_setfilter 函数调用了 setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, fcode, sizeof(*fcode)); 将规则设置到内核,从而内核可以根据该应用层设置的规则,过来数据
- pcap_loop 函数本质就是根据创建的socket循环接收数据包 packet_len = recvfrom(handle->fd, bp + offset,handle->bufsize - offset, MSG_TRUNC,(struct sockaddr *) &from, &fromlen);
注意点:
- 创建socket 是SOCK_DGRAM 还是SOCK_RAW,你会发现libpcap处理方式是不一样的,还会根据不同协议,偏移量来处理包。这个后续要是处理到对应协议,可以再参考libpcap 。
- lo口的包是能抓到两次的,libpcap库是做了处理的,当是PACKET_OUTGOING 的数据包直接就丢弃了。
最后本篇其实只分析了用户层做了哪些处理,通过哪些函数跟内核层交互的。其实真正的原理还是在内核,内核层收到用户层如何处理的才是关键,中篇会继续深入分析。。。。。。未完待续
-
libpcap源码分析_PACKET_MMAP机制
2018-09-11 16:30:34下面就从libpcap中的activate_mmap函数为线索,展开对PACKET_MMAP使用方法的分析。 /* 尝试对指定pcap句柄开启PACKET_MMAP功能 * @返回值 1表示成功开启;0表示系统不支持PACKET_MMAP功能;-1表示出错 */...展开全文使用PACKET_MMAP机制的原因:
不开启PACKET_MMAP时的捕获过程是非常低效的,它使用非常受限的缓冲区,并且每捕获一个报文就需要一次系统调用,
如果还想获取这个报文的时间戳,就需要再执行一次系统调用.
而启用PACKET_MMAP的捕获过程就是非常高效的,它提供了一个映射到用户空间的长度可配的环形缓冲区,这个缓冲区可以用于收发报文.
用这种方式接收报文时,只需要等待报文到来即可,大部分情况下都不需要发出一个系统调用;
用这种方式发送报文时,多个报文只需要一个系统调用就可以以最高带宽发送出去.
另外,用户空间和内核使用共享缓存的方式可以减少报文的拷贝。下面就从libpcap中的activate_mmap函数为线索,展开对PACKET_MMAP使用方法的分析。
/* 尝试对指定pcap句柄开启PACKET_MMAP功能 * @返回值 1表示成功开启;0表示系统不支持PACKET_MMAP功能;-1表示出错 */ int activate_mmap(pcap_t *handle, int *status) { // 获取该pcap句柄的私有空间 struct pcap_linux *handlep = handle->priv; // 分配一块缓存用于oneshot的情况,缓存大小为该pcap句柄支持捕获的最大包长 handlep->oneshot_buffer = malloc(handle->snapshot); // 设置普通缓冲区的默认长度为2M,这里将尝试作为PACKET_MMAP的环形缓冲区使用 if (handle->opt.buffer_size == 0) handle->opt.buffer_size = 2*1024*1024; // 为该捕获套接字设置合适的环形缓冲区版本,优先考虑设置TPACKET_V3 prepare_tpacket_socket(handle); // 创建环形缓冲区,并将其映射到用户空间 create_ring(handle, status); // 根据环形缓冲区版本注册linux上PACKET_MMAP读操作回调函数 switch (handlep->tp_version) { case TPACKET_V1: handle->read_op = pcap_read_linux_mmap_v1; break; case TPACKET_V1_64: handle->read_op = pcap_read_linux_mmap_v1_64; break; case TPACKET_V2: handle->read_op = pcap_read_linux_mmap_v2; break; case TPACKET_V3: handle->read_op = pcap_read_linux_mmap_v3; break; } // 最后注册一系列linux上PACKET_MMAP相关回调函数 handle->cleanup_op = pcap_cleanup_linux_mmap; handle->setfilter_op = pcap_setfilter_linux_mmap; handle->setnonblock_op = pcap_setnonblock_mmap; handle->getnonblock_op = pcap_getnonblock_mmap; handle->oneshot_callback = pcap_oneshot_mmap; handle->selectable_fd = handle->fd; return 1; } int prepare_tpacket_socket(pcap_t *handle) { // 获取该pcap句柄的私有空间 struct pcap_linux *handlep = handle->priv; int ret; /* 只有该pcap句柄没有使能immediate标识的前提下,才会首先尝试将环形缓冲区版本设置为TPACKET_V3 * 这是因为实现决定了TPACKET_V3模式下报文可能无法被实时传递给用户 */ if (!handle->opt.immediate) { ret = init_tpacket(handle, TPACKET_V3, "TPACKET_V3"); if (ret == 0) // 成功开启TPACKET_V3模式 return 1; else if (ret == -1) // 开启TPACKET_V3模式失败且并非是kernel不支持的原因 return -1; } // 在kernel不支持TPACKET_V3模式的情况下,则尝试开启TPACKET_V2模式 ret = init_tpacket(handle, TPACKET_V2, "TPACKET_V2"); if (ret == 0) // 成功开启TPACKET_V2模式 return 1; else if (ret == -1) // 开启TPACKET_V2模式失败且并非是kernel不支持的原因 return -1; /* 在kernel不支持TPACKET_V3、TPACKET_V2模式的情况下,则最后临时假设为TPACKET_V1模式 * 因为只要内核支持PACKET_MMAP机制,就必然支持TPACKET_V1模式 */ handlep->tp_version = TPACKET_V1; handlep->tp_hdrlen = sizeof(struct tpacket_hdr); return 1; } int init_tpacket(pcap_t *handle, int version, const char *version_str) { // 获取该pcap句柄的私有空间 struct pcap_linux *handlep = handle->priv; int val = version; socklen_t len = sizeof(val); // 首先尝试获取该版本环形缓冲区中帧头长,这也是一种探测内核是否支持该版本的环形缓冲区的方式 if (getsockopt(handle->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) { // 返回这两种错误号都表示kernel不支持 if (errno == ENOPROTOOPT || errno == EINVAL) return 1; return -1; } handlep->tp_hdrlen = val; // 如果内核支持,则将该pcap句柄关联的接字设置一个该版本的环形缓冲区 val = version; setsockopt(handle->fd, SOL_PACKET, PACKET_VERSION, &val,sizeof(val)); handlep->tp_version = version; // 设置环形缓冲区中每个帧VLAN_TAG_LEN长度的保留空间,用于VLAN tag重组 val = VLAN_TAG_LEN; setsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE, &val,sizeof(val)); return 0; } int create_ring(pcap_t *handle, int *status) { // 获取该pcap句柄的私有空间 struct pcap_linux *handlep = handle->priv; struct tpacket_req3 req; socklen_t len; unsigned int sk_type,tp_reserve, maclen, tp_hdrlen, netoff, macoff; unsigned int frame_size; // 根据配置的版本创建对应的接收环形缓冲区 switch (handlep->tp_version) { case TPACKET_V1: case TPACKET_V2: /* V1、V2版本需要设置一个合适的环形缓冲区帧长,缺省同步自snapshot, * 但是因为snapshot可能设置了一个极大的值,这会导致一个环形缓冲区放不下几个帧,并且存在大量空间的浪费, * 所以接下来会尝试进一步调整为一个合理的帧长值 */ frame_size = handle->snapshot; // 针对以太网接口调整环形缓冲区帧长 if (handle->linktype == DLT_EN10MB) { int mtu; int offload; // 检查该接口是否支持offload机制 offload = iface_get_offload(handle); // 对于不支持offload机制的接口,可以使用该接口的MTU值来进一步调整环形缓冲区的帧长 if (!offload) { mtu = iface_get_mtu(handle->fd, handle->opt.device,handle->errbuf); if (frame_size > (unsigned int)mtu + 18) frame_size = (unsigned int)mtu + 18; } } // 获取套接字类型 len = sizeof(sk_type); getsockopt(handle->fd, SOL_SOCKET, SO_TYPE, &sk_type,&len); /* 获取环形缓冲区中每个帧的保留空间长度 * 备注:对于V3/V2模式的环形缓冲区,之前是有设置过VLAN_TAG_LEN字节的保留空间,而V1模式则没有设置过 */ len = sizeof(tp_reserve); if (getsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE,&tp_reserve, &len) < 0) { if (errno != ENOPROTOOPT) return -1; tp_reserve = 0; } // 以下一系列计算的最终目的是得到一个合适帧长值 maclen = (sk_type == SOCK_DGRAM) ? 0 : MAX_LINKHEADER_SIZE; tp_hdrlen = TPACKET_ALIGN(handlep->tp_hdrlen) + sizeof(struct sockaddr_ll) ; netoff = TPACKET_ALIGN(tp_hdrlen + (maclen < 16 ? 16 : maclen)) + tp_reserve; macoff = netoff - maclen; req.tp_frame_size = TPACKET_ALIGN(macoff + frame_size); // 最终通过一系列计算才得到合适的帧长值 req.tp_frame_nr = handle->opt.buffer_size/req.tp_frame_size;// 得到帧长值之后,就可以进一步计算得到环形接收缓冲区可以存放的帧总数 break; case TPACKET_V3: // 区别于V1/V2,V3的帧长可变,只需要设置一个帧长上限值即可 req.tp_frame_size = MAXIMUM_SNAPLEN; req.tp_frame_nr = handle->opt.buffer_size/req.tp_frame_size; break; } /* 计算V1/V2/V3的内存块长度,内存块长度只能取PAGE_SIZE * 2^n,并且要确保至少放下1个帧 * 备注:由于V3模式设置帧长上限MAXIMUM_SNAPLEN必然大于PAGE_SIZE,所以可知V3模式下1个内存块中只会有1个帧 */ req.tp_block_size = getpagesize(); while (req.tp_block_size < req.tp_frame_size) req.tp_block_size <<= 1; frames_per_block = req.tp_block_size/req.tp_frame_size; retry: // 计算内存块数量和帧总数,这里显然再次对帧总数进行调整,最终确保帧总数是内存块总数的整数倍 req.tp_block_nr = req.tp_frame_nr / frames_per_block; req.tp_frame_nr = req.tp_block_nr * frames_per_block; // 设置每个内存块的寿命 req.tp_retire_blk_tov = (handlep->timeout>=0)?handlep->timeout:0; // 每个内存块不设私有空间 req.tp_sizeof_priv = 0; // 清空环形缓冲区的标志集合 req.tp_feature_req_word = 0; // 创建接收环形缓冲区 if (setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING,(void *) &req, sizeof(req))) { // 如果失败原因是内存不足,则减少帧总数然后再次进行创建 if ((errno == ENOMEM) && (req.tp_block_nr > 1)) { if (req.tp_frame_nr < 20) req.tp_frame_nr -= 1; else req.tp_frame_nr -= req.tp_frame_nr/20; goto retry; } // 如果kernel不支持PACKET_MMAP则直接返回 if (errno == ENOPROTOOPT) return 0; } // 程序运行到这里意味着接收环形缓冲区创建成功 // 接着就是将新创建的接收环形缓冲区映射到用户空间 handlep->mmapbuflen = req.tp_block_nr * req.tp_block_size; handlep->mmapbuf = mmap(0, handlep->mmapbuflen,PROT_READ|PROT_WRITE, MAP_SHARED, handle->fd, 0); // 最后还需要创建一个pcap内部用于管理接收环形缓冲区每个帧头/块头的数组 handle->cc = req.tp_frame_nr; handle->buffer = malloc(handle->cc * sizeof(union thdr *)); // 将接收环形缓冲区中每个帧头地址记录到管理数组buffer中 handle->offset = 0; for (i=0; i<req.tp_block_nr; ++i) { void *base = &handlep->mmapbuf[i*req.tp_block_size]; for (j=0; j<frames_per_block; ++j, ++handle->offset) { RING_GET_CURRENT_FRAME(handle) = base; base += req.tp_frame_size; } } handle->bufsize = req.tp_frame_size; // 开启PACKET_MMAP情况下,offset字段其实只在每次执行捕获期间有意义 handle->offset = 0; return 1; }小结: 至此已经成功开启PACKET_MMAP功能,显然其中的核心部分在于环形缓冲区的配置,
接下来将以pcap_read_linux_mmap_v3为线索分析如何在开启PACKET_MMAP的情况下进行捕获int pcap_read_linux_mmap_v3(pcap_t *handle, int max_packets, pcap_handler callback,u_char *user) { // 获取该pcap句柄的私有空间 struct pcap_linux *handlep = handle->priv; int pkts = 0; // 记录了成功捕获的报文数量 union thdr h; again: // 等待接收环形缓冲区中有内存块提交给用户空间 if (handlep->current_packet == NULL) { h.raw = RING_GET_CURRENT_FRAME(handle); // 如果当前等待读取的内存块中没有报文,则在这里进行等待 if (h.h3->hdr.bh1.block_status == TP_STATUS_KERNEL) { pcap_wait_for_frames_mmap(handle); } } /* 再次检查接收环形缓冲区中是否有内存块提交给用户空间,如果没有,通常就会结束捕获操作; * 除非该pcap句柄设置的是收到至少1个报文捕获操作才会结束 */ h.raw = RING_GET_CURRENT_FRAME(handle); if (h.h3->hdr.bh1.block_status == TP_STATUS_KERNEL) { if (pkts == 0 && handlep->timeout == 0) goto again; return pkts; } // 程序运行到这里意味着当前等待读取的内存块中有报文可读 /* 循环捕获并处理数据包,具体的流程就是依次遍历每个内存块以及其中的每个帧,进行读取, * 直到达到设置的捕获数量或者接收环形缓存区没有报文可读 */ while ((pkts < max_packets) || PACKET_COUNT_IS_UNLIMITED(max_packets)) { int packets_to_read; // 每次读取一个新的内存块前都需要刷新current_packet和packets_left if (handlep->current_packet == NULL) { // 如果当前等待读取的内存块中没有报文,则退出捕获 h.raw = RING_GET_CURRENT_FRAME(handle); if (h.h3->hdr.bh1.block_status == TP_STATUS_KERNEL) break; handlep->current_packet = h.raw + h.h3->hdr.bh1.offset_to_first_pkt; handlep->packets_left = h.h3->hdr.bh1.num_pkts; } /* 在一个内存块中要读取的报文数量不仅受到该内存块中能被读取的报文数量的限制, * 还收到本次捕获操作设置的捕获数量的限制 */ packets_to_read = handlep->packets_left; if (!PACKET_COUNT_IS_UNLIMITED(max_packets) && packets_to_read > (max_packets - pkts)) packets_to_read = max_packets - pkts; /* 从一个内存块中循环捕获packets_to_read数量的帧,直到满足以下任一条件才退出: * 超过了要读取的包数量; * 强制退出 */ while (packets_to_read-- && !handle->break_loop) { // 获取接收环形缓冲区中每个帧的头部结构 struct tpacket3_hdr* tp3_hdr = (struct tpacket3_hdr*) handlep->current_packet; // 尝试捕获环形缓冲区中每个帧 ret = pcap_handle_packet_mmap( handle, callback, user, handldp->current_packet, tp3_hdr->tp_len, tp3_hdr->tp_mac, tp3_hdr->tp_snaplen, tp3_hdr->tp_sec, handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO ? tp3_hdr->tp_nsec : tp3_hdr->tp_nsec / 1000, (tp3_hdr->hv1.tp_vlan_tci || (tp3_hdr->tp_status & TP_STATUS_VLAN_VALID)), tp3_hdr->hv1.tp_vlan_tci, VLAN_TPID(tp3_hdr, &tp3_hdr->hv1)); if (ret == 1) { // 这种情况意味着成功捕获到一帧 pkts++; handlep->packets_read++; } else if (ret < 0) { // 这种情况意味着捕获该帧的过程中出现错误 handlep->current_packet = NULL; return ret; } // 准备读取该内存块中的下一帧 handlep->current_packet += tp3_hdr->tp_next_offset; handlep->packets_left--; } // 当一个内存块中的帧都被读取之后,需要把该内存块还给内核 if (handlep->packets_left <= 0) { h.h3->hdr.bh1.block_status = TP_STATUS_KERNEL; // 准备读取下一个内存块 if (++handle->offset >= handle->cc) handle->offset = 0; handlep->current_packet = NULL; } // 每次读完一个内存块后都会检查是否要求强制退出 if (handle->break_loop) { handle->break_loop = 0; return PCAP_ERROR_BREAK; } } // 如果该pcap句柄设置的超时为0,则会一直等待下去直到收到报文为止 if (pkts == 0 && handlep->timeout == 0) goto again; return pkts; } int pcap_handle_packet_mmap(...) { struct sockaddr_ll *sll; unsigned char *bp; struct pcap_pkthdr pcaphdr; // 确保帧长不超过阈值 if (tp_mac + tp_snaplen > handle->bufsize) return -1; bp = frame + tp_mac; sll = (void *)frame + TPACKET_ALIGN(handlep->tp_hdrlen); // 如果工作在加工模式,这在这里构建对应的伪头 if (handlep->cooked) { // 略 } // 如果该pcap句柄开启了用户级别过滤,就在这里进行过滤 if (handlep->filter_in_userland && handle->fcode.bf_insns) { // 略 } // 拒绝方向不匹配的包 if (!linux_check_direction(handle, sll)) return 0; // 记录包的基础信息 pcaphdr.ts.tv_sec = tp_sec; pcaphdr.ts.tv_usec = tp_usec; pcaphdr.caplen = tp_snaplen; pcaphdr.len = tp_len; // 如果工作在加工模式,两个长度字段还要加上伪头长 if (handlep->cooked) { pcaphdr.caplen += SLL_HDR_LEN; pcaphdr.len += SLL_HDR_LEN; } // 只有TPACKET_V2和TPACKET_V3才支持携带vlan信息,这里就是对vlan帧进行了复原 if (tp_vlan_tci_valid && handlep->vlan_offset != -1 && tp_snaplen >= (unsigned int) handlep->vlan_offset) { struct vlan_tag *tag; bp -= VLAN_TAG_LEN; memmove(bp, bp + VLAN_TAG_LEN, handlep->vlan_offset); tag = (struct vlan_tag *)(bp + handlep->vlan_offset); tag->vlan_tpid = htons(tp_vlan_tpid); tag->vlan_tci = htons(tp_vlan_tci); pcaphdr.caplen += VLAN_TAG_LEN; pcaphdr.len += VLAN_TAG_LEN; } // 如果用户空间收到了超出阈值长度的包,则截断 if (pcaphdr.caplen > (bpf_u_int32)handle->snapshot) pcaphdr.caplen = handle->snapshot; // 最后调用用户注册的捕获回调函数 callback(user, &pcaphdr, bp); return 1; }小结: 至此,基于TPACKET_V3模式的PACKET_MMAP机制已经分析完毕,至于libpcap中关于TPACKET_V1、TPACKET_V3模式的捕获流程不再做分析.
这里仅仅列出了V1、V2、V3这三种模式的差别:
TPACKET_V1 : 这是缺省的环形缓冲区版本
TPACKET_V2 : 相比V1的改进有以下几点
32位的用户空间环形缓冲区可以基于64位内核工作;
时间戳的精度从ms提升到ns;
支持携带VLAN信息(这意味着通过V1接收到的vlan包将会丢失vlan信息);
TPACKET_V3 : 相比V2的改进有以下几点
内存块可以配置成可变帧长(V1、V2的帧长都是tpacket_req.tp_frame_size固定值);
read/poll基于block-level(V1、V2基于packet_level);
开始支持poll超时参数;
新增了用户可配置选项:tp_retire_blk_tov等;
RX Hash数据可以被用户使用;
备注: 需要注意的是,V3当前只支持接收环形缓冲区.相关数据结构:
/* 创建TPACKET_V3环形缓冲区时对应的配置参数结构 * 备注: tpacket_req3结构是tpacket_req结构的超集,实际可以统一使用本结构去设置所有版本的环形缓冲区,V1/V2版本会自动忽略多余的字段 */ struct tpacket_req3 { unsigned int tp_block_size; // 每个连续内存块的最小尺寸(必须是 PAGE_SIZE * 2^n ) unsigned int tp_block_nr; // 内存块数量 unsigned int tp_frame_size; // 每个帧的大小(虽然V3中的帧长是可变的,但创建时还是会传入一个最大的允许值) unsigned int tp_frame_nr; // 帧的总个数(必须等于 每个内存块中的帧数量*内存块数量) unsigned int tp_retire_blk_tov; // 内存块的寿命(ms),超时后即使内存块没有被数据填入也会被内核停用,0意味着不设超时 unsigned int tp_sizeof_priv; // 每个内存块中私有空间大小,0意味着不设私有空间 unsigned int tp_feature_req_word;// 标志位集合(目前就支持1个标志 TP_FT_REQ_FILL_RXHASH) } // 开启PACKET_MMAP时libpcap对V1、V2、V3版本环形缓冲区的统一管理结构 union thdr { struct tpacket_hdr *h1; struct tpacket2_hdr *h2; struct tpacket_block_desc *h3; void *raw; } // TPACKET_V3环形缓冲区每个帧的头部结构 struct tpacket3_hdr { __u32 tp_next_offset; // 指向同一个内存块中的下一个帧 __u32 tp_sec; // 时间戳(s) __u32 tp_nsec; // 时间戳(ns) __u32 tp_snaplen; // 捕获到的帧实际长度 __u32 tp_len; // 帧的理论长度 __u32 tp_status; // 帧的状态 __u16 tp_mac; // 以太网MAC字段距离帧头的偏移量 __u16 tp_net; union { struct tpacket_hdr_variant1 hv1; // 包含vlan信息的子结构 }; __u8 tp_padding[8]; }
-
libpcap源码分析_从pcap_open_live说起
2018-09-06 21:16:54libpcap是跨平台网络数据包捕获函数库,本文将基于Linux平台对其源码以及核心原理进行深入分析 备注: 以下分析都基于libpcap-1.8.1版本进行 以下分析按照库的核心API为线索展开 以下分析源码时只列出核心逻辑 ... -
libpcap 源码解读
2009-11-11 11:02:00http://hi.baidu.com/suyupin/blog/item/c2b761123068140a5baf53fa.html http://hi.baidu.com/52hack/blog/item/4b915ce7eb7d5926b8382056.htmlhttp://industry.ccidnet.com/art/322/20050628/275739_4.htmlhttp -
libpcap源代码
2013-10-15 10:19:55libpcap源代码。 网络抓包API库, 网络流处理强大的库,0分分享! -
基于Linux平台的libpcap源码分析和优化
2015-03-26 10:23:00目录 1..... libpcap简介... 1 2..... libpcap捕包过程...... 2.1 数据包基本捕包流程......2.2 libpcap捕包过程......2.3 libpcap 1.3.0源码对照... 6 2.3.1 创建环形队列... 6 2.3.2 捕获数据包... 6... -
Linux下libpcap编程源码
2018-06-14 13:30:09以下是官网的一个实例源码,libpcap安装和测试,在我别我文里有。 #define APP_NAME "TEST01" #define APP_DESC "JUST TEST01 #define APP_COPYRIGHT "CREAT BY GogY" #define APP_DISCLAIMER "THERE ... -
libpcap 详解源代码
2015-04-02 20:08:44Linux 网络编程—— libpcap 详解,相关教程链接如下: http://blog.csdn.net/tennysonsky/article/details/44811899 -
Linux下Libpcap源码分析和包过虑机制
2012-01-20 08:31:18Linux下Libpcap源码分析和包过虑机制 2010年07月21日 Linux下Libpcap源码分析和包过虑机制 libpcap是Unix/Linux平台下的网络数据包捕获函数包,大多数网络监控软件都以它为基础.Libpcap可以在绝大多数类Unix... -
编译和使用Android平台下的libpcap和jpcap
2019-04-10 20:05:55本文导航〇、写在前面一、编译libpcap和jpcap1. 下载源代码1.1 libpcap1.2 jpcap2. 编译libpcap3. 编译jpcap二、Android APP使用jpcap 〇、写在前面 笔者一直想尝试编写Android平台的原声抓包APP,于是网上调研了些... -
Linux下Libpcap源码分析和包过滤机制 (4)
2012-07-19 13:44:26libpcap 解决这个问题的方法是在设置过滤器之前, 首先读完接收队列中所有的数据包。具体步骤如下。*/ /*为了避免无限循环的情况发生(反复的读数据包并丢弃, 但新的数据包不停的到达),首先设置一个过滤器,... -
libpcap:LIBpcap接口与各种内核数据包捕获机制-源码
2021-04-27 14:19:15该目录包含libpcap的源代码,libpcap是用于用户级数据包捕获的与系统无关的接口。 libpcap提供了用于底层网络监视的可移植框架。 应用程序包括网络统计信息收集,安全性监视,网络调试等。由于几乎每个系统供应商都... -
libpcapy:Python库可通过ctypes使用libpcap-源码
2021-05-10 13:46:44Libpcapy是libpcap的Python包装器, libpcap是用C编写的用于用户级数据包捕获的接口。 开发该库的动机是在使用Python进行编程时需要高性能的数据包嗅探器(具有较高的数据包处理速率)。 该项目使用ctypes库。 依存...
