【C语言】Linux平台下解析pcap文件

开发环境是readhat、ubuntu、kali

在wireshark上抓包需要使用 Wireshark/tcpdump/ 且文件后缀名为.pcap 方式保存

效果如下：

引入俩文件如下。

my_pcap.h

#pragma once
#include <netinet/in.h>#define PCAP_MAGIC 0xa1b2c3d4typedef struct pcap_file_header
{uint32_t magic;       /* 0xa1b2c3d4 */uint16_t version_major;   /* magjor Version 2 */uint16_t version_minor;   /* magjor Version 4 */uint32_t thiszone;      /* gmt to local correction */uint32_t sigfigs;     /* accuracy of timestamps */uint32_t snaplen;     /* max length saved portion of each pkt */uint32_t linktype;    /* data link type (LINKTYPE_*) */
}* PPCAP_HEADER;
#define PCAP_FILE_HEADER_LEN sizeof(struct pcap_file_header)typedef struct pcap_pkthdr
{uint32_t ts_sec;uint32_t ts_usec;uint32_t caplen; /* length of portion present */uint32_t len;    /* length this packet (off wire) */
}* PPCAP_PK_HEADER;
#define PCAP_PK_LEN sizeof(struct pcap_pkthdr)typedef struct pcap_each
{int pcap_len;int pos;char* pcap_data;
}* PPCAP_EACH;PPCAP_EACH create_pcap_each(char* data, int data_len);
int check_pcap(char* data,int data_len);
PPCAP_PK_HEADER get_first_pkg(PPCAP_EACH pcap_each);
PPCAP_PK_HEADER next_pkg(PPCAP_EACH pcap_each);
char* get_pkg_data(PPCAP_PK_HEADER pcap_pk_hdr, int* out_len);

my_pcap.c

#include "my_pcap.h"
#include <stdlib.h>int check_pcap(char* data,int data_len){PPCAP_HEADER pcap_hdr = (PPCAP_HEADER)data; if(pcap_hdr->magic == PCAP_MAGIC){return 1;}return 0;
}PPCAP_EACH create_pcap_each(char* data, int data_len){PPCAP_EACH pe = malloc(sizeof(struct pcap_each));pe->pos = 0;pe->pcap_data = data;pe->pcap_len = data_len;return pe;
}PPCAP_PK_HEADER get_first_pkg(PPCAP_EACH pcap_each){pcap_each->pos = PCAP_FILE_HEADER_LEN;return (PPCAP_PK_HEADER)(pcap_each->pcap_data + pcap_each->pos);
}PPCAP_PK_HEADER next_pkg(PPCAP_EACH pcap_each){PPCAP_PK_HEADER now_pkg = (PPCAP_PK_HEADER)(pcap_each->pcap_data + pcap_each->pos);pcap_each->pos += PCAP_PK_LEN + now_pkg->caplen;if(pcap_each->pos >= pcap_each->pcap_len){return 0;}PPCAP_PK_HEADER next_pkg = (PPCAP_PK_HEADER)(pcap_each->pcap_data + pcap_each->pos);return next_pkg;
}char* get_pkg_data(PPCAP_PK_HEADER pcap_pk_hdr, int* out_len){*out_len = pcap_pk_hdr->caplen;return ((char*)pcap_pk_hdr + PCAP_PK_LEN);
}

然后进行测试，测试代码如下：

int buffer_len = 0;
char* buffer = read_file("/home/kali/Desktop/pcap/your_pack.pcap", &buffer_len);
if(check_pcap(buffer, buffer_len) == 0){printf("file not is pcap file \n");return;
}
PPCAP_EACH peach = create_pcap_each(buffer, buffer_len);
PPCAP_PK_HEADER pkg = get_first_pkg(peach);
int data_len = 0;
char* data = 0;
for(;pkg != 0; pkg = next_pkg(peach)){data = get_pkg_data(pkg, &data_len);printf("data_len:%d \n", data_len);hexDump(data, data_len);
}
free(peach);
free(buffer);

其中的read_file方法和hexDump方法是需要自己写的。

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>char* read_file(char* path,int* out_len){int fd = open(path, O_RDONLY);struct stat st;stat(path, &st);*out_len = st.st_size;char* buffer = (char*)malloc(st.st_size);read(fd, buffer, st.st_size);close(fd);return buffer;
}

#include <stdio.h>
#include <stdlib.h>
#include <string.h>void hexDump(void* _buf, int len)
{if(len > 99999){printf("show len:%d >300 Byte. do not show. \n",len);return;}char* buf = (char*)_buf;if (len < 1 || buf == (void*)0) return;const char *hexChars = "0123456789ABCDEF";int i = 0;char c = 0x00;char str_print_able[17];char str_hex_buffer[16 * 3 + 1];for (i = 0; i < (len / 16) * 16; i += 16){int j = 0;for (j = 0; j < 16; j++){c = buf[i + j];// hexint z = j * 3;str_hex_buffer[z++] = hexChars[(c >> 4) & 0x0F];str_hex_buffer[z++] = hexChars[c & 0x0F];str_hex_buffer[z++] = (j < 10 && !((j + 1) % 8)) ? '_' : ' ';// string with space repalcedif (c < 32 || c == '\0' || c == '\t' || c == '\r' || c == '\n' || c == '\b')str_print_able[j] = '.';elsestr_print_able[j] = c;}str_hex_buffer[16 * 3] = 0x00;str_print_able[j] = 0x00;printf("%04x  %s %s\n", i, str_hex_buffer, str_print_able);}int leftSize = len % 16;if (leftSize < 1) return;int j = 0;int pos = i;for (; i < len; i++){c = buf[i];// hexint z = j * 3;str_hex_buffer[z++] = hexChars[(c >> 4) & 0x0F];str_hex_buffer[z++] = hexChars[c & 0x0F];str_hex_buffer[z++] = ' ';// string with space repalcedif (c < 32 || c == '\0' || c == '\t' || c == '\r' || c == '\n' || c == '\b')str_print_able[j] = '.';elsestr_print_able[j] = c;j++;}str_hex_buffer[leftSize * 3] = 0x00;str_print_able[j] = 0x00;for (j = leftSize; j < 16; j++){int z = j * 3;str_hex_buffer[z++] = ' ';str_hex_buffer[z++] = ' ';str_hex_buffer[z++] = ' ';}str_hex_buffer[16 * 3] = 0x00;printf("%04x  %s %s\n", pos, str_hex_buffer, str_print_able);
}

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.rhkb.cn/news/152027.html

如若内容造成侵权/违法违规/事实不符，请联系长河编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！