
Libpcap试玩

libpcap 驱动了 tcpdump 和 wireshark 这类抓包工具，提供了高度灵活的包过滤语言。据 wikipedia，高性能的包过滤最早是在 BSD 上作为一个问题被解决，称为 BPF：在内核实现了一个解释器进行包匹配，用户态则提供一个字符设备。Linux 作为后来者，支持与 BSD 基本相同的 packet filter，称为 LPF；不同的是，Linux 是通过一个 raw socket 来支持包过滤的，通过 setsockopt 的 SO_ATTACH_FILTER 挂载过滤器。用 strace 可知，libpcap 实际上进行了如下 syscall：

socket(PF_PACKET, SOCK_RAW, 768) = 59 
setsockopt(59, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0\0\0\0\0\250\327Vc\375\177\0\0", 16) = 0

libpcap的api文档和demo代码可以参见

  1. http://www.tcpdump.org/pcap3_man.html
  2. http://www.tcpdump.org/sniffex.c

参考了文档和 demo，我写了一个小的 sniffer，

如下:

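// Thin RAII wrapper around a libpcap live capture: pick an interface, compile
// and attach a BPF filter expression, then hand every captured frame to
// got_packet() (defined elsewhere in this file).
//
// Lifetime: configure() acquires the capture handle and the compiled filter;
// the destructor releases both. One capture per Sniffer at a time — calling
// configure() again releases the previous capture first.
class Sniffer{
public:
    Sniffer():handle(NULL),net_if("any"),cap_exp(""),exp_compiled(false){}

    ~Sniffer(){
        release();
    }

    // Lists the interfaces libpcap can open on this host, plus the default one.
    // If either lookup fails that part is simply omitted; the reason is left in
    // errbuf and can be read back through err() while no handle exists.
    string help(){
        string h("avaliable net_interface:");
        pcap_if_t* alldev=NULL;
        if(0==pcap_findalldevs(&alldev, errbuf)){
            for(pcap_if_t * dev =alldev;NULL!=dev;dev=dev->next){
                h+=dev->name;
                h+=" ";
            }
            pcap_freealldevs(alldev);
        }
        char * default_if=pcap_lookupdev(errbuf);
        if(default_if){
            h+=" default interface:";
            h+=default_if;
        }
        return h;
    }

    // Last libpcap error message. Before a handle exists (pcap_lookupnet or
    // pcap_create failed) the text is in errbuf; once the handle exists it is
    // owned by pcap_geterr(). Never calls pcap_geterr() on a NULL handle.
    string err(){
        if(NULL==handle){
            return errbuf;
        }
        return pcap_geterr(handle);
    }

    // Open `net_interface` (empty keeps the current one, initially "any") and
    // attach the BPF expression `exp`. Returns false on any libpcap failure;
    // the failing step's message is available via err(). Resources acquired
    // before the failure stay owned by this object and are freed by the
    // destructor or the next configure().
    bool configure(const string & net_interface,const string & exp){
        // Drop any previous capture so a second configure() does not leak.
        release();

        if(net_interface!="")
            net_if=net_interface;
        cap_exp=exp;

        if(0!=pcap_lookupnet(net_if.data(),&netp,&maskp,errbuf)){
            return false;
        }

        handle=pcap_create(net_if.data(),errbuf);
        if(NULL==handle){
            return false;
        }
        // Option setters (pcap_set_snaplen/promisc/rfmon/timeout/buffer_size/
        // tstamp_type) would go here: they are only valid before pcap_activate().
        //
        // pcap_activate() returns 0 on success, a positive PCAP_WARNING_* value
        // on success with a warning, and a negative value on error — so only a
        // negative result is a failure.
        if(pcap_activate(handle)<0){
            return false;
        }

        //only cap ethernet packet
        if(DLT_EN10MB!=pcap_datalink(handle)){
            return false;
        }

        if (0!=pcap_compile(handle, &filter_code, cap_exp.data(), 0, maskp)) {
            return false;
        }
        exp_compiled=true;   // filter_code now needs pcap_freecode()

        return 0==pcap_setfilter(handle, &filter_code);
    }

    // Capture `pkg_num` packets (negative: run until error or pcap_breakloop).
    // Returns false if nothing is configured or pcap_loop() reports an error;
    // a count reached (0) or a pcap_breakloop() (-2) counts as success.
    bool loop(int pkg_num=-1){
        if(NULL==handle){
            return false;
        }
        return -1!=pcap_loop(handle,pkg_num,&Sniffer::pcap_callback,(u_char*)this);
    }

    // Trampoline for libpcap, which only accepts a plain function pointer: the
    // `user` argument carries the Sniffer instance registered in loop().
    static void pcap_callback(u_char *user, const struct pcap_pkthdr *h,
            const u_char *bytes){
        Sniffer * p_this=(Sniffer*) user;
        p_this->dispatch(h,bytes);
    }

private:
    void dispatch(const struct pcap_pkthdr *h, const u_char *bytes){
        got_packet(NULL,h,bytes);
    }

    // Free the compiled filter and close the handle, each only if it exists.
    // A bpf_program may only be passed to pcap_freecode() after pcap_compile()
    // filled it in, and pcap_close() requires a non-NULL handle, so each
    // release is gated on its own flag. Safe to call more than once.
    void release(){
        if(exp_compiled){
            pcap_freecode(&filter_code);
            exp_compiled=false;
        }
        if(handle){
            pcap_close(handle);
            handle=NULL;
        }
    }

    pcap_t *handle;                  // packet capture handle, NULL until configure()
    string net_if;                   // e.g. "eth0"
    string cap_exp;                  // e.g. "tcp and dst port 80"
    bool exp_compiled;               // filter_code holds a pcap_compile() result
    struct bpf_program filter_code;  // compiled filter program (expression)
    bpf_u_int32 netp;                // network address from pcap_lookupnet (not otherwise used)
    bpf_u_int32 maskp;               // netmask from pcap_lookupnet, passed to pcap_compile
    char errbuf[PCAP_ERRBUF_SIZE];   // libpcap error text for calls made without a handle
};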