dreamgirl_zdz 2013-09-25 03:08 采纳率: 0%
浏览 3922

怎么用C语言读取WireShark捕获的数据包文件

怎么用C语言读取WireShark捕获的数据包文件,要求能分析出以太网头部,Ip头部,TCP头部,并提取出数据部分,下面是我写的一段代码,但是读的不对,希望高手指点
//.pcap文件
//#ifndef xiaohouzi
//#define xiaohouzi
#ifndef LITTLE_ENDIAN
#define LITTLE_ENDIAN (1)
#include

typedef unsigned int bpf_u_int32;
typedef unsigned short u_short;
typedef int bpf_int32;
typedef unsigned char u_int8_t;
//////////////////////////////
typedef char int8_t;
//////////////////////////////
typedef unsigned short int u_int16_t;
typedef unsigned int u_int32_t;

typedef struct pcap_file_header
{
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;

bpf_int32 thiszone;
bpf_u_int32 sigfigs;
bpf_u_int32 snaplen;
bpf_u_int32 linktype;

}pcap_file_header;

typedef struct timestamp
{
bpf_u_int32 timestamp_s;
bpf_u_int32 timestamp_ms;
}timestamp;

typedef struct pcap_header
{
timestamp ts;
bpf_u_int32 capture_len;
bpf_u_int32 len;
}pcap_header;

typedef struct ether_header
{
u_int8_t ether_dhost[6]; //destination mac address
u_int8_t ether_shost[6]; //source mac address
u_int16_t ether_type; //ethernet type
}ether_header;

typedef u_int32_t in_addr_t;

// struct in_addr
//{
// in_addr_t s_addr;
//};
//total length : 20Bytes
typedef struct ip_hdr
{
#if LITTLE_ENDIAN
u_int8_t ihl:4; //
u_int8_t version:4; //version
#else
u_int8_t version:4;
u_int8_t ihr:4;
#endif

u_int8_t      tos;      //service type
u_int16_t     tos_len;  //total len
u_int16_t     id;       //
u_int16_t     frag_off; //offset
u_int8_t      ttl;      //live time
u_int8_t      protocol; //
u_int16_t     chk_sum;  //check sum
struct in_addr    src_IP;   //source ip
struct in_addr    dst_IP;   //destnation ip

}ip_hdr;

//total length : 20Bytes
typedef struct tcp_hdr
{
u_int16_t src_port; //source port
u_int16_t dst_port; //destination port
u_int8_t seq_no[4];
u_int8_t ack_no[4];
//u_int32_t seq_no; //
//u_int32_t ack_no; //
/*struct in_addr seq_no;
struct in_addr ack_no; */

//u_int8_t      reserved_1:4;
//u_int8_t      th1:4;      //tcp header length
//u_int8_t      flag:6;     
//u_int8_t      reserverd_2:2;
u_int8_t        length;//长度
u_int8_t        type;//ACK。FIN……


u_int8_t     wnd_size[2];       //16 bit windows 
u_int16_t     chk_sum;      //16 bits check sum ack,syn......
u_int16_t     urgt_p;       //16 urgent p

}tcp_hdr;

//total length :8 Bytes

//#endif
#endif

//.cpp文件
#include"pcap.h"
#include
#include
#include
#include
#include
//#include "C:\Users\Administrator\Desktop\zlib\zlib\src\zlib-1.2.3-src\src\zlib\1.2.3\zlib-1.2.3\zlib.h"
//#pragma comment(lib, "zlib1.lib")
#pragma comment(lib,"ws2_32.lib")
int count=0;
void main(/*int argc,char argv[]/)
{
pcap_header ph=(pcap_header)malloc(sizeof(pcap_header));
ether_header*eh=(ether_header*)malloc(sizeof(ether_header));
ip_hdr * iph=(ip_hdr*)malloc(sizeof(ip_hdr));
tcp_hdr tcph=(tcp_hdr)malloc(sizeof(tcp_hdr));
if(ph==NULL||eh==NULL||iph==NULL||tcph==NULL)
{
printf("内存分配失败\n");
return ;
}
/*打开文件*/
FILE pfile=fopen(/*filename/"1.pcap","rb");
if(pfile==NULL)
{
printf("open file failed!\n");
return ;
}
fseek(pfile,0,SEEK_SET);//将文件指针置于头部
/*跳过文件头*/
if( fseek(pfile,24,SEEK_SET)!=0)
{
printf("文件头跳过失败!\n");
exit(0);
return;
}
/*读取每个数据包进行分析*/
while(!feof(pfile))
{
ZeroMemory(ph,sizeof(pcap_header));
ZeroMemory(eh,sizeof(*eh));
ZeroMemory(iph,sizeof(*iph));
ZeroMemory(tcph,sizeof(*tcph));
count++;//读取的数据包计数
/*读取包头*/
if(!fread(ph,sizeof(pcap_header),1,pfile))
{
printf("读取数据包头失败\n");
break;
}
printf("数据包%d的长度是%d,数据包读取的时间是%f\n",count,ph->capture_len ,ph->ts .timestamp_ms 0.001+ph->ts .timestamp_s );
/读取以太网头*/
if(!feof(pfile))
{
if(!fread(eh,sizeof(*eh),1,pfile)/*||eh->ether_type !=0x0800*/)
{
printf("读取以太网头部失败\n");
break;
}
}
printf("源MAC地址是:0x%2x:0x%2x:0x%2x:0x%2x:0x%2x:0x%2x\n",eh->ether_shost[0],eh->ether_shost [1],eh->ether_shost [2],eh->ether_shost [3],eh->ether_shost [4],eh->ether_shost [5] );
printf("目的MAC地址是:0x%2x:0x%2x:0x%2x:0x%2x:0x%2x:0x%2x\n",eh->ether_dhost [0],eh->ether_dhost [1],eh->ether_dhost [2],eh->ether_dhost [3],eh->ether_dhost [4],eh->ether_dhost [5]);
/*读取IP头*/
if(!feof(pfile))
{
if(!fread(iph,sizeof(*iph),1,pfile)/*||iph->protocol !=6*/)
{
printf("读取IP头失败\n");
break;
}
}
printf("源IP地址:%s\n",inet_ntoa(iph->src_IP));
printf("目的IP地址:%s\n",inet_ntoa(iph->dst_IP ));
/*读取TCP头*/
if(!feof(pfile))
{
if(!fread(tcph,sizeof(*tcph),1,pfile))
{
printf("读取tcp头失败\n");
break;
}
}
printf("源端口:%d\n",tcph->src_port );
printf("目的端口:%d\n",tcph->dst_port );
if(ph->capture_len -54==0)//没有数据部分
{
continue;
}
else//存在数据部分,读取数据
{
unsigned char buf=(unsigned char)malloc(ph->capture_len -54);
if(buf==NULL)
{
printf("分配数据区域失败!\n");
break;
}
if(!feof(pfile))
{
if(!fread(buf,sizeof(unsigned char),ph->capture_len -54,pfile))
{
printf("读取数据失败\n");
break;
}
}
}
}//end while
/*释放资源*/
free(ph);
free(eh);
free(iph);
free(tcph);
fclose(pfile);
}

  • 写回答

1条回答 默认 最新

  • 你不懂4 2017-07-01 09:02
    关注

    同求
    请问您最后知道了如何使用C语言读取wireshark抓取的包吗?
    能告知我一声吗?
    谢谢!

    评论

报告相同问题?

悬赏问题

  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?
  • ¥15 求daily translation(DT)偏差订正方法的代码
  • ¥15 js调用html页面需要隐藏某个按钮
  • ¥15 ads仿真结果在圆图上是怎么读数的
  • ¥20 Cotex M3的调试和程序执行方式是什么样的?
  • ¥20 java项目连接sqlserver时报ssl相关错误
  • ¥15 一道python难题3