@xunuo
2017-07-21T17:03:27.000000Z
字数 15270
阅读 1414
网络数据包分析
dns的实现是在端口号=53的基础上的;然后就可以设定过滤条件为"port 53";只抓端口号为53的数据包;
#include "pcap.h"
#include<cstdlib>
#include<vector>
#include<string>
using namespace std;
/*ip地址*/
typedef struct ip_address
{
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
} ip_address;
/*以太网协议头*/
struct ether_header
{
u_int8_t ether_dhost[6]; //目的Mac地址
u_int8_t ether_shost[6]; //源Mac地址
u_int16_t ether_type; //协议类型
};
/*IPv4协议头*/
struct ip_header
{
#if defined(WORDS_BIENDIAN)
u_int8_t ip_version : 4, ip_header_length : 4;
#else
u_int8_t ip_header_length : 4, ip_version : 4;
#endif
u_int8_t ip_tos;
u_int16_t ip_length;
u_int16_t ip_id;
u_int16_t ip_off;
u_int8_t ip_ttl;
u_int8_t ip_protocol;
u_int16_t ip_checksum;
ip_address saddr; /*源地址(Source address)*/
ip_address daddr; /*目的地址(Destination address)*/
};
/*UDP协议头*/
struct udphdr
{
u_int16_t source_port; /*源地址端口*/
u_int16_t dest_port; /*目的地址端口*/
u_int16_t len; /*UDP长度*/
u_int16_t check; /*UDP校验和*/
};
//TCP协议头
#define __LITTLE_ENDIAN_BITFIELD
struct tcphdr
{
u_int16_t source_port; /*源地址端口*/
u_int16_t dest_port; /*目的地址端口*/
u_int32_t seq; /*序列号*/
u_int32_t ack_seq; /*确认序列号*/
u_int8_t tcp_header_length : 4;
#if defined(__LITTLE_ENDIAN_BITFIELD)
u_int16_t res1 : 4, /*保留*/
doff : 4, /*偏移*/
fin : 1, /*关闭连接标志*/
syn : 1, /*请求连接标志*/
rst : 1, /*重置连接标志*/
psh : 1, /*接收方尽快将数据放到应用层标志*/
ack : 1, /*确认序号标志*/
urg : 1, /*紧急指针标志*/
ece : 1, /*拥塞标志位*/
cwr : 1; /*拥塞标志位*/
#elif defined(__BIG_ENDIAN_BITFIELD)
u_int16_t doff : 4, /*偏移*/
res1 : 4, /*保留*/
cwr : 1, /*拥塞标志位*/
ece : 1, /*拥塞标志位*/
urg : 1, /*紧急指针标志*/
ack : 1, /*确认序号标志*/
psh : 1, /*接收方尽快将数据放到应用层标志*/
rst : 1, /*重置连接标志*/
syn : 1, /*请求连接标志*/
fin : 1; /*关闭连接标志*/
#else
u_int16_t flag;
#endif
u_int16_t window; /*滑动窗口大小*/
u_int16_t check; /*校验和*/
u_int16_t urg_ptr; /*紧急字段指针*/
};
struct queries
{
u_int16_t type;//类型;
u_int16_t clas;//采用的方法;
};
struct answers
{
u_int16_t nameoff;//有偏移域名所占的两个字节
u_int16_t type;
u_int16_t clas;
u_int32_t time;//生存时间
u_int16_t len;
};
struct authority
{
u_int16_t nameoff;
u_int16_t type;
u_int16_t clas;
u_int32_t time;
u_int16_t len;
};
/*DNS头*/
struct dnshdr
{
u_int16_t tra_id;//事务ID;
u_int16_t flag;//操作代码(0/1);
u_int16_t qes;//问题计数;
u_int16_t ansrrs;//回答RR数;
u_int16_t au_rrs;//权威RR数;
u_int16_t add_rrs;//附加RRs;
};
/*flag是位置,cnt是标签*/
int p=0;
void domainname(int &flag, int &cnt, int &j,const u_char* packet_content,char ansname[])
{
int num = packet_content[flag];
while (num > 0)
{
if (packet_content[flag] == 0xc0)//有偏移;
{
flag += 1;
int off = packet_content[flag];
domainname(off, cnt, j, packet_content, ansname);
if (p = 1)
break;
}
else
{
for (int i = 1; i <= num; i++)
{
ansname[j] = packet_content[flag + i];
j++;
if (i == num&&packet_content[flag + num + 1] != 0)
{
ansname[j] = '.';
j++;
}
}
flag += num + 1;
cnt++;
num = packet_content[flag];
}
}
if (num == 0)
p = 1;
}
void sixtoten(int &flag,int &num,const u_char* packet_content)
{
int m = 16777216;//(m=16^6)
for (int i = 0; i < 4; i++)
{
//printf("%02x %d\n", packet_content[flag + i], packet_content[flag + i]);
int number = packet_content[flag + i];
num += number*m;
m /= 256;
}
flag += 4;
}
void dns_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content)
{
struct dnshdr *dns_protocol;
dns_protocol = (struct dnshdr *) packet_content;
printf("---------DNS---------\n");
if (ntohs(dns_protocol->flag) == 0x0100)
printf("请求报文\n");
else
printf("应答报文\n");
printf("DNS ID:%04x\n", ntohs(dns_protocol->tra_id));
printf("操作代码:%04x\n", ntohs(dns_protocol->flag));
printf("问题计数:%d\n", ntohs(dns_protocol->qes));
printf("回答RR数:%d\n", ntohs(dns_protocol->ansrrs));
printf("权威RR数:%d\n", ntohs(dns_protocol->au_rrs));
printf("附加RR数:%d\n", ntohs(dns_protocol->add_rrs));
struct queries *dns_que;
const u_char* dns_packet_content;
char name[200];
memset(name, 0, sizeof(name));
int quenum = ntohs(dns_protocol->qes);
int flag = 12;
/*---------Queries:------*/
while (quenum--)
{
int cnt = 0, j = 0;
printf("---------Queries:------\n");
domainname(flag, cnt, j, packet_content,name);
printf("域名(Name):%s\n", name);
printf("域名长度(Name Length):%d\n", j);
printf("标签长度(Label Count):%d\n", cnt);
dns_packet_content = packet_content + 12 + 2 + j;
dns_que = (struct queries *) dns_packet_content;
printf("type:%04x\n", ntohs(dns_que->type));
printf("Class:%04x\n", ntohs(dns_que->clas));
flag += 4 + 1;
}
/*---------Answers:------*/
int ansnum = ntohs(dns_protocol->ansrrs);
if (ansnum > 0)
{
printf("---------Answers:------\n");
int off1;
while (ansnum--)
{
struct answers *dns_ans;
const u_char* dns_ans_packet_content;
dns_ans_packet_content = packet_content + flag;
dns_ans = (struct answers *) dns_ans_packet_content;
char ansname[200];
memset(ansname, 0, sizeof(ansname));
int cnt = 0;
int j = 0;
flag += 1;
off1 = packet_content[flag];
/*printf("off1:%02x\n", off1);*/
domainname(off1, cnt, j, packet_content,ansname);
/*printf("flag:%d\n", flag);*/
printf("域名(Ansname):%s\n", ansname);
printf("类型(Type):%04x\n", ntohs(dns_ans->type));
printf("类(Class):%04x\n", ntohs(dns_ans->clas));
printf("生存时间(Time to live):%08x\n", ntohs(dns_ans->time));
flag += 10;
printf("数据长度(Data length):%d\n",packet_content[flag]);
if (packet_content[ flag] == 4)//Address
{
struct ip_address *dns_add;
const u_char* dns_add_packet_content;
flag += 1;
dns_add_packet_content = packet_content + flag;
dns_add = (struct ip_address *) dns_add_packet_content;
printf("地址(Adress):%d.%d.%d.%d\n", dns_add->byte1, dns_add->byte2, dns_add->byte3, dns_add->byte4);
flag += 4;
printf("--------------------\n");
}
else//域名
{
char cname[200];
memset(cname, 0, sizeof(cname));
flag+=1;
printf("flag and packet:%d %02x\n", flag, packet_content[flag]);
int j = cnt = 0;
domainname(flag, cnt, j, packet_content,cname);
printf("域名(Cname):%s\n", cname);
flag += 1;
/*printf("flag::::%d\n", flag);*/
printf("--------------------\n");
}
}
}
/*---------Authoritative nameservers:------*/
int authonum = ntohs(dns_protocol->au_rrs);
if (authonum > 0)
{
printf("---------Authoritative nameservers:------\n");
int off1;
while (authonum--)
{
struct authority *dns_aut;
const u_char* dns_aut_packet_content;
dns_aut_packet_content = packet_content + flag;
dns_aut = (struct authority *) dns_aut_packet_content;
char autname[200];
memset(autname, 0, sizeof(autname));
int cnt = 0;
int j = 0;
flag += 1;
off1 = packet_content[flag];
/*printf("off1:%02x\n", off1);*/
if (off1 == 0)
{
autname[0] = '<';
autname[1] = 'R';
autname[2] = 'o';
autname[3] = 'o';
autname[4] = 't';
autname[5] = '>';
flag += 1;
}
else
domainname(off1, cnt, j, packet_content, autname);
/*printf("flag:%d\n", flag);*/
printf("域名(Ansname):%s\n", autname);
printf("类型(Type):%04x\n", ntohs(dns_aut->type));
printf("类(Class):%04x\n", ntohs(dns_aut->clas));
printf("生存时间(Time to live):%08x\n", ntohs(dns_aut->time));
flag += 10;
/*printf("flag:%d\n", flag);*/
printf("数据长度(Data length):%d\n", packet_content[flag]);
if (packet_content[flag] == 4)//Address
{
struct ip_address *dns_add;
const u_char* dns_add_packet_content;
flag += 1;
dns_add_packet_content = packet_content + flag;
dns_add = (struct ip_address *) dns_add_packet_content;
printf("地址(Adress):%d.%d.%d.%d\n", dns_add->byte1, dns_add->byte2, dns_add->byte3, dns_add->byte4);
flag += 4;
//printf("--------------------\n");
}
else//域名
{
char cname[200];
memset(cname, 0, sizeof(cname));
flag += 1;
/*printf("flag and packet:%d %02x\n", flag, packet_content[flag]);*/
int j = cnt = 0;
domainname(flag, cnt, j, packet_content, cname);
printf("Primary name server:%s\n", cname);
flag += 1;
/*printf("flag:%d\n", flag);*/
//printf("--------------------\n");
}
char mail[200];
memset(mail, 0, sizeof(mail));
printf("flag and packet:%d %02x\n", flag, packet_content[flag]);
j = cnt = 0;
domainname(flag, cnt, j, packet_content, mail);
printf("Responsible authority's mailbox:%s\n", mail);
flag += 1;
printf("flag:%d\n", flag);
int serialnum = 0;
sixtoten(flag, serialnum, packet_content);
printf("Seral Number:%d\n", serialnum);
int refreshint = 0;
sixtoten(flag, refreshint, packet_content);
printf("Refresh Interval:%d\n", refreshint);
int retyinterval = 0;
sixtoten(flag, retyinterval, packet_content);
printf("Retry Interval:%d\n", retyinterval);
int expirelimit = 0;
sixtoten(flag, expirelimit, packet_content);
printf("Expire limit:%d\n", expirelimit);
int mimimunttl = 0;
sixtoten(flag, mimimunttl, packet_content);
printf("Mininum TTL:%d\n", mimimunttl);
}
}
/*---------Additional records------*/
int addnum = ntohs(dns_protocol->add_rrs);
if (addnum > 0)
{
printf("---------Additional records:------\n");
int off1;
while (addnum--)
{
struct authority *dns_add;
const u_char* dns_add_packet_content;
/*printf("flag:%d\n", flag);*/
dns_add_packet_content = packet_content + flag;
dns_add = (struct authority *) dns_add_packet_content;
char autname[200];
memset(autname, 0, sizeof(autname));
int cnt = 0;
int j = 0;
flag += 1;
off1 = packet_content[flag];
/*printf("off1:%02x\n", off1);*/
domainname(off1, cnt, j, packet_content, autname);
/*printf("flag:%d\n", flag);*/
printf("域名(Ansname):%s\n", autname);
printf("类型(Type):%04x\n", ntohs(dns_add->type));
printf("类(Class):%04x\n", ntohs(dns_add->clas));
printf("生存时间(Time to live):%08x\n", ntohs(dns_add->time));
flag += 10;
printf("数据长度(Data length):%d\n", packet_content[flag]);
if (packet_content[flag] == 4)//Address
{
struct ip_address *dns_add;
const u_char* dns_add_packet_content;
flag += 1;
dns_add_packet_content = packet_content + flag;
dns_add = (struct ip_address *) dns_add_packet_content;
printf("地址(Adress):%d.%d.%d.%d\n", dns_add->byte1, dns_add->byte2, dns_add->byte3, dns_add->byte4);
flag += 4;
printf("--------------------\n");
}
else//域名
{
char cname[200];
memset(cname, 0, sizeof(cname));
flag += 1;
/*printf("flag and packet:%d %02x\n", flag, packet_content[flag]);*/
int j = cnt = 0;
domainname(flag, cnt, j, packet_content, cname);
printf("域名(Cname):%s\n", cname);
flag += 1;
/*printf("flag::::%d\n", flag);*/
printf("--------------------\n");
}
}
}
}
//UDP协议分析
void udp_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content)
{
struct udphdr *udp_protocol;
u_int header_length = 0;
u_int16_t checksum;
udp_protocol = (struct udphdr *) packet_content;
checksum = ntohs(udp_protocol->check);
u_int16_t source_port; /*源地址端口*/
u_int16_t dest_port; /*目的地址端口*/
u_int16_t len; /*UDP长度*/
u_int16_t check; /*UDP校验和*/
printf("---------UDP协议---------\n");
printf("源端口:%d\n", ntohs(udp_protocol->source_port));
printf("目的端口:%d\n", ntohs(udp_protocol->dest_port));
printf("UDP数据包长度:%d\n", ntohs(udp_protocol->len));
printf("UDP校验和:%d\n", checksum);
if (ntohs(udp_protocol->source_port) == 53 || ntohs(udp_protocol->dest_port) == 53)
{
//printf("dns data:\n%s\n", packet_content + sizeof(udphdr));
dns_protool_packet_callback(argument, packet_header, packet_content + sizeof(udphdr));
}
}
//TCP协议分析
void tcp_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content)
{
struct tcphdr *tcp_protocol;
u_int header_length = 0;
u_int offset;
u_char tos;
u_int16_t checksum;
tcp_protocol = (struct tcphdr *) packet_content;
checksum = ntohs(tcp_protocol->check);
printf("---------TCP协议---------\n");
printf("源端口:%d\n", ntohs(tcp_protocol->source_port));
printf("目的端口:%d\n", ntohs(tcp_protocol->dest_port));
printf("SEQ:%d\n", ntohl(tcp_protocol->seq));
printf("ACK SEQ:%d\n", ntohl(tcp_protocol->ack_seq));
printf("TCP校验和:%d\n", checksum);
if (ntohs(tcp_protocol->source_port) == 80 || ntohs(tcp_protocol->dest_port) == 80)//http协议
printf("http data:\n%s\n", packet_content + sizeof(tcphdr));
}
//IP协议分析
void ip_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content)
{
struct ip_header *ip_protocol;
u_int offset;
u_char tos;
u_int16_t checksum;
ip_protocol = (struct ip_header *)packet_content;
checksum = ntohs(ip_protocol->ip_checksum);
tos = ip_protocol->ip_tos;
offset = ntohs(ip_protocol->ip_off);
printf("---------IP协议---------\n");
printf("版本号:%d\n", ip_protocol->ip_version);
printf("首部长度:%d %d\n", ip_protocol->ip_header_length, sizeof(ip_header));
printf("服务质量:%d\n", tos);
printf("总长度:%d\n", ntohs(ip_protocol->ip_length));
printf("标识:%d\n", ntohs(ip_protocol->ip_id));
printf("偏移:%d\n", (offset & 0x1fff) * 8);
printf("生存时间:%d\n", ip_protocol->ip_ttl);
printf("协议类型:%d\n", ip_protocol->ip_protocol);
printf("检验和:%d\n", checksum);
printf("源IP地址:%d.%d.%d.%d\n", ip_protocol->saddr.byte1, ip_protocol->saddr.byte2, ip_protocol->saddr.byte3, ip_protocol->saddr.byte4);
printf("目的地址:%d.%d.%d.%d\n", ip_protocol->daddr.byte1, ip_protocol->daddr.byte2, ip_protocol->daddr.byte3, ip_protocol->daddr.byte4);
switch (ip_protocol->ip_protocol)
{
case 1: printf("上层协议是ICMP协议\n"); break;
case 2: printf("上层协议是IGMP协议\n"); break;
case 6:
{
printf("上层协议是TCP协议\n");
tcp_protool_packet_callback(argument, packet_header, packet_content + sizeof(ip_header));
}
break;
case 17:
{
printf("上层协议是UDP协议\n");
udp_protool_packet_callback(argument, packet_header, packet_content + sizeof(ip_header));
}
break;
default:break;
}
}
//以太网协议分析
void ethernet_protocol_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content)
{
u_short ethernet_type;
struct ether_header *ethernet_protocol;
u_char *mac_string;
static int packet_number = 1;
printf("----------------------------------------------\n");
printf("捕获第%d个网络数据包\n", packet_number);
printf("该数据包的具体内容:\n");
for (int i = 1; i <= packet_header->len; i++)
{
printf("%02x(%d) ", packet_content[i - 1],i-1-42);
if (i % 8 == 0)
printf(" ");
if (i % 16 == 0)
printf("\n");
}
printf("\n");
printf("数据包长度:%d\n", packet_header->len);
printf("---------以太网协议---------\n");
ethernet_protocol = (struct ether_header*)packet_content;//获得数据包内容
ethernet_type = ntohs(ethernet_protocol->ether_type);//获得以太网类型
printf("以太网类型:%04x\n", ethernet_type);
mac_string = ethernet_protocol->ether_shost;
printf("MAC帧源地址:%02x:%02x:%02x:%02x:%02x:%02x\n", *mac_string, *(mac_string + 1), *(mac_string + 2), *(mac_string + 3), *(mac_string + 4), *(mac_string + 5));
mac_string = ethernet_protocol->ether_dhost;
printf("MAC帧目的地址:%02x:%02x:%02x:%02x:%02x:%02x\n", *mac_string, *(mac_string + 1), *(mac_string + 2), *(mac_string + 3), *(mac_string + 4), *(mac_string + 5));
switch (ethernet_type)
{
case 0x0800:
{
printf("上层协议是IPv4协议\n");
ip_protool_packet_callback(argument, packet_header, packet_content + sizeof(ether_header));
}
break;
case 0x0806:
printf("上层协议是ARP协议\n");
break;
case 0x8035:
printf("上层协议是RARP协议\n");
break;
case 0x814C:
printf("上层协议是简单网络管理协议SNMP\n");
break;
case 0x8137:
printf("上层协议是因特网包交换(IPX:Internet Packet Exchange)\n");
break;
case 0x86DD:
printf("上层协议是IPv6协议\n");
break;
case 0x880B:
printf("上层协议是点对点协议(PPP:Point-to-Point Protocol)\n");
break;
default:break;
}
printf("----------------------------------------------\n");
packet_number++;
}
int main()
{
pcap_if_t * allAdapters; //适配器列表
pcap_if_t * adapter; //跑适配器列表
pcap_t * adapterHandle; //适配器句柄
//char error_content[PCAP_ERRBUF_SIZE]; //存储错误信息
bpf_u_int32 net_mask = 0; //掩码地址
bpf_u_int32 net_ip = 0; //网络地址
char *net_interface; //网络接口
struct bpf_program bpf_filter; //BPF过滤规则
char bpf_filter_string[] = "port 53"; //过滤规则字符串,只分析IPv4的数据包
char errorBuffer[PCAP_ERRBUF_SIZE]; //错误信息缓冲区
if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &allAdapters, errorBuffer) == -1) //检索机器连接的所有网络适配器
{
fprintf(stderr, "Error in pcap_findalldevs_ex function: %s\n", errorBuffer);
return -1;
}
if (allAdapters == NULL) //不存在任何适配器
{
printf("\nNo adapters found! Make sure WinPcap is installed.\n");
return 0;
}
int crtAdapter = 0;
for (adapter = allAdapters; adapter != NULL; adapter = adapter->next)
{ //遍历输入适配器信息(名称和描述信息)
printf("\n%d.%s ", ++crtAdapter, adapter->name);
printf("-- %s\n", adapter->description);
}
printf("\n");
int adapterNumber;
printf("Enter the adapter number between 1 and %d:", crtAdapter);//选择要捕获数据包的适配器
scanf_s("%d", &adapterNumber);
if (adapterNumber < 1 || adapterNumber > crtAdapter)
{
printf("\nAdapter number out of range.\n");
pcap_freealldevs(allAdapters);// 释放适配器列表
return -1;
}
adapter = allAdapters;
for (crtAdapter = 0; crtAdapter < adapterNumber - 1; crtAdapter++)
adapter = adapter->next;
adapterHandle = pcap_open(adapter->name, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer);// 打开指定适配器
if (adapterHandle == NULL)//指定适配器打开失败
{
fprintf(stderr, "\nUnable to open the adapter\n", adapter->name);
pcap_freealldevs(allAdapters);// 释放适配器列表
return -1;
}
char errbuf[2048];
pcap_createsrcstr(NULL, 0, NULL, "80", NULL, errbuf);
printf("\nCapture session started on adapter %s\n", adapter->name);
pcap_freealldevs(allAdapters);//释放适配器列表
pcap_compile(adapterHandle, &bpf_filter, bpf_filter_string, 0, net_ip); //编译过滤规则
pcap_setfilter(adapterHandle, &bpf_filter);//设置过滤规则
if (pcap_datalink(adapterHandle) != DLT_EN10MB) //DLT_EN10MB表示以太网
return 0;
pcap_loop(adapterHandle, 100, ethernet_protocol_packet_callback, NULL); //捕获65536个数据包进行分析
pcap_close(adapterHandle);
return 0;
}