@xunuo
2017-07-21T17:03:27.000000Z
字数 15270
阅读 1414
网络数据包分析
dns的实现是在端口号=53的基础上的;然后就可以设定过滤条件为"port 53";只抓端口号为53的数据包;
#include "pcap.h"#include<cstdlib>#include<vector>#include<string>using namespace std;/*ip地址*/typedef struct ip_address{u_char byte1;u_char byte2;u_char byte3;u_char byte4;} ip_address;/*以太网协议头*/struct ether_header{u_int8_t ether_dhost[6]; //目的Mac地址u_int8_t ether_shost[6]; //源Mac地址u_int16_t ether_type; //协议类型};/*IPv4协议头*/struct ip_header{#if defined(WORDS_BIENDIAN)u_int8_t ip_version : 4, ip_header_length : 4;#elseu_int8_t ip_header_length : 4, ip_version : 4;#endifu_int8_t ip_tos;u_int16_t ip_length;u_int16_t ip_id;u_int16_t ip_off;u_int8_t ip_ttl;u_int8_t ip_protocol;u_int16_t ip_checksum;ip_address saddr; /*源地址(Source address)*/ip_address daddr; /*目的地址(Destination address)*/};/*UDP协议头*/struct udphdr{u_int16_t source_port; /*源地址端口*/u_int16_t dest_port; /*目的地址端口*/u_int16_t len; /*UDP长度*/u_int16_t check; /*UDP校验和*/};//TCP协议头#define __LITTLE_ENDIAN_BITFIELDstruct tcphdr{u_int16_t source_port; /*源地址端口*/u_int16_t dest_port; /*目的地址端口*/u_int32_t seq; /*序列号*/u_int32_t ack_seq; /*确认序列号*/u_int8_t tcp_header_length : 4;#if defined(__LITTLE_ENDIAN_BITFIELD)u_int16_t res1 : 4, /*保留*/doff : 4, /*偏移*/fin : 1, /*关闭连接标志*/syn : 1, /*请求连接标志*/rst : 1, /*重置连接标志*/psh : 1, /*接收方尽快将数据放到应用层标志*/ack : 1, /*确认序号标志*/urg : 1, /*紧急指针标志*/ece : 1, /*拥塞标志位*/cwr : 1; /*拥塞标志位*/#elif defined(__BIG_ENDIAN_BITFIELD)u_int16_t doff : 4, /*偏移*/res1 : 4, /*保留*/cwr : 1, /*拥塞标志位*/ece : 1, /*拥塞标志位*/urg : 1, /*紧急指针标志*/ack : 1, /*确认序号标志*/psh : 1, /*接收方尽快将数据放到应用层标志*/rst : 1, /*重置连接标志*/syn : 1, /*请求连接标志*/fin : 1; /*关闭连接标志*/#elseu_int16_t flag;#endifu_int16_t window; /*滑动窗口大小*/u_int16_t check; /*校验和*/u_int16_t urg_ptr; /*紧急字段指针*/};struct queries{u_int16_t type;//类型;u_int16_t clas;//采用的方法;};struct answers{u_int16_t nameoff;//有偏移域名所占的两个字节u_int16_t type;u_int16_t clas;u_int32_t time;//生存时间u_int16_t len;};struct authority{u_int16_t nameoff;u_int16_t type;u_int16_t clas;u_int32_t time;u_int16_t len;};/*DNS头*/struct dnshdr{u_int16_t tra_id;//事务ID;u_int16_t flag;//操作代码(0/1);u_int16_t qes;//问题计数;u_int16_t ansrrs;//回答RR数;u_int16_t au_rrs;//权威RR数;u_int16_t add_rrs;//附加RRs;};/*flag是位置,cnt是标签*/int p=0;void domainname(int &flag, int &cnt, int &j,const u_char* packet_content,char ansname[]){int num = packet_content[flag];while (num > 0){if (packet_content[flag] == 0xc0)//有偏移;{flag += 1;int off = packet_content[flag];domainname(off, cnt, j, packet_content, ansname);if (p = 1)break;}else{for (int i = 1; i <= num; i++){ansname[j] = packet_content[flag + i];j++;if (i == num&&packet_content[flag + num + 1] != 0){ansname[j] = '.';j++;}}flag += num + 1;cnt++;num = packet_content[flag];}}if (num == 0)p = 1;}void sixtoten(int &flag,int &num,const u_char* packet_content){int m = 16777216;//(m=16^6)for (int i = 0; i < 4; i++){//printf("%02x %d\n", packet_content[flag + i], packet_content[flag + i]);int number = packet_content[flag + i];num += number*m;m /= 256;}flag += 4;}void dns_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content){struct dnshdr *dns_protocol;dns_protocol = (struct dnshdr *) packet_content;printf("---------DNS---------\n");if (ntohs(dns_protocol->flag) == 0x0100)printf("请求报文\n");elseprintf("应答报文\n");printf("DNS ID:%04x\n", ntohs(dns_protocol->tra_id));printf("操作代码:%04x\n", ntohs(dns_protocol->flag));printf("问题计数:%d\n", ntohs(dns_protocol->qes));printf("回答RR数:%d\n", ntohs(dns_protocol->ansrrs));printf("权威RR数:%d\n", ntohs(dns_protocol->au_rrs));printf("附加RR数:%d\n", ntohs(dns_protocol->add_rrs));struct queries *dns_que;const u_char* dns_packet_content;char name[200];memset(name, 0, sizeof(name));int quenum = ntohs(dns_protocol->qes);int flag = 12;/*---------Queries:------*/while (quenum--){int cnt = 0, j = 0;printf("---------Queries:------\n");domainname(flag, cnt, j, packet_content,name);printf("域名(Name):%s\n", name);printf("域名长度(Name Length):%d\n", j);printf("标签长度(Label Count):%d\n", cnt);dns_packet_content = packet_content + 12 + 2 + j;dns_que = (struct queries *) dns_packet_content;printf("type:%04x\n", ntohs(dns_que->type));printf("Class:%04x\n", ntohs(dns_que->clas));flag += 4 + 1;}/*---------Answers:------*/int ansnum = ntohs(dns_protocol->ansrrs);if (ansnum > 0){printf("---------Answers:------\n");int off1;while (ansnum--){struct answers *dns_ans;const u_char* dns_ans_packet_content;dns_ans_packet_content = packet_content + flag;dns_ans = (struct answers *) dns_ans_packet_content;char ansname[200];memset(ansname, 0, sizeof(ansname));int cnt = 0;int j = 0;flag += 1;off1 = packet_content[flag];/*printf("off1:%02x\n", off1);*/domainname(off1, cnt, j, packet_content,ansname);/*printf("flag:%d\n", flag);*/printf("域名(Ansname):%s\n", ansname);printf("类型(Type):%04x\n", ntohs(dns_ans->type));printf("类(Class):%04x\n", ntohs(dns_ans->clas));printf("生存时间(Time to live):%08x\n", ntohs(dns_ans->time));flag += 10;printf("数据长度(Data length):%d\n",packet_content[flag]);if (packet_content[ flag] == 4)//Address{struct ip_address *dns_add;const u_char* dns_add_packet_content;flag += 1;dns_add_packet_content = packet_content + flag;dns_add = (struct ip_address *) dns_add_packet_content;printf("地址(Adress):%d.%d.%d.%d\n", dns_add->byte1, dns_add->byte2, dns_add->byte3, dns_add->byte4);flag += 4;printf("--------------------\n");}else//域名{char cname[200];memset(cname, 0, sizeof(cname));flag+=1;printf("flag and packet:%d %02x\n", flag, packet_content[flag]);int j = cnt = 0;domainname(flag, cnt, j, packet_content,cname);printf("域名(Cname):%s\n", cname);flag += 1;/*printf("flag::::%d\n", flag);*/printf("--------------------\n");}}}/*---------Authoritative nameservers:------*/int authonum = ntohs(dns_protocol->au_rrs);if (authonum > 0){printf("---------Authoritative nameservers:------\n");int off1;while (authonum--){struct authority *dns_aut;const u_char* dns_aut_packet_content;dns_aut_packet_content = packet_content + flag;dns_aut = (struct authority *) dns_aut_packet_content;char autname[200];memset(autname, 0, sizeof(autname));int cnt = 0;int j = 0;flag += 1;off1 = packet_content[flag];/*printf("off1:%02x\n", off1);*/if (off1 == 0){autname[0] = '<';autname[1] = 'R';autname[2] = 'o';autname[3] = 'o';autname[4] = 't';autname[5] = '>';flag += 1;}elsedomainname(off1, cnt, j, packet_content, autname);/*printf("flag:%d\n", flag);*/printf("域名(Ansname):%s\n", autname);printf("类型(Type):%04x\n", ntohs(dns_aut->type));printf("类(Class):%04x\n", ntohs(dns_aut->clas));printf("生存时间(Time to live):%08x\n", ntohs(dns_aut->time));flag += 10;/*printf("flag:%d\n", flag);*/printf("数据长度(Data length):%d\n", packet_content[flag]);if (packet_content[flag] == 4)//Address{struct ip_address *dns_add;const u_char* dns_add_packet_content;flag += 1;dns_add_packet_content = packet_content + flag;dns_add = (struct ip_address *) dns_add_packet_content;printf("地址(Adress):%d.%d.%d.%d\n", dns_add->byte1, dns_add->byte2, dns_add->byte3, dns_add->byte4);flag += 4;//printf("--------------------\n");}else//域名{char cname[200];memset(cname, 0, sizeof(cname));flag += 1;/*printf("flag and packet:%d %02x\n", flag, packet_content[flag]);*/int j = cnt = 0;domainname(flag, cnt, j, packet_content, cname);printf("Primary name server:%s\n", cname);flag += 1;/*printf("flag:%d\n", flag);*///printf("--------------------\n");}char mail[200];memset(mail, 0, sizeof(mail));printf("flag and packet:%d %02x\n", flag, packet_content[flag]);j = cnt = 0;domainname(flag, cnt, j, packet_content, mail);printf("Responsible authority's mailbox:%s\n", mail);flag += 1;printf("flag:%d\n", flag);int serialnum = 0;sixtoten(flag, serialnum, packet_content);printf("Seral Number:%d\n", serialnum);int refreshint = 0;sixtoten(flag, refreshint, packet_content);printf("Refresh Interval:%d\n", refreshint);int retyinterval = 0;sixtoten(flag, retyinterval, packet_content);printf("Retry Interval:%d\n", retyinterval);int expirelimit = 0;sixtoten(flag, expirelimit, packet_content);printf("Expire limit:%d\n", expirelimit);int mimimunttl = 0;sixtoten(flag, mimimunttl, packet_content);printf("Mininum TTL:%d\n", mimimunttl);}}/*---------Additional records------*/int addnum = ntohs(dns_protocol->add_rrs);if (addnum > 0){printf("---------Additional records:------\n");int off1;while (addnum--){struct authority *dns_add;const u_char* dns_add_packet_content;/*printf("flag:%d\n", flag);*/dns_add_packet_content = packet_content + flag;dns_add = (struct authority *) dns_add_packet_content;char autname[200];memset(autname, 0, sizeof(autname));int cnt = 0;int j = 0;flag += 1;off1 = packet_content[flag];/*printf("off1:%02x\n", off1);*/domainname(off1, cnt, j, packet_content, autname);/*printf("flag:%d\n", flag);*/printf("域名(Ansname):%s\n", autname);printf("类型(Type):%04x\n", ntohs(dns_add->type));printf("类(Class):%04x\n", ntohs(dns_add->clas));printf("生存时间(Time to live):%08x\n", ntohs(dns_add->time));flag += 10;printf("数据长度(Data length):%d\n", packet_content[flag]);if (packet_content[flag] == 4)//Address{struct ip_address *dns_add;const u_char* dns_add_packet_content;flag += 1;dns_add_packet_content = packet_content + flag;dns_add = (struct ip_address *) dns_add_packet_content;printf("地址(Adress):%d.%d.%d.%d\n", dns_add->byte1, dns_add->byte2, dns_add->byte3, dns_add->byte4);flag += 4;printf("--------------------\n");}else//域名{char cname[200];memset(cname, 0, sizeof(cname));flag += 1;/*printf("flag and packet:%d %02x\n", flag, packet_content[flag]);*/int j = cnt = 0;domainname(flag, cnt, j, packet_content, cname);printf("域名(Cname):%s\n", cname);flag += 1;/*printf("flag::::%d\n", flag);*/printf("--------------------\n");}}}}//UDP协议分析void udp_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content){struct udphdr *udp_protocol;u_int header_length = 0;u_int16_t checksum;udp_protocol = (struct udphdr *) packet_content;checksum = ntohs(udp_protocol->check);u_int16_t source_port; /*源地址端口*/u_int16_t dest_port; /*目的地址端口*/u_int16_t len; /*UDP长度*/u_int16_t check; /*UDP校验和*/printf("---------UDP协议---------\n");printf("源端口:%d\n", ntohs(udp_protocol->source_port));printf("目的端口:%d\n", ntohs(udp_protocol->dest_port));printf("UDP数据包长度:%d\n", ntohs(udp_protocol->len));printf("UDP校验和:%d\n", checksum);if (ntohs(udp_protocol->source_port) == 53 || ntohs(udp_protocol->dest_port) == 53){//printf("dns data:\n%s\n", packet_content + sizeof(udphdr));dns_protool_packet_callback(argument, packet_header, packet_content + sizeof(udphdr));}}//TCP协议分析void tcp_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content){struct tcphdr *tcp_protocol;u_int header_length = 0;u_int offset;u_char tos;u_int16_t checksum;tcp_protocol = (struct tcphdr *) packet_content;checksum = ntohs(tcp_protocol->check);printf("---------TCP协议---------\n");printf("源端口:%d\n", ntohs(tcp_protocol->source_port));printf("目的端口:%d\n", ntohs(tcp_protocol->dest_port));printf("SEQ:%d\n", ntohl(tcp_protocol->seq));printf("ACK SEQ:%d\n", ntohl(tcp_protocol->ack_seq));printf("TCP校验和:%d\n", checksum);if (ntohs(tcp_protocol->source_port) == 80 || ntohs(tcp_protocol->dest_port) == 80)//http协议printf("http data:\n%s\n", packet_content + sizeof(tcphdr));}//IP协议分析void ip_protool_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content){struct ip_header *ip_protocol;u_int offset;u_char tos;u_int16_t checksum;ip_protocol = (struct ip_header *)packet_content;checksum = ntohs(ip_protocol->ip_checksum);tos = ip_protocol->ip_tos;offset = ntohs(ip_protocol->ip_off);printf("---------IP协议---------\n");printf("版本号:%d\n", ip_protocol->ip_version);printf("首部长度:%d %d\n", ip_protocol->ip_header_length, sizeof(ip_header));printf("服务质量:%d\n", tos);printf("总长度:%d\n", ntohs(ip_protocol->ip_length));printf("标识:%d\n", ntohs(ip_protocol->ip_id));printf("偏移:%d\n", (offset & 0x1fff) * 8);printf("生存时间:%d\n", ip_protocol->ip_ttl);printf("协议类型:%d\n", ip_protocol->ip_protocol);printf("检验和:%d\n", checksum);printf("源IP地址:%d.%d.%d.%d\n", ip_protocol->saddr.byte1, ip_protocol->saddr.byte2, ip_protocol->saddr.byte3, ip_protocol->saddr.byte4);printf("目的地址:%d.%d.%d.%d\n", ip_protocol->daddr.byte1, ip_protocol->daddr.byte2, ip_protocol->daddr.byte3, ip_protocol->daddr.byte4);switch (ip_protocol->ip_protocol){case 1: printf("上层协议是ICMP协议\n"); break;case 2: printf("上层协议是IGMP协议\n"); break;case 6:{printf("上层协议是TCP协议\n");tcp_protool_packet_callback(argument, packet_header, packet_content + sizeof(ip_header));}break;case 17:{printf("上层协议是UDP协议\n");udp_protool_packet_callback(argument, packet_header, packet_content + sizeof(ip_header));}break;default:break;}}//以太网协议分析void ethernet_protocol_packet_callback(u_char *argument, const struct pcap_pkthdr* packet_header, const u_char* packet_content){u_short ethernet_type;struct ether_header *ethernet_protocol;u_char *mac_string;static int packet_number = 1;printf("----------------------------------------------\n");printf("捕获第%d个网络数据包\n", packet_number);printf("该数据包的具体内容:\n");for (int i = 1; i <= packet_header->len; i++){printf("%02x(%d) ", packet_content[i - 1],i-1-42);if (i % 8 == 0)printf(" ");if (i % 16 == 0)printf("\n");}printf("\n");printf("数据包长度:%d\n", packet_header->len);printf("---------以太网协议---------\n");ethernet_protocol = (struct ether_header*)packet_content;//获得数据包内容ethernet_type = ntohs(ethernet_protocol->ether_type);//获得以太网类型printf("以太网类型:%04x\n", ethernet_type);mac_string = ethernet_protocol->ether_shost;printf("MAC帧源地址:%02x:%02x:%02x:%02x:%02x:%02x\n", *mac_string, *(mac_string + 1), *(mac_string + 2), *(mac_string + 3), *(mac_string + 4), *(mac_string + 5));mac_string = ethernet_protocol->ether_dhost;printf("MAC帧目的地址:%02x:%02x:%02x:%02x:%02x:%02x\n", *mac_string, *(mac_string + 1), *(mac_string + 2), *(mac_string + 3), *(mac_string + 4), *(mac_string + 5));switch (ethernet_type){case 0x0800:{printf("上层协议是IPv4协议\n");ip_protool_packet_callback(argument, packet_header, packet_content + sizeof(ether_header));}break;case 0x0806:printf("上层协议是ARP协议\n");break;case 0x8035:printf("上层协议是RARP协议\n");break;case 0x814C:printf("上层协议是简单网络管理协议SNMP\n");break;case 0x8137:printf("上层协议是因特网包交换(IPX:Internet Packet Exchange)\n");break;case 0x86DD:printf("上层协议是IPv6协议\n");break;case 0x880B:printf("上层协议是点对点协议(PPP:Point-to-Point Protocol)\n");break;default:break;}printf("----------------------------------------------\n");packet_number++;}int main(){pcap_if_t * allAdapters; //适配器列表pcap_if_t * adapter; //跑适配器列表pcap_t * adapterHandle; //适配器句柄//char error_content[PCAP_ERRBUF_SIZE]; //存储错误信息bpf_u_int32 net_mask = 0; //掩码地址bpf_u_int32 net_ip = 0; //网络地址char *net_interface; //网络接口struct bpf_program bpf_filter; //BPF过滤规则char bpf_filter_string[] = "port 53"; //过滤规则字符串,只分析IPv4的数据包char errorBuffer[PCAP_ERRBUF_SIZE]; //错误信息缓冲区if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &allAdapters, errorBuffer) == -1) //检索机器连接的所有网络适配器{fprintf(stderr, "Error in pcap_findalldevs_ex function: %s\n", errorBuffer);return -1;}if (allAdapters == NULL) //不存在任何适配器{printf("\nNo adapters found! Make sure WinPcap is installed.\n");return 0;}int crtAdapter = 0;for (adapter = allAdapters; adapter != NULL; adapter = adapter->next){ //遍历输入适配器信息(名称和描述信息)printf("\n%d.%s ", ++crtAdapter, adapter->name);printf("-- %s\n", adapter->description);}printf("\n");int adapterNumber;printf("Enter the adapter number between 1 and %d:", crtAdapter);//选择要捕获数据包的适配器scanf_s("%d", &adapterNumber);if (adapterNumber < 1 || adapterNumber > crtAdapter){printf("\nAdapter number out of range.\n");pcap_freealldevs(allAdapters);// 释放适配器列表return -1;}adapter = allAdapters;for (crtAdapter = 0; crtAdapter < adapterNumber - 1; crtAdapter++)adapter = adapter->next;adapterHandle = pcap_open(adapter->name, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer);// 打开指定适配器if (adapterHandle == NULL)//指定适配器打开失败{fprintf(stderr, "\nUnable to open the adapter\n", adapter->name);pcap_freealldevs(allAdapters);// 释放适配器列表return -1;}char errbuf[2048];pcap_createsrcstr(NULL, 0, NULL, "80", NULL, errbuf);printf("\nCapture session started on adapter %s\n", adapter->name);pcap_freealldevs(allAdapters);//释放适配器列表pcap_compile(adapterHandle, &bpf_filter, bpf_filter_string, 0, net_ip); //编译过滤规则pcap_setfilter(adapterHandle, &bpf_filter);//设置过滤规则if (pcap_datalink(adapterHandle) != DLT_EN10MB) //DLT_EN10MB表示以太网return 0;pcap_loop(adapterHandle, 100, ethernet_protocol_packet_callback, NULL); //捕获65536个数据包进行分析pcap_close(adapterHandle);return 0;}