[关闭]
@xunuo 2017-08-05T15:02:32.000000Z 字数 15539 阅读 1296

TCP重组分析

网络数据包分析

1.解析一个pcap文件(标准)

1.1大体思路:

    用一个两个链表:tcpsessionhead和tcpnodehead;
第一个链表用来确定唯一的一次tcp会话,则需要六元组(源mac,目的mac,源ip,目的ip,源端口,目的端口)(其实实际上可以不用源mac和目的mac),以及一个指向下一个节点的指针next和指向对应会话具体内容的指针tcpnodehead;
    第二个链表存该会话的具体内容L:syn,seq,fin,len,以及该数据包传输的数据data[];
    只是单纯的把该数据包内的东西解析出来了而已;
    当检测到的数据包的syn==1&&是第一次出现syn=1时,就新建一个链表来存该tcp会话,如果检测到数据包的syn==0&&fin==0&&数据包除以太网头,ip头,tcp头外,数据长度不为0,则说明有数据传输,则将这个数据包加入tcpnode链表;如果fin==1,则说明数据传输结束,可以打印出数据。

1.2具体函数实现:

首先创建tcpsession链表函数create():
    将该数据包的六元祖存好,然后记住:一定要将next和tcpnodehead置空。不然会出问题,后面如果要用到他们的时候会无法读取内存。
插入函数insert():
    在插入之前要先查一遍它所在的tcp会话(其实文件里只有一个,貌似没必要。。);然后分一下几种情况:如果这个数据包是第一个插入的,那么直接进去就行了,如果不是,就要看它的seq的大小和tcpnode链表里面已经存在的节点的seq比较,然后插入合适的位置。

1.3完整代码:

  1. #include "pcap.h"
  2. const int MAXETHERLEN = 1500;
  4. struct ether_header
  5. {
  6.     u_int8_t ether_dhost[6];//目的mac;
  7.     u_int8_t ether_shost[6];//源mac;
  8.     u_int16_t ether_type;
  9. };
  10. /*ip地址*/
  11. typedef struct ip_address
  12. {
  13.     u_char byte1;
  14.     u_char byte2;
  15.     u_char byte3;
  16.     u_char byte4;
  17. } ip_address;
  18. /*IPv4协议头*/
  19. struct ip_header
  20. {
  21. #if defined(WORDS_BIENDIAN)
  22.     u_int8_t    ip_version : 4, ip_header_length : 4;
  23. #else
  24.     u_int8_t    ip_header_length : 4, ip_version : 4;
  25. #endif
  26.     u_int8_t    ip_tos;
  27.     u_int16_t   ip_length;
  28.     u_int16_t   ip_id;
  29.     u_int16_t   ip_off;
  30.     u_int8_t    ip_ttl;
  31.     u_int8_t    ip_protocol;
  32.     u_int16_t   ip_checksum;
  33.     ip_address  saddr;                /*源地址(Source address)*/
  34.     ip_address  daddr;                /*目的地址(Destination address)*/
  35. };
  36. //TCP协议头
  37. #define __LITTLE_ENDIAN_BITFIELD
  38. struct tcphdr
  39. {
  40.     u_int16_t   source_port;           /*源地址端口*/
  41.     u_int16_t   dest_port;             /*目的地址端口*/
  42.     u_int32_t   seq;                   /*序列号*/
  43.     u_int32_t   ack_seq;               /*确认序列号*/
  44.     u_int8_t    res1 : 3,              /*偏移*/
  45.                 doff : 1,              /*保留*/
  46.                 tcp_header_length : 4;
  47.     u_int8_t    fin : 1,               /*关闭连接标志*/
  48.                 syn : 1,               /*请求连接标志*/
  49.                 rst : 1,               /*重置连接标志*/
  50.                 psh : 1,               /*接收方尽快将数据放到应用层标志*/
  51.                 ack : 1,               /*确认序号标志*/
  52.                 urg : 1,               /*紧急指针标志*/
  53.                 ece : 1,               /*拥塞标志位*/
  54.                 cwr : 1;               /*拥塞标志位*/
  55.     u_int16_t   flag;
  56.     u_int16_t   window;                /*滑动窗口大小*/
  57.     u_int16_t   check;                 /*校验和*/
  58.     u_int16_t   urg_ptr;               /*紧急字段指针*/
  59. };
  60. /*两个链表*/
  61. /*list.1==tcplist*/
  62. typedef struct tcpnode
  63. {
  64.     int syn;
  65.     int fin;
  66.     unsigned long seq;
  67.     int len;
  68.     tcpnode *prev;
  69.     tcpnode *next;
  70.     unsigned char data[MAXETHERLEN];
  71. }node;
  72. /*list.2=tcpsession*/
  73. typedef struct tcpsession
  74. {
  75.     ip_address  saddr;
  76.     ip_address  daddr;
  77.     unsigned short sport;
  78.     unsigned short dport;
  79.     tcpsession* next;
  80.     tcpnode *tcplisthead;
  81. }tcpss;
  83. void createtcpsession(tcpss *tcpsessionhead);
  84. bool isempty(tcpss* tcpsessionhead);
  85. bool search(tcpss *head);
  86. int insert(tcpss* tcpsessionheadconst, u_int32_t &cnt, int &flag1);
  87. void print(FILE* file, tcpss* tcpsessionhead);
  89. struct pcap_pkthdr *header;
  90. const u_char *packet_content;
  91. struct ether_header *ethernet_protocol;
  92. struct ip_header *ip_protocol;
  93. struct tcphdr *tcp_protocol;
  95. int flag = 0;
  96. u_int32_t fin_seq = 0;
  97. u_int32_t syn_seq = 0;
  98. u_int32_t cnt = 0;
  99. int flag1;
  100. int len;
  102. int main(int argc, char* argv[])
  103. {
  104.     if (argc <= 1)
  105.     {
  106.         printf("argc<=1,break!\n");
  107.         return -1;
  108.     }
  109.     pcap_t *adapterHandle;//适配器句柄;
  110.     char errorBuffer[PCAP_ERRBUF_SIZE];//错误缓冲区;
  111.     char source[PCAP_BUF_SIZE];
  112.     if (pcap_createsrcstr(source, PCAP_SRC_FILE, NULL, NULL, argv[1], errorBuffer) != 0)
  113.     {
  114.         printf("数据源创建失败!\n");
  115.         return -1;
  116.     }
  117.     if ((adapterHandle = pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer)) == NULL)
  118.     {
  119.         printf("文件打开失败!\n");
  120.         return -1;
  121.     }
  123.     tcpsession* tcpsessionhead = (tcpsession*)malloc(sizeof(tcpsession));
  124.     tcpsessionhead->next = nullptr;
  125.     tcpsessionhead->tcplisthead = nullptr;
  127.     FILE* file;
  128.     if (fopen_s(&file, argv[2], "w+") != 0)
  129.     {
  130.         printf("打开文件失败!\n");
  131.     }
  132.     int pkt_number = 1;
  133.     int res;
  134.     while ((res = pcap_next_ex(adapterHandle, &header, &packet_content)) >= 0)
  135.     {
  136.         if (res == 0)/* 超时时间到 */
  137.             continue;
  138.         printf("这是第%d个数据包!\n", pkt_number++);
  139.         /*for (int i = 1; i <= header->len; i++)
  140.         {
  141.             printf("%02x ", packet_content[i - 1]);
  142.             if (i % 8 == 0)
  143.                 printf(" ");
  144.             if (i % 16 == 0)
  145.                 printf("\n");
  146.         }
  147.         printf("\n");*/
  148.         ethernet_protocol = (struct ether_header*)packet_content;
  149.         ip_protocol = (struct ip_header *)(packet_content + sizeof(ether_header));
  150.         tcp_protocol = (struct tcphdr *) (packet_content + sizeof(ether_header) + sizeof(ip_header));
  152.         int ip_len = ntohs(ip_protocol->ip_length);
  153.         printf("%d.%d.%d.%d\n", ip_protocol->saddr.byte1, ip_protocol->saddr.byte2, ip_protocol->saddr.byte3, ip_protocol->saddr.byte4);
  154.         printf("%d.%d.%d.%d\n", ip_protocol->daddr.byte1, ip_protocol->daddr.byte2, ip_protocol->daddr.byte3, ip_protocol->daddr.byte4);
  156.         len = ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4;
  157.         printf("长度:%d %d\n", ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4, sizeof(ip_header) + tcp_protocol->tcp_header_length * 4);
  158.         printf("%02x %02x\n", ntohs(tcp_protocol->source_port), ntohs(tcp_protocol->dest_port));
  159.         printf("%u %u\n", ntohl(tcp_protocol->seq), ntohl(tcp_protocol->ack_seq));
  160.         printf("syn and fin:%d %d\n", tcp_protocol->syn, tcp_protocol->fin);
  161.         if (tcp_protocol->syn == 1 && flag == 0)
  162.         {
  163.             createtcpsession(tcpsessionhead);
  164.             flag = 1;
  165.             syn_seq = ntohl(tcp_protocol->seq);
  166.         }
  167.         else if (tcp_protocol->syn == 0 && tcp_protocol->fin == 0 && len>0)
  168.         {
  169.             cnt = insert(tcpsessionhead, cnt, flag1);
  170.         }
  171.         else if (tcp_protocol->fin == 1)
  172.         {
  173.             flag = 0;
  174.             print(file, tcpsessionhead);
  175.             fclose(file);
  176.             break;
  177.         }
  178.         printf("\n");
  179.     }
  180.     if (res == -1)
  181.     {
  182.         printf("Error reading the packets: %s\n", pcap_geterr(adapterHandle));
  183.         return -1;
  184.     }
  185.     return 0;
  186. }
  188. void createtcpsession(tcpss *tcpsessionhead)
  189. {
  190.     tcpss *root = tcpsessionhead;
  191.     while (!isempty(root))
  192.     {
  193.         root = root->next;
  194.     }
  195.     root->saddr.byte1 = ip_protocol->saddr.byte1;
  196.     root->saddr.byte2 = ip_protocol->saddr.byte2;
  197.     root->saddr.byte3 = ip_protocol->saddr.byte3;
  198.     root->saddr.byte4 = ip_protocol->saddr.byte4;
  200.     root->daddr.byte1 = ip_protocol->daddr.byte1;
  201.     root->daddr.byte2 = ip_protocol->daddr.byte2;
  202.     root->daddr.byte3 = ip_protocol->daddr.byte3;
  203.     root->daddr.byte4 = ip_protocol->daddr.byte4;
  205.     root->sport = tcp_protocol->source_port;
  206.     root->dport = tcp_protocol->dest_port;
  207.     root->next = (tcpss*)malloc(sizeof(tcpss));
  208.     root->next->next = NULL;
  209.     root->next->tcplisthead = NULL;
  210. }
  212. bool isempty(tcpss* tcpsessionhead)
  213. {
  214.     if (tcpsessionhead->next == NULL)
  215.         return true;
  216.     else
  217.         return false;
  218. }
  220. bool search(tcpss *head)
  221. {
  222.     if ((head->saddr.byte1 == ip_protocol->saddr.byte1&&head->saddr.byte2 == ip_protocol->saddr.byte2&&head->saddr.byte3 == ip_protocol->saddr.byte3&&head->saddr.byte4 == ip_protocol->saddr.byte4
  223.         &&head->daddr.byte1 == ip_protocol->daddr.byte1&&head->daddr.byte2 == ip_protocol->daddr.byte2&&head->daddr.byte3 == ip_protocol->daddr.byte3&&head->daddr.byte4 == ip_protocol->daddr.byte4
  224.         &&head->sport == tcp_protocol->source_port&&head->dport == tcp_protocol->dest_port)
  225.         || (head->saddr.byte1 == ip_protocol->daddr.byte1&&head->saddr.byte2 == ip_protocol->daddr.byte2&&head->saddr.byte3 == ip_protocol->daddr.byte3&&head->saddr.byte4 == ip_protocol->daddr.byte4
  226.             &&head->daddr.byte1 == ip_protocol->saddr.byte1&&head->daddr.byte2 == ip_protocol->saddr.byte2&&head->daddr.byte3 == ip_protocol->saddr.byte3&&head->daddr.byte4 == ip_protocol->saddr.byte4
  227.             &&head->sport == tcp_protocol->dest_port&&head->dport == tcp_protocol->source_port)
  228.         )
  229.         return true;
  230.     else
  231.         return false;
  232. }
  233. int insert(tcpss* tcpsessionhead, u_int32_t &cnt, int &flag1)
  234. {
  235.     tcpss* tcpsshead = tcpsessionhead;
  236.     while (!search(tcpsshead))
  237.     {
  238.         tcpsshead = tcpsshead->next;
  239.     }
  240.     if (tcpsshead->tcplisthead == NULL)
  241.     {
  242.         cnt += len;
  243.         tcpnode* tcpnodehead = (tcpnode*)malloc(sizeof(tcpnode));
  244.         tcpsshead->tcplisthead = tcpnodehead;
  245.         tcpnodehead->prev = tcpsshead->tcplisthead;
  246.         tcpnodehead->syn = tcp_protocol->syn;
  247.         tcpnodehead->fin = tcp_protocol->fin;
  248.         tcpnodehead->seq = ntohl(tcp_protocol->seq);
  249.         tcpnodehead->len = len;
  250.         tcpnodehead->next = NULL;
  251.         for (int i = 0; i < tcpnodehead->len; i++)
  252.             tcpnodehead->data[i] = packet_content[i + sizeof(ether_header)+sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  253.     }
  254.     else
  255.     {
  256.         tcpnode* tcpnodehead = tcpsshead->tcplisthead;
  257.         tcpnode* tcpnewnode = (tcpnode*)malloc(sizeof(tcpnode));
  258.         tcpnewnode->syn = tcp_protocol->syn;
  259.         tcpnewnode->fin = tcp_protocol->fin;
  260.         tcpnewnode->seq = ntohl(tcp_protocol->seq);
  261.         tcpnewnode->len = len;
  262.         tcpnewnode->next = NULL;
  263.         for (int i = 0; i < tcpnewnode->len; i++)
  264.         {
  265.             tcpnewnode->data[i] = packet_content[i + sizeof(ether_header) + sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  266.         }
  267.         if (tcp_protocol->fin == 1)
  268.             flag1 = 1;
  269.         if (tcpnodehead->seq > tcpnewnode->seq)
  270.         {
  271.             cnt += len;
  272.             tcpsshead->tcplisthead = tcpnewnode;
  273.             tcpnewnode->prev = tcpsshead->tcplisthead;
  274.             tcpnewnode->next = tcpnodehead;
  275.             tcpnodehead->prev = tcpnewnode;
  276.         }
  277.         else
  278.         {
  279.             cnt += len;
  280.             while (tcpnodehead->seq < tcpnewnode->seq)
  281.             {
  282.                 if (&tcpnodehead->next == NULL||tcpnodehead->next->seq > tcpnewnode->seq)
  283.                 {
  284.                     tcpnewnode->prev = tcpnodehead;
  285.                     tcpnewnode->next = tcpnodehead->next;
  286.                     tcpnodehead->next = tcpnewnode;
  287.                     tcpnodehead->next->prev = tcpnewnode;
  288.                     break;
  289.                 }
  290.                 else
  291.                     tcpnodehead = tcpnodehead->next;
  292.             }
  293.         }
  294.     }
  295.     return cnt;
  296. }
  297. void print(FILE* file, tcpss* tcpsessionhead)
  298. {
  299.     tcpss* tcpsshead = tcpsessionhead;
  300.     while (!search(tcpsshead))
  301.     {
  302.         tcpsshead = tcpsshead->next;
  303.     }
  304.     tcpnode* tcpnodehead=tcpsshead->tcplisthead;
  305.     while (tcpnodehead->next != NULL)
  306.     {
  307.         for (int i = 1; i < tcpnodehead->len; i++)
  308.         {
  309.             printf("%c", tcpnodehead->data[i - 1]);
  310.             fprintf(file, "%c", tcpnodehead->data[i - 1]);
  311.         }
  312.         //if (tcpnodehead->next == NULL)
  313.             //break;
  314.         //else
  315.             tcpnodehead = tcpnodehead->next;
  317.     }
  318. }
  1. #include "pcap.h"
  2. const int MAXETHERLEN = 1500;
  4. struct ether_header
  5. {
  6.     u_int8_t ether_dhost[6];//目的mac;
  7.     u_int8_t ether_shost[6];//源mac;
  8.     u_int16_t ether_type;
  9. };
  10. /*ip地址*/
  11. typedef struct ip_address
  12. {
  13.     u_char byte1;
  14.     u_char byte2;
  15.     u_char byte3;
  16.     u_char byte4;
  17. } ip_address;
  18. /*IPv4协议头*/
  19. struct ip_header
  20. {
  21. #if defined(WORDS_BIENDIAN)
  22.     u_int8_t    ip_version : 4, ip_header_length : 4;
  23. #else
  24.     u_int8_t    ip_header_length : 4, ip_version : 4;
  25. #endif
  26.     u_int8_t    ip_tos;
  27.     u_int16_t   ip_length;
  28.     u_int16_t   ip_id;
  29.     u_int16_t   ip_off;
  30.     u_int8_t    ip_ttl;
  31.     u_int8_t    ip_protocol;
  32.     u_int16_t   ip_checksum;
  33.     ip_address  saddr;                /*源地址(Source address)*/
  34.     ip_address  daddr;                /*目的地址(Destination address)*/
  35. };
  36. //TCP协议头
  37. #define __LITTLE_ENDIAN_BITFIELD
  38. struct tcphdr
  39. {
  40.     u_int16_t   source_port;           /*源地址端口*/
  41.     u_int16_t   dest_port;             /*目的地址端口*/
  42.     u_int32_t   seq;                   /*序列号*/
  43.     u_int32_t   ack_seq;               /*确认序列号*/
  44.     u_int8_t    res1 : 3,              /*偏移*/
  45.                 doff : 1,              /*保留*/
  46.                 tcp_header_length : 4;
  47.     u_int8_t    fin : 1,               /*关闭连接标志*/
  48.                 syn : 1,               /*请求连接标志*/
  49.                 rst : 1,               /*重置连接标志*/
  50.                 psh : 1,               /*接收方尽快将数据放到应用层标志*/
  51.                 ack : 1,               /*确认序号标志*/
  52.                 urg : 1,               /*紧急指针标志*/
  53.                 ece : 1,               /*拥塞标志位*/
  54.                 cwr : 1;               /*拥塞标志位*/
  55.     u_int16_t   flag;
  56.     u_int16_t   window;                /*滑动窗口大小*/
  57.     u_int16_t   check;                 /*校验和*/
  58.     u_int16_t   urg_ptr;               /*紧急字段指针*/
  59. };
  60. /*两个链表*/
  61. /*list.1==tcplist*/
  62. typedef struct tcpnode
  63. {
  64.     int syn;
  65.     int fin;
  66.     unsigned long seq;
  67.     int len;
  68.     tcpnode *prev;
  69.     tcpnode *next;
  70.     unsigned char data[MAXETHERLEN];
  71. }node;
  72. /*list.2=tcpsession*/
  73. typedef struct tcpsession
  74. {
  75.     ip_address  saddr;
  76.     ip_address  daddr;
  77.     unsigned short sport;
  78.     unsigned short dport;
  79.     tcpsession* next;
  80.     tcpnode *tcplisthead;
  81. }tcpss;
  83. tcpsession* createtcpsession(tcpss *tcpsessionhead);
  84. bool isempty(tcpss* tcpsessionhead);
  85. bool search(tcpss *head);
  86. int insert(tcpss* tcpsessionheadconst, u_int32_t &cnt, int &flag1);
  87. void print(FILE* file, tcpss* tcpsessionhead);
  89. struct pcap_pkthdr *header;
  90. const u_char *packet_content;
  91. struct ether_header *ethernet_protocol;
  92. struct ip_header *ip_protocol;
  93. struct tcphdr *tcp_protocol;
  94. tcpsession* tcpsessionhead = (tcpsession*)malloc(sizeof(tcpsession));
  95. tcpsession* tcpsshead = tcpsessionhead;
  97. int flag = 0;
  98. u_int32_t fin_seq = 0;
  99. u_int32_t syn_seq = 0;
  100. u_int32_t cnt = 0;
  101. int flag1;
  102. int len;
  105. int main(int argc, char* argv[])
  106. {
  107.     if (argc <= 1)
  108.     {
  109.         printf("argc<=1,break!\n");
  110.         return -1;
  111.     }
  112.     pcap_t *adapterHandle;//适配器句柄;
  113.     char errorBuffer[PCAP_ERRBUF_SIZE];//错误缓冲区;
  114.     char source[PCAP_BUF_SIZE];
  115.     if (pcap_createsrcstr(source, PCAP_SRC_FILE, NULL, NULL, argv[1], errorBuffer) != 0)
  116.     {
  117.         printf("数据源创建失败!\n");
  118.         return -1;
  119.     }
  120.     if ((adapterHandle = pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer)) == NULL)
  121.     {
  122.         printf("文件打开失败!\n");
  123.         return -1;
  124.     }
  126.     tcpsessionhead->next = NULL;;
  127.     tcpsshead->next = NULL;
  128.     tcpsessionhead->tcplisthead = NULL;
  129.     tcpsshead->tcplisthead = NULL;
  131.     FILE* file1,*file2;
  132.     if (fopen_s(&file1, argv[2], "w+") != 0)
  133.     {
  134.         printf("打开文件失败!\n");
  135.     }
  136.     if (fopen_s(&file2, argv[3], "w+") != 0)
  137.     {
  138.         printf("打开文件失败!\n");
  139.     }
  140.     int pkt_number = 1;
  141.     int res;
  142.     int flag3 = 0;
  144.     while ((res = pcap_next_ex(adapterHandle, &header, &packet_content)) >= 0)
  145.     {
  146.         if (res == 0)/* 超时时间到 */
  147.             continue;
  148.         printf("这是第%d个数据包!\n", pkt_number++);
  149.         /*for (int i = 1; i <= header->len; i++)
  150.         {
  151.             printf("%02x ", packet_content[i - 1]);
  152.             if (i % 8 == 0)
  153.                 printf(" ");
  154.             if (i % 16 == 0)
  155.                 printf("\n");
  156.         }
  157.         printf("\n");*/
  158.         ethernet_protocol = (struct ether_header*)packet_content;
  159.         ip_protocol = (struct ip_header *)(packet_content + sizeof(ether_header));
  160.         tcp_protocol = (struct tcphdr *) (packet_content + sizeof(ether_header) + sizeof(ip_header));
  162.         int ip_len = ntohs(ip_protocol->ip_length);
  163.         printf("%d.%d.%d.%d\n", ip_protocol->saddr.byte1, ip_protocol->saddr.byte2, ip_protocol->saddr.byte3, ip_protocol->saddr.byte4);
  164.         printf("%d.%d.%d.%d\n", ip_protocol->daddr.byte1, ip_protocol->daddr.byte2, ip_protocol->daddr.byte3, ip_protocol->daddr.byte4);
  166.         len = ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4;
  167.         printf("长度:%d %d\n", ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4, sizeof(ip_header) + tcp_protocol->tcp_header_length * 4);
  168.         printf("%02x %02x\n", ntohs(tcp_protocol->source_port), ntohs(tcp_protocol->dest_port));
  169.         printf("%u %u\n", ntohl(tcp_protocol->seq), ntohl(tcp_protocol->ack_seq));
  170.         printf("syn and fin:%d %d\n", tcp_protocol->syn, tcp_protocol->fin);
  171.         if (tcp_protocol->syn == 1)
  172.         {
  173.             tcpsshead=createtcpsession(tcpsshead);
  174.         }
  175.         else if (tcp_protocol->syn == 0 && tcp_protocol->fin == 0 && len>0)
  176.         {
  177.             cnt = insert(tcpsessionhead, cnt, flag1);
  178.         }
  179.         else if (tcp_protocol->fin == 1)
  180.         {
  181.             if (flag3 == 0)
  182.             {
  183.                 print(file1,tcpsessionhead);
  184.                 ///fclose(file1);
  185.                 flag3 = 1;
  186.             }
  187.             else
  188.             {
  189.                 print(file2, tcpsessionhead);
  190.                 //fclose(file2);
  191.             }
  193.         }
  194.         printf("\n");
  195.     }
  196.     if (res == -1)
  197.     {
  198.         printf("Error reading the packets: %s\n", pcap_geterr(adapterHandle));
  199.         return -1;
  200.     }
  201.     return 0;
  202. }
  204. tcpsession* createtcpsession(tcpss *tcpsessionhead)
  205. {
  206.     tcpss *root = tcpsessionhead;
  207.     while (!isempty(root))
  208.     {
  209.         root = root->next;
  210.     }
  211.     root->saddr.byte1 = ip_protocol->saddr.byte1;
  212.     root->saddr.byte2 = ip_protocol->saddr.byte2;
  213.     root->saddr.byte3 = ip_protocol->saddr.byte3;
  214.     root->saddr.byte4 = ip_protocol->saddr.byte4;
  216.     root->daddr.byte1 = ip_protocol->daddr.byte1;
  217.     root->daddr.byte2 = ip_protocol->daddr.byte2;
  218.     root->daddr.byte3 = ip_protocol->daddr.byte3;
  219.     root->daddr.byte4 = ip_protocol->daddr.byte4;
  221.     root->sport = tcp_protocol->source_port;
  222.     root->dport = tcp_protocol->dest_port;
  223.     root->next = (tcpss*)malloc(sizeof(tcpss));
  224.     root->next->next = NULL;
  225.     root->next->tcplisthead = NULL;
  226.     return root;
  227. }
  229. bool isempty(tcpss* tcpsessionhead)
  230. {
  231.     if (tcpsessionhead->next == NULL)
  232.         return true;
  233.     else
  234.         return false;
  235. }
  237. bool search(tcpss *head)
  238. {
  239.     if ((head->saddr.byte1 == ip_protocol->saddr.byte1&&head->saddr.byte2 == ip_protocol->saddr.byte2&&head->saddr.byte3 == ip_protocol->saddr.byte3&&head->saddr.byte4 == ip_protocol->saddr.byte4
  240.         &&head->daddr.byte1 == ip_protocol->daddr.byte1&&head->daddr.byte2 == ip_protocol->daddr.byte2&&head->daddr.byte3 == ip_protocol->daddr.byte3&&head->daddr.byte4 == ip_protocol->daddr.byte4
  241.         &&head->sport == tcp_protocol->source_port&&head->dport == tcp_protocol->dest_port))
  242.         return true;
  243.     else
  244.         return false;
  245. }
  246. int insert(tcpss* tcpsessionhead, u_int32_t &cnt, int &flag1)
  247. {
  248.     tcpss* tcpsshead = tcpsessionhead;
  249.     while (!search(tcpsshead))
  250.     {
  251.         tcpsshead = tcpsshead->next;
  252.     }
  253.     if (tcpsshead->tcplisthead == NULL)
  254.     {
  255.         cnt += len;
  256.         tcpnode* tcpnodehead = (tcpnode*)malloc(sizeof(tcpnode));
  257.         tcpsshead->tcplisthead = tcpnodehead;
  258.         tcpnodehead->prev = tcpsshead->tcplisthead;
  259.         tcpnodehead->syn = tcp_protocol->syn;
  260.         tcpnodehead->fin = tcp_protocol->fin;
  261.         tcpnodehead->seq = ntohl(tcp_protocol->seq);
  262.         tcpnodehead->len = len;
  263.         tcpnodehead->next = NULL;
  264.         for (int i = 0; i < tcpnodehead->len; i++)
  265.             tcpnodehead->data[i] = packet_content[i + sizeof(ether_header)+sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  266.     }
  267.     else
  268.     {
  269.         tcpnode* tcpnodehead = tcpsshead->tcplisthead;
  270.         tcpnode* tcpnewnode = (tcpnode*)malloc(sizeof(tcpnode));
  271.         tcpnewnode->syn = tcp_protocol->syn;
  272.         tcpnewnode->fin = tcp_protocol->fin;
  273.         tcpnewnode->seq = ntohl(tcp_protocol->seq);
  274.         tcpnewnode->len = len;
  275.         tcpnewnode->next = NULL;
  276.         for (int i = 0; i < tcpnewnode->len; i++)
  277.         {
  278.             tcpnewnode->data[i] = packet_content[i + sizeof(ether_header) + sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  279.         }
  280.         if (tcp_protocol->fin == 1)
  281.             flag1 = 1;
  282.         if (tcpnodehead->seq > tcpnewnode->seq)
  283.         {
  284.             cnt += len;
  285.             tcpsshead->tcplisthead = tcpnewnode;
  286.             tcpnewnode->prev = tcpsshead->tcplisthead;
  287.             tcpnewnode->next = tcpnodehead;
  288.             tcpnodehead->prev = tcpnewnode;
  289.         }
  290.         else if(tcpnodehead->seq < tcpnewnode->seq)
  291.         {
  292.             cnt += len;
  293.             while (tcpnodehead->seq < tcpnewnode->seq)
  294.             {
  295.                 if (tcpnodehead->next == NULL||tcpnodehead->next->seq > tcpnewnode->seq)
  296.                 {
  297.                     tcpnewnode->prev = tcpnodehead;
  298.                     tcpnewnode->next = tcpnodehead->next;
  299.                     tcpnodehead->next = tcpnewnode;
  300.                     tcpnodehead->next->prev = tcpnewnode;
  301.                     break;
  302.                 }
  303.                 else
  304.                     tcpnodehead = tcpnodehead->next;
  305.             }
  306.         }
  307.     }
  308.     return cnt;
  309. }
  310. void print(FILE* file, tcpss* tcpsessionhead)
  311. {
  312.     tcpss* tcpsshead = tcpsessionhead;
  313.     while (!search(tcpsshead))
  314.     {
  315.         tcpsshead = tcpsshead->next;
  316.     }
  317.     tcpnode* tcpnodehead=tcpsshead->tcplisthead;
  318.     while (tcpnodehead->next != NULL)
  319.     {
  320.         for (int i = 1; i < tcpnodehead->len; i++)
  321.         {
  322.             printf("%c", tcpnodehead->data[i - 1]);
  323.             fprintf(file, "%c", tcpnodehead->data[i - 1]);
  324.         }
  325.         //if (tcpnodehead->next == NULL)
  326.             //break;
  327.         //else
  328.             tcpnodehead = tcpnodehead->next;
  329.     }
  330. }
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注