[关闭]
@xunuo 2017-08-05T15:02:32.000000Z 字数 15539 阅读 1302

TCP重组分析


网络数据包分析


1.解析一个pcap文件(标准)

1.1大体思路:

    用一个两个链表:tcpsessionhead和tcpnodehead;
第一个链表用来确定唯一的一次tcp会话,则需要六元组(源mac,目的mac,源ip,目的ip,源端口,目的端口)(其实实际上可以不用源mac和目的mac),以及一个指向下一个节点的指针next和指向对应会话具体内容的指针tcpnodehead;
    第二个链表存该会话的具体内容L:syn,seq,fin,len,以及该数据包传输的数据data[];
    只是单纯的把该数据包内的东西解析出来了而已;
    当检测到的数据包的syn==1&&是第一次出现syn=1时,就新建一个链表来存该tcp会话,如果检测到数据包的syn==0&&fin==0&&数据包除以太网头,ip头,tcp头外,数据长度不为0,则说明有数据传输,则将这个数据包加入tcpnode链表;如果fin==1,则说明数据传输结束,可以打印出数据。

1.2具体函数实现:

首先创建tcpsession链表函数create():
    将该数据包的六元祖存好,然后记住:一定要将next和tcpnodehead置空。不然会出问题,后面如果要用到他们的时候会无法读取内存。
插入函数insert():
    在插入之前要先查一遍它所在的tcp会话(其实文件里只有一个,貌似没必要。。);然后分一下几种情况:如果这个数据包是第一个插入的,那么直接进去就行了,如果不是,就要看它的seq的大小和tcpnode链表里面已经存在的节点的seq比较,然后插入合适的位置。

1.3完整代码:

  1. #include "pcap.h"
  2. const int MAXETHERLEN = 1500;
  3. struct ether_header
  4. {
  5. u_int8_t ether_dhost[6];//目的mac;
  6. u_int8_t ether_shost[6];//源mac;
  7. u_int16_t ether_type;
  8. };
  9. /*ip地址*/
  10. typedef struct ip_address
  11. {
  12. u_char byte1;
  13. u_char byte2;
  14. u_char byte3;
  15. u_char byte4;
  16. } ip_address;
  17. /*IPv4协议头*/
  18. struct ip_header
  19. {
  20. #if defined(WORDS_BIENDIAN)
  21. u_int8_t ip_version : 4, ip_header_length : 4;
  22. #else
  23. u_int8_t ip_header_length : 4, ip_version : 4;
  24. #endif
  25. u_int8_t ip_tos;
  26. u_int16_t ip_length;
  27. u_int16_t ip_id;
  28. u_int16_t ip_off;
  29. u_int8_t ip_ttl;
  30. u_int8_t ip_protocol;
  31. u_int16_t ip_checksum;
  32. ip_address saddr; /*源地址(Source address)*/
  33. ip_address daddr; /*目的地址(Destination address)*/
  34. };
  35. //TCP协议头
  36. #define __LITTLE_ENDIAN_BITFIELD
  37. struct tcphdr
  38. {
  39. u_int16_t source_port; /*源地址端口*/
  40. u_int16_t dest_port; /*目的地址端口*/
  41. u_int32_t seq; /*序列号*/
  42. u_int32_t ack_seq; /*确认序列号*/
  43. u_int8_t res1 : 3, /*偏移*/
  44. doff : 1, /*保留*/
  45. tcp_header_length : 4;
  46. u_int8_t fin : 1, /*关闭连接标志*/
  47. syn : 1, /*请求连接标志*/
  48. rst : 1, /*重置连接标志*/
  49. psh : 1, /*接收方尽快将数据放到应用层标志*/
  50. ack : 1, /*确认序号标志*/
  51. urg : 1, /*紧急指针标志*/
  52. ece : 1, /*拥塞标志位*/
  53. cwr : 1; /*拥塞标志位*/
  54. u_int16_t flag;
  55. u_int16_t window; /*滑动窗口大小*/
  56. u_int16_t check; /*校验和*/
  57. u_int16_t urg_ptr; /*紧急字段指针*/
  58. };
  59. /*两个链表*/
  60. /*list.1==tcplist*/
  61. typedef struct tcpnode
  62. {
  63. int syn;
  64. int fin;
  65. unsigned long seq;
  66. int len;
  67. tcpnode *prev;
  68. tcpnode *next;
  69. unsigned char data[MAXETHERLEN];
  70. }node;
  71. /*list.2=tcpsession*/
  72. typedef struct tcpsession
  73. {
  74. ip_address saddr;
  75. ip_address daddr;
  76. unsigned short sport;
  77. unsigned short dport;
  78. tcpsession* next;
  79. tcpnode *tcplisthead;
  80. }tcpss;
  81. void createtcpsession(tcpss *tcpsessionhead);
  82. bool isempty(tcpss* tcpsessionhead);
  83. bool search(tcpss *head);
  84. int insert(tcpss* tcpsessionheadconst, u_int32_t &cnt, int &flag1);
  85. void print(FILE* file, tcpss* tcpsessionhead);
  86. struct pcap_pkthdr *header;
  87. const u_char *packet_content;
  88. struct ether_header *ethernet_protocol;
  89. struct ip_header *ip_protocol;
  90. struct tcphdr *tcp_protocol;
  91. int flag = 0;
  92. u_int32_t fin_seq = 0;
  93. u_int32_t syn_seq = 0;
  94. u_int32_t cnt = 0;
  95. int flag1;
  96. int len;
  97. int main(int argc, char* argv[])
  98. {
  99. if (argc <= 1)
  100. {
  101. printf("argc<=1,break!\n");
  102. return -1;
  103. }
  104. pcap_t *adapterHandle;//适配器句柄;
  105. char errorBuffer[PCAP_ERRBUF_SIZE];//错误缓冲区;
  106. char source[PCAP_BUF_SIZE];
  107. if (pcap_createsrcstr(source, PCAP_SRC_FILE, NULL, NULL, argv[1], errorBuffer) != 0)
  108. {
  109. printf("数据源创建失败!\n");
  110. return -1;
  111. }
  112. if ((adapterHandle = pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer)) == NULL)
  113. {
  114. printf("文件打开失败!\n");
  115. return -1;
  116. }
  117. tcpsession* tcpsessionhead = (tcpsession*)malloc(sizeof(tcpsession));
  118. tcpsessionhead->next = nullptr;
  119. tcpsessionhead->tcplisthead = nullptr;
  120. FILE* file;
  121. if (fopen_s(&file, argv[2], "w+") != 0)
  122. {
  123. printf("打开文件失败!\n");
  124. }
  125. int pkt_number = 1;
  126. int res;
  127. while ((res = pcap_next_ex(adapterHandle, &header, &packet_content)) >= 0)
  128. {
  129. if (res == 0)/* 超时时间到 */
  130. continue;
  131. printf("这是第%d个数据包!\n", pkt_number++);
  132. /*for (int i = 1; i <= header->len; i++)
  133. {
  134. printf("%02x ", packet_content[i - 1]);
  135. if (i % 8 == 0)
  136. printf(" ");
  137. if (i % 16 == 0)
  138. printf("\n");
  139. }
  140. printf("\n");*/
  141. ethernet_protocol = (struct ether_header*)packet_content;
  142. ip_protocol = (struct ip_header *)(packet_content + sizeof(ether_header));
  143. tcp_protocol = (struct tcphdr *) (packet_content + sizeof(ether_header) + sizeof(ip_header));
  144. int ip_len = ntohs(ip_protocol->ip_length);
  145. printf("%d.%d.%d.%d\n", ip_protocol->saddr.byte1, ip_protocol->saddr.byte2, ip_protocol->saddr.byte3, ip_protocol->saddr.byte4);
  146. printf("%d.%d.%d.%d\n", ip_protocol->daddr.byte1, ip_protocol->daddr.byte2, ip_protocol->daddr.byte3, ip_protocol->daddr.byte4);
  147. len = ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4;
  148. printf("长度:%d %d\n", ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4, sizeof(ip_header) + tcp_protocol->tcp_header_length * 4);
  149. printf("%02x %02x\n", ntohs(tcp_protocol->source_port), ntohs(tcp_protocol->dest_port));
  150. printf("%u %u\n", ntohl(tcp_protocol->seq), ntohl(tcp_protocol->ack_seq));
  151. printf("syn and fin:%d %d\n", tcp_protocol->syn, tcp_protocol->fin);
  152. if (tcp_protocol->syn == 1 && flag == 0)
  153. {
  154. createtcpsession(tcpsessionhead);
  155. flag = 1;
  156. syn_seq = ntohl(tcp_protocol->seq);
  157. }
  158. else if (tcp_protocol->syn == 0 && tcp_protocol->fin == 0 && len>0)
  159. {
  160. cnt = insert(tcpsessionhead, cnt, flag1);
  161. }
  162. else if (tcp_protocol->fin == 1)
  163. {
  164. flag = 0;
  165. print(file, tcpsessionhead);
  166. fclose(file);
  167. break;
  168. }
  169. printf("\n");
  170. }
  171. if (res == -1)
  172. {
  173. printf("Error reading the packets: %s\n", pcap_geterr(adapterHandle));
  174. return -1;
  175. }
  176. return 0;
  177. }
  178. void createtcpsession(tcpss *tcpsessionhead)
  179. {
  180. tcpss *root = tcpsessionhead;
  181. while (!isempty(root))
  182. {
  183. root = root->next;
  184. }
  185. root->saddr.byte1 = ip_protocol->saddr.byte1;
  186. root->saddr.byte2 = ip_protocol->saddr.byte2;
  187. root->saddr.byte3 = ip_protocol->saddr.byte3;
  188. root->saddr.byte4 = ip_protocol->saddr.byte4;
  189. root->daddr.byte1 = ip_protocol->daddr.byte1;
  190. root->daddr.byte2 = ip_protocol->daddr.byte2;
  191. root->daddr.byte3 = ip_protocol->daddr.byte3;
  192. root->daddr.byte4 = ip_protocol->daddr.byte4;
  193. root->sport = tcp_protocol->source_port;
  194. root->dport = tcp_protocol->dest_port;
  195. root->next = (tcpss*)malloc(sizeof(tcpss));
  196. root->next->next = NULL;
  197. root->next->tcplisthead = NULL;
  198. }
  199. bool isempty(tcpss* tcpsessionhead)
  200. {
  201. if (tcpsessionhead->next == NULL)
  202. return true;
  203. else
  204. return false;
  205. }
  206. bool search(tcpss *head)
  207. {
  208. if ((head->saddr.byte1 == ip_protocol->saddr.byte1&&head->saddr.byte2 == ip_protocol->saddr.byte2&&head->saddr.byte3 == ip_protocol->saddr.byte3&&head->saddr.byte4 == ip_protocol->saddr.byte4
  209. &&head->daddr.byte1 == ip_protocol->daddr.byte1&&head->daddr.byte2 == ip_protocol->daddr.byte2&&head->daddr.byte3 == ip_protocol->daddr.byte3&&head->daddr.byte4 == ip_protocol->daddr.byte4
  210. &&head->sport == tcp_protocol->source_port&&head->dport == tcp_protocol->dest_port)
  211. || (head->saddr.byte1 == ip_protocol->daddr.byte1&&head->saddr.byte2 == ip_protocol->daddr.byte2&&head->saddr.byte3 == ip_protocol->daddr.byte3&&head->saddr.byte4 == ip_protocol->daddr.byte4
  212. &&head->daddr.byte1 == ip_protocol->saddr.byte1&&head->daddr.byte2 == ip_protocol->saddr.byte2&&head->daddr.byte3 == ip_protocol->saddr.byte3&&head->daddr.byte4 == ip_protocol->saddr.byte4
  213. &&head->sport == tcp_protocol->dest_port&&head->dport == tcp_protocol->source_port)
  214. )
  215. return true;
  216. else
  217. return false;
  218. }
  219. int insert(tcpss* tcpsessionhead, u_int32_t &cnt, int &flag1)
  220. {
  221. tcpss* tcpsshead = tcpsessionhead;
  222. while (!search(tcpsshead))
  223. {
  224. tcpsshead = tcpsshead->next;
  225. }
  226. if (tcpsshead->tcplisthead == NULL)
  227. {
  228. cnt += len;
  229. tcpnode* tcpnodehead = (tcpnode*)malloc(sizeof(tcpnode));
  230. tcpsshead->tcplisthead = tcpnodehead;
  231. tcpnodehead->prev = tcpsshead->tcplisthead;
  232. tcpnodehead->syn = tcp_protocol->syn;
  233. tcpnodehead->fin = tcp_protocol->fin;
  234. tcpnodehead->seq = ntohl(tcp_protocol->seq);
  235. tcpnodehead->len = len;
  236. tcpnodehead->next = NULL;
  237. for (int i = 0; i < tcpnodehead->len; i++)
  238. tcpnodehead->data[i] = packet_content[i + sizeof(ether_header)+sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  239. }
  240. else
  241. {
  242. tcpnode* tcpnodehead = tcpsshead->tcplisthead;
  243. tcpnode* tcpnewnode = (tcpnode*)malloc(sizeof(tcpnode));
  244. tcpnewnode->syn = tcp_protocol->syn;
  245. tcpnewnode->fin = tcp_protocol->fin;
  246. tcpnewnode->seq = ntohl(tcp_protocol->seq);
  247. tcpnewnode->len = len;
  248. tcpnewnode->next = NULL;
  249. for (int i = 0; i < tcpnewnode->len; i++)
  250. {
  251. tcpnewnode->data[i] = packet_content[i + sizeof(ether_header) + sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  252. }
  253. if (tcp_protocol->fin == 1)
  254. flag1 = 1;
  255. if (tcpnodehead->seq > tcpnewnode->seq)
  256. {
  257. cnt += len;
  258. tcpsshead->tcplisthead = tcpnewnode;
  259. tcpnewnode->prev = tcpsshead->tcplisthead;
  260. tcpnewnode->next = tcpnodehead;
  261. tcpnodehead->prev = tcpnewnode;
  262. }
  263. else
  264. {
  265. cnt += len;
  266. while (tcpnodehead->seq < tcpnewnode->seq)
  267. {
  268. if (&tcpnodehead->next == NULL||tcpnodehead->next->seq > tcpnewnode->seq)
  269. {
  270. tcpnewnode->prev = tcpnodehead;
  271. tcpnewnode->next = tcpnodehead->next;
  272. tcpnodehead->next = tcpnewnode;
  273. tcpnodehead->next->prev = tcpnewnode;
  274. break;
  275. }
  276. else
  277. tcpnodehead = tcpnodehead->next;
  278. }
  279. }
  280. }
  281. return cnt;
  282. }
  283. void print(FILE* file, tcpss* tcpsessionhead)
  284. {
  285. tcpss* tcpsshead = tcpsessionhead;
  286. while (!search(tcpsshead))
  287. {
  288. tcpsshead = tcpsshead->next;
  289. }
  290. tcpnode* tcpnodehead=tcpsshead->tcplisthead;
  291. while (tcpnodehead->next != NULL)
  292. {
  293. for (int i = 1; i < tcpnodehead->len; i++)
  294. {
  295. printf("%c", tcpnodehead->data[i - 1]);
  296. fprintf(file, "%c", tcpnodehead->data[i - 1]);
  297. }
  298. //if (tcpnodehead->next == NULL)
  299. //break;
  300. //else
  301. tcpnodehead = tcpnodehead->next;
  302. }
  303. }
  1. #include "pcap.h"
  2. const int MAXETHERLEN = 1500;
  3. struct ether_header
  4. {
  5. u_int8_t ether_dhost[6];//目的mac;
  6. u_int8_t ether_shost[6];//源mac;
  7. u_int16_t ether_type;
  8. };
  9. /*ip地址*/
  10. typedef struct ip_address
  11. {
  12. u_char byte1;
  13. u_char byte2;
  14. u_char byte3;
  15. u_char byte4;
  16. } ip_address;
  17. /*IPv4协议头*/
  18. struct ip_header
  19. {
  20. #if defined(WORDS_BIENDIAN)
  21. u_int8_t ip_version : 4, ip_header_length : 4;
  22. #else
  23. u_int8_t ip_header_length : 4, ip_version : 4;
  24. #endif
  25. u_int8_t ip_tos;
  26. u_int16_t ip_length;
  27. u_int16_t ip_id;
  28. u_int16_t ip_off;
  29. u_int8_t ip_ttl;
  30. u_int8_t ip_protocol;
  31. u_int16_t ip_checksum;
  32. ip_address saddr; /*源地址(Source address)*/
  33. ip_address daddr; /*目的地址(Destination address)*/
  34. };
  35. //TCP协议头
  36. #define __LITTLE_ENDIAN_BITFIELD
  37. struct tcphdr
  38. {
  39. u_int16_t source_port; /*源地址端口*/
  40. u_int16_t dest_port; /*目的地址端口*/
  41. u_int32_t seq; /*序列号*/
  42. u_int32_t ack_seq; /*确认序列号*/
  43. u_int8_t res1 : 3, /*偏移*/
  44. doff : 1, /*保留*/
  45. tcp_header_length : 4;
  46. u_int8_t fin : 1, /*关闭连接标志*/
  47. syn : 1, /*请求连接标志*/
  48. rst : 1, /*重置连接标志*/
  49. psh : 1, /*接收方尽快将数据放到应用层标志*/
  50. ack : 1, /*确认序号标志*/
  51. urg : 1, /*紧急指针标志*/
  52. ece : 1, /*拥塞标志位*/
  53. cwr : 1; /*拥塞标志位*/
  54. u_int16_t flag;
  55. u_int16_t window; /*滑动窗口大小*/
  56. u_int16_t check; /*校验和*/
  57. u_int16_t urg_ptr; /*紧急字段指针*/
  58. };
  59. /*两个链表*/
  60. /*list.1==tcplist*/
  61. typedef struct tcpnode
  62. {
  63. int syn;
  64. int fin;
  65. unsigned long seq;
  66. int len;
  67. tcpnode *prev;
  68. tcpnode *next;
  69. unsigned char data[MAXETHERLEN];
  70. }node;
  71. /*list.2=tcpsession*/
  72. typedef struct tcpsession
  73. {
  74. ip_address saddr;
  75. ip_address daddr;
  76. unsigned short sport;
  77. unsigned short dport;
  78. tcpsession* next;
  79. tcpnode *tcplisthead;
  80. }tcpss;
  81. tcpsession* createtcpsession(tcpss *tcpsessionhead);
  82. bool isempty(tcpss* tcpsessionhead);
  83. bool search(tcpss *head);
  84. int insert(tcpss* tcpsessionheadconst, u_int32_t &cnt, int &flag1);
  85. void print(FILE* file, tcpss* tcpsessionhead);
  86. struct pcap_pkthdr *header;
  87. const u_char *packet_content;
  88. struct ether_header *ethernet_protocol;
  89. struct ip_header *ip_protocol;
  90. struct tcphdr *tcp_protocol;
  91. tcpsession* tcpsessionhead = (tcpsession*)malloc(sizeof(tcpsession));
  92. tcpsession* tcpsshead = tcpsessionhead;
  93. int flag = 0;
  94. u_int32_t fin_seq = 0;
  95. u_int32_t syn_seq = 0;
  96. u_int32_t cnt = 0;
  97. int flag1;
  98. int len;
  99. int main(int argc, char* argv[])
  100. {
  101. if (argc <= 1)
  102. {
  103. printf("argc<=1,break!\n");
  104. return -1;
  105. }
  106. pcap_t *adapterHandle;//适配器句柄;
  107. char errorBuffer[PCAP_ERRBUF_SIZE];//错误缓冲区;
  108. char source[PCAP_BUF_SIZE];
  109. if (pcap_createsrcstr(source, PCAP_SRC_FILE, NULL, NULL, argv[1], errorBuffer) != 0)
  110. {
  111. printf("数据源创建失败!\n");
  112. return -1;
  113. }
  114. if ((adapterHandle = pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer)) == NULL)
  115. {
  116. printf("文件打开失败!\n");
  117. return -1;
  118. }
  119. tcpsessionhead->next = NULL;;
  120. tcpsshead->next = NULL;
  121. tcpsessionhead->tcplisthead = NULL;
  122. tcpsshead->tcplisthead = NULL;
  123. FILE* file1,*file2;
  124. if (fopen_s(&file1, argv[2], "w+") != 0)
  125. {
  126. printf("打开文件失败!\n");
  127. }
  128. if (fopen_s(&file2, argv[3], "w+") != 0)
  129. {
  130. printf("打开文件失败!\n");
  131. }
  132. int pkt_number = 1;
  133. int res;
  134. int flag3 = 0;
  135. while ((res = pcap_next_ex(adapterHandle, &header, &packet_content)) >= 0)
  136. {
  137. if (res == 0)/* 超时时间到 */
  138. continue;
  139. printf("这是第%d个数据包!\n", pkt_number++);
  140. /*for (int i = 1; i <= header->len; i++)
  141. {
  142. printf("%02x ", packet_content[i - 1]);
  143. if (i % 8 == 0)
  144. printf(" ");
  145. if (i % 16 == 0)
  146. printf("\n");
  147. }
  148. printf("\n");*/
  149. ethernet_protocol = (struct ether_header*)packet_content;
  150. ip_protocol = (struct ip_header *)(packet_content + sizeof(ether_header));
  151. tcp_protocol = (struct tcphdr *) (packet_content + sizeof(ether_header) + sizeof(ip_header));
  152. int ip_len = ntohs(ip_protocol->ip_length);
  153. printf("%d.%d.%d.%d\n", ip_protocol->saddr.byte1, ip_protocol->saddr.byte2, ip_protocol->saddr.byte3, ip_protocol->saddr.byte4);
  154. printf("%d.%d.%d.%d\n", ip_protocol->daddr.byte1, ip_protocol->daddr.byte2, ip_protocol->daddr.byte3, ip_protocol->daddr.byte4);
  155. len = ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4;
  156. printf("长度:%d %d\n", ip_len - sizeof(ip_header) - tcp_protocol->tcp_header_length * 4, sizeof(ip_header) + tcp_protocol->tcp_header_length * 4);
  157. printf("%02x %02x\n", ntohs(tcp_protocol->source_port), ntohs(tcp_protocol->dest_port));
  158. printf("%u %u\n", ntohl(tcp_protocol->seq), ntohl(tcp_protocol->ack_seq));
  159. printf("syn and fin:%d %d\n", tcp_protocol->syn, tcp_protocol->fin);
  160. if (tcp_protocol->syn == 1)
  161. {
  162. tcpsshead=createtcpsession(tcpsshead);
  163. }
  164. else if (tcp_protocol->syn == 0 && tcp_protocol->fin == 0 && len>0)
  165. {
  166. cnt = insert(tcpsessionhead, cnt, flag1);
  167. }
  168. else if (tcp_protocol->fin == 1)
  169. {
  170. if (flag3 == 0)
  171. {
  172. print(file1,tcpsessionhead);
  173. ///fclose(file1);
  174. flag3 = 1;
  175. }
  176. else
  177. {
  178. print(file2, tcpsessionhead);
  179. //fclose(file2);
  180. }
  181. }
  182. printf("\n");
  183. }
  184. if (res == -1)
  185. {
  186. printf("Error reading the packets: %s\n", pcap_geterr(adapterHandle));
  187. return -1;
  188. }
  189. return 0;
  190. }
  191. tcpsession* createtcpsession(tcpss *tcpsessionhead)
  192. {
  193. tcpss *root = tcpsessionhead;
  194. while (!isempty(root))
  195. {
  196. root = root->next;
  197. }
  198. root->saddr.byte1 = ip_protocol->saddr.byte1;
  199. root->saddr.byte2 = ip_protocol->saddr.byte2;
  200. root->saddr.byte3 = ip_protocol->saddr.byte3;
  201. root->saddr.byte4 = ip_protocol->saddr.byte4;
  202. root->daddr.byte1 = ip_protocol->daddr.byte1;
  203. root->daddr.byte2 = ip_protocol->daddr.byte2;
  204. root->daddr.byte3 = ip_protocol->daddr.byte3;
  205. root->daddr.byte4 = ip_protocol->daddr.byte4;
  206. root->sport = tcp_protocol->source_port;
  207. root->dport = tcp_protocol->dest_port;
  208. root->next = (tcpss*)malloc(sizeof(tcpss));
  209. root->next->next = NULL;
  210. root->next->tcplisthead = NULL;
  211. return root;
  212. }
  213. bool isempty(tcpss* tcpsessionhead)
  214. {
  215. if (tcpsessionhead->next == NULL)
  216. return true;
  217. else
  218. return false;
  219. }
  220. bool search(tcpss *head)
  221. {
  222. if ((head->saddr.byte1 == ip_protocol->saddr.byte1&&head->saddr.byte2 == ip_protocol->saddr.byte2&&head->saddr.byte3 == ip_protocol->saddr.byte3&&head->saddr.byte4 == ip_protocol->saddr.byte4
  223. &&head->daddr.byte1 == ip_protocol->daddr.byte1&&head->daddr.byte2 == ip_protocol->daddr.byte2&&head->daddr.byte3 == ip_protocol->daddr.byte3&&head->daddr.byte4 == ip_protocol->daddr.byte4
  224. &&head->sport == tcp_protocol->source_port&&head->dport == tcp_protocol->dest_port))
  225. return true;
  226. else
  227. return false;
  228. }
  229. int insert(tcpss* tcpsessionhead, u_int32_t &cnt, int &flag1)
  230. {
  231. tcpss* tcpsshead = tcpsessionhead;
  232. while (!search(tcpsshead))
  233. {
  234. tcpsshead = tcpsshead->next;
  235. }
  236. if (tcpsshead->tcplisthead == NULL)
  237. {
  238. cnt += len;
  239. tcpnode* tcpnodehead = (tcpnode*)malloc(sizeof(tcpnode));
  240. tcpsshead->tcplisthead = tcpnodehead;
  241. tcpnodehead->prev = tcpsshead->tcplisthead;
  242. tcpnodehead->syn = tcp_protocol->syn;
  243. tcpnodehead->fin = tcp_protocol->fin;
  244. tcpnodehead->seq = ntohl(tcp_protocol->seq);
  245. tcpnodehead->len = len;
  246. tcpnodehead->next = NULL;
  247. for (int i = 0; i < tcpnodehead->len; i++)
  248. tcpnodehead->data[i] = packet_content[i + sizeof(ether_header)+sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  249. }
  250. else
  251. {
  252. tcpnode* tcpnodehead = tcpsshead->tcplisthead;
  253. tcpnode* tcpnewnode = (tcpnode*)malloc(sizeof(tcpnode));
  254. tcpnewnode->syn = tcp_protocol->syn;
  255. tcpnewnode->fin = tcp_protocol->fin;
  256. tcpnewnode->seq = ntohl(tcp_protocol->seq);
  257. tcpnewnode->len = len;
  258. tcpnewnode->next = NULL;
  259. for (int i = 0; i < tcpnewnode->len; i++)
  260. {
  261. tcpnewnode->data[i] = packet_content[i + sizeof(ether_header) + sizeof(ip_header) + tcp_protocol->tcp_header_length * 4];
  262. }
  263. if (tcp_protocol->fin == 1)
  264. flag1 = 1;
  265. if (tcpnodehead->seq > tcpnewnode->seq)
  266. {
  267. cnt += len;
  268. tcpsshead->tcplisthead = tcpnewnode;
  269. tcpnewnode->prev = tcpsshead->tcplisthead;
  270. tcpnewnode->next = tcpnodehead;
  271. tcpnodehead->prev = tcpnewnode;
  272. }
  273. else if(tcpnodehead->seq < tcpnewnode->seq)
  274. {
  275. cnt += len;
  276. while (tcpnodehead->seq < tcpnewnode->seq)
  277. {
  278. if (tcpnodehead->next == NULL||tcpnodehead->next->seq > tcpnewnode->seq)
  279. {
  280. tcpnewnode->prev = tcpnodehead;
  281. tcpnewnode->next = tcpnodehead->next;
  282. tcpnodehead->next = tcpnewnode;
  283. tcpnodehead->next->prev = tcpnewnode;
  284. break;
  285. }
  286. else
  287. tcpnodehead = tcpnodehead->next;
  288. }
  289. }
  290. }
  291. return cnt;
  292. }
  293. void print(FILE* file, tcpss* tcpsessionhead)
  294. {
  295. tcpss* tcpsshead = tcpsessionhead;
  296. while (!search(tcpsshead))
  297. {
  298. tcpsshead = tcpsshead->next;
  299. }
  300. tcpnode* tcpnodehead=tcpsshead->tcplisthead;
  301. while (tcpnodehead->next != NULL)
  302. {
  303. for (int i = 1; i < tcpnodehead->len; i++)
  304. {
  305. printf("%c", tcpnodehead->data[i - 1]);
  306. fprintf(file, "%c", tcpnodehead->data[i - 1]);
  307. }
  308. //if (tcpnodehead->next == NULL)
  309. //break;
  310. //else
  311. tcpnodehead = tcpnodehead->next;
  312. }
  313. }
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注