LinuxQuestions.org
Forums > Linux Forums > Linux - Newbie
Old 07-15-2010, 09:48 AM   #1
yujiliang
LQ Newbie
 
Registered: Jul 2010
Location: Beijing,China
Posts: 4

Rep: Reputation: 1
How can I just use the dumpfile function of libpcap?


These days I am trying to make a simple sniffer for an embedded system, and it needs a function to dump all the packets into a file that can be read by Wireshark etc. First I copied some code called simplesniffer.c from the Internet, and now I want to add the dumpfile function to it. I have found some problems.
Quote:
/* Source: http://blog.chinaunix.net/u/24474/showart_226419.html */
/* simplesniffer.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>       /* htons */
#include <netinet/in.h>      /* IPPROTO_* */
#include <linux/if_ether.h>  /* ETH_P_IP */

#define BUFFER_MAX 2048

int main(int argc, char *argv[])
{
    int sock, n_read, proto, iphdr_len;
    unsigned char buffer[BUFFER_MAX];
    unsigned char *ethhead, *iphead, *p; /* p is used as a cursor throughout */

    /* Create a raw packet socket. SOCK_RAW delivers the complete frame, unlike
     * SOCK_DGRAM which strips the Ethernet header. ETH_P_IP means only IPv4
     * frames are delivered. Needs root or CAP_NET_RAW. */
    if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP))) < 0) {
        perror("socket");
        exit(1);
    }

    while (1) {
        /* Receive one frame */
        n_read = recvfrom(sock, buffer, BUFFER_MAX, 0, NULL, NULL);
        if (n_read < 0) {
            perror("recvfrom");
            continue;
        }
        /*
         * 14  6 (dest) + 6 (source) + 2 (type or length)
         * +
         * 20  IP header
         * +
         * 8   ICMP, TCP or UDP header
         * = 42
         */
        if (n_read < 42) { /* smallest frame worth parsing; see a TCP/IP reference if unclear */
            fprintf(stdout, "Incomplete header, packet corrupt\n");
            continue;
        }

        ethhead = buffer;
        p = ethhead;
        printf("\nMAC: %02X:%02X:%02X:%02X:%02X:%02X ==> "
               "%02X:%02X:%02X:%02X:%02X:%02X\n",
               p[6], p[7], p[8], p[9], p[10], p[11],  /* second 6 bytes: source MAC */
               p[0], p[1], p[2], p[3], p[4], p[5]);   /* first 6 bytes: destination MAC */

        iphead = ethhead + 14; /* 14 = 6 + 6 + 2; the 2 is the type field */
        p = iphead + 12;       /* source and destination IP start at offset 12 */

        printf("IP: %d.%d.%d.%d => %d.%d.%d.%d\n",
               p[0], p[1], p[2], p[3],  /* source IP */
               p[4], p[5], p[6], p[7]); /* destination IP */
        proto = iphead[9];     /* protocol field */

        /* The original hard-coded 20 here, which is wrong when IP options are
         * present; the IHL field (low nibble of byte 0, in 32-bit words) gives
         * the real header length. */
        iphdr_len = (iphead[0] & 0x0F) * 4;
        if (iphdr_len < 20 || 14 + iphdr_len + 8 > n_read) {
            fprintf(stdout, "Bad IP header length\n");
            continue;
        }
        p = iphead + iphdr_len; /* start of the transport header */
        printf("Protocol: ");
        switch (proto) { /* IPPROTO_* are defined in netinet/in.h */
        case IPPROTO_ICMP: printf("ICMP\n"); break;
        case IPPROTO_IGMP: printf("IGMP\n"); break;
        case IPPROTO_IPIP: printf("IPIP\n"); break;
        case IPPROTO_TCP:
        case IPPROTO_UDP:
            printf("%s, ", proto == IPPROTO_TCP ? "TCP" : "UDP");
            /* Ports are the first two big-endian 16-bit fields of both TCP and UDP headers */
            printf("source port: %u, ", (p[0] << 8) | p[1]); /* first two bytes of the transport header */
            printf("dest port: %u\n", (p[2] << 8) | p[3]);   /* next two bytes */
            break;
        case IPPROTO_RAW: printf("RAW\n"); break;
        default: printf("Unknown, please look it up in include/linux/in.h\n");
        }
    }
}
I changed it like this and of course it doesn't work...

Quote:
......
/* for pcap -- dump packet part */
#include <pcap.h>

#define BUFFER_MAX 2048
#define DUMP_FILE "/dumpfile.cap"
#define SNAPLEN 1514
#define PROMISC 1
#define READ_TIMEOUT 500
pcap_t *pd;       /* pcap device descriptor */
pcap_dumper_t *p; /* pointer to pcap dump file for writing */

/* FILE *fp; */ /* dump packet */

/* after pressing Ctrl+C do this */
void sig_int(int sig)
{
    printf("Dump Well\n");
    /* Close the pcap device */
    pcap_close(pd);
    /* close dump file */
    pcap_dump_close(p);
    exit(0);
}

int main(int argc, char *argv[])
{
    int sock, n_read, proto;
    char buffer[BUFFER_MAX];
    char errorbuf[PCAP_ERRBUF_SIZE];
    char *ethhead, *iphead, *tcphead,
         *udphead, *icmphead, *p; /* p is used as a cursor throughout */

    /* Create a raw socket. SOCK_RAW delivers the complete frame, unlike
     * SOCK_DGRAM which strips the Ethernet header */
    if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP))) < 0) {
        fprintf(stdout, "create socket error\n");
        exit(0);
    }
    /* open the dump file */
    /* fp = fopen(DUMP_FILE, "w"); */

    while (1) {
        /* Receive a frame; buffer points at the start of the packet */
        n_read = recvfrom(sock, buffer, 2048, 0, NULL, NULL);
        /*
         * 14  6 (dest) + 6 (source) + 2 (type or length)
         * +
         * 20  IP header
         * +
         * 8   ICMP, TCP or UDP header
         * = 42
         */

        /* Dump every packet */
        /* fwrite(buffer, n_read, 1, fp); */
        /* Dump over */

        /* Use pcap_open_live() or not? Try this first: pd = buffer */
        pd = pcap_open_live("eth0", SNAPLEN, PROMISC, READ_TIMEOUT, errorbuf); /* pcap open for dumpfile */
        p = pcap_dump_open(pd, DUMP_FILE);

        if (n_read < 42) { /* smallest frame worth parsing; see a TCP/IP reference if unclear */
            fprintf(stdout, "Incomplete header, packet corrupt\n");
........
I want to ask: is there a nice way to use the dumpfile function of libpcap here? I hope some fellows can help me with this.
Thanks.
 
Old 07-15-2010, 10:20 AM   #2
necro351
LQ Newbie
 
Registered: Jan 2010
Posts: 9

Rep: Reputation: 2
Tons of code that I don't want to read

If you post a lot of code, it takes me a long time to read it, and I actually don't understand what you even want. If you are legitimately trying to dump sniffed packets to a file, are you quite sure Wireshark doesn't just let you redirect them to standard out? After the sniffing, you can just grep for what you want. If you have to do it with C (why??), then it sounds like a homework assignment, and I don't want to help you anyway.
 
Old 07-15-2010, 12:13 PM   #3
yujiliang
LQ Newbie
 
Registered: Jul 2010
Location: Beijing,China
Posts: 4

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by necro351
If you post a lot of code, it takes me a long time to read it, and I actually don't understand what you even want. If you are legitimately trying to dump sniffed packets to a file, are you quite sure Wireshark doesn't just let you redirect them to standard out? After the sniffing, you can just grep for what you want. If you have to do it with C (why??), then it sounds like a homework assignment, and I don't want to help you anyway.
I'm sorry I made you feel sad about my question. In fact, I just want to know: if I get every packet through

n_read = recvfrom(sock, buffer, 2048, 0, NULL, NULL);

instead of using pcap_next(...), pcap_loop(...) and the other pcap capture functions, can I then use the dump functions in libpcap directly, like

pd = pcap_open_live("eth0", SNAPLEN, PROMISC, READ_TIMEOUT, errorbuf); /* pcap open for dumpfile */
p = pcap_dump_open(pd, DUMP_FILE);
pcap_dump(...);

etc., to dump the packets obtained through recvfrom(...)?
Wireshark needs the dumpfile to have some other info like time, length, ... instead of just the raw packet.
Thank you for your reply, as this is my first question.
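The answer to both the first post (adding a dump to simplesniffer.c) and the third post (feeding recvfrom() frames to the libpcap dump functions) is yes, and pcap_open_live() is not needed for it: the frames come from the raw socket, so libpcap only has to know the link type and snaplen. With libpcap that is pd = pcap_open_dead(DLT_EN10MB, SNAPLEN); p = pcap_dump_open(pd, DUMP_FILE); then per frame fill a struct pcap_pkthdr hdr (hdr.ts from gettimeofday(), hdr.caplen = hdr.len = n_read) and call pcap_dump((u_char *)p, &hdr, buffer); finally pcap_dump_close(p) and pcap_close(pd). The example below is added here and is not code from the thread or from libpcap; it writes the same pcap file layout those calls produce (global header, then a 16-byte record header with timestamp, captured length and wire length before each frame), so it builds without -lpcap and shows exactly the metadata Wireshark needs. The output path ./dumpfile.cap, the helper names and the 42-byte sample frame are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Classic pcap file-format constants; identical to what libpcap writes. */
#define PCAP_MAGIC_USEC   0xa1b2c3d4u /* host byte order, microsecond timestamps */
#define LINKTYPE_ETHERNET 1           /* same value as libpcap's DLT_EN10MB */
#define DUMP_SNAPLEN      1514        /* max bytes stored per frame, as in the post */

/* 24-byte global header, written once at the start of the file. */
struct pcap_global_hdr {
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;   /* GMT offset; always 0 */
    uint32_t sigfigs;    /* always 0 */
    uint32_t snaplen;
    uint32_t linktype;
};

/* 16-byte record header before every frame: the on-disk form of
 * libpcap's struct pcap_pkthdr {ts, caplen, len}. */
struct pcap_rec_hdr {
    uint32_t ts_sec, ts_usec;
    uint32_t caplen;     /* bytes stored after this header */
    uint32_t len;        /* original length on the wire */
};

/* Same effect as pcap_dump_open(pcap_open_dead(DLT_EN10MB, DUMP_SNAPLEN), path):
 * no interface is opened, only link type and snaplen are recorded. */
int pcap_write_header(FILE *fp)
{
    struct pcap_global_hdr gh = { PCAP_MAGIC_USEC, 2, 4, 0, 0,
                                  DUMP_SNAPLEN, LINKTYPE_ETHERNET };
    return fwrite(&gh, sizeof gh, 1, fp) == 1 ? 0 : -1;
}

/* Append one frame exactly as recvfrom() returned it. libpcap equivalent:
 * fill struct pcap_pkthdr h = {tv, caplen, len}, pcap_dump((u_char *)d, &h, frame).
 * Oversized frames are truncated to the snaplen but keep the true 'len',
 * which is how Wireshark reports them as cut. Returns bytes stored or -1. */
long pcap_write_frame(FILE *fp, const unsigned char *frame, size_t wirelen,
                      const struct timeval *tv)
{
    size_t caplen = wirelen > DUMP_SNAPLEN ? DUMP_SNAPLEN : wirelen;
    struct pcap_rec_hdr rh = { (uint32_t)tv->tv_sec, (uint32_t)tv->tv_usec,
                               (uint32_t)caplen, (uint32_t)wirelen };
    if (fwrite(&rh, sizeof rh, 1, fp) != 1) return -1;
    if (caplen > 0 && fwrite(frame, 1, caplen, fp) != caplen) return -1;
    return (long)caplen;
}

/* Minimal reader: rewinds and walks the records, returning their count
 * or -1 if the magic or a length field is inconsistent. */
long pcap_count_records(FILE *fp)
{
    struct pcap_global_hdr gh;
    struct pcap_rec_hdr rh;
    long n = 0;
    if (fseek(fp, 0, SEEK_SET) != 0) return -1;
    if (fread(&gh, sizeof gh, 1, fp) != 1 || gh.magic != PCAP_MAGIC_USEC) return -1;
    while (fread(&rh, sizeof rh, 1, fp) == 1) {
        if (rh.caplen > gh.snaplen || rh.caplen > rh.len) return -1;
        if (fseek(fp, (long)rh.caplen, SEEK_CUR) != 0) return -1;
        n++;
    }
    return n;
}

/* Constructed sample: 42-byte Ethernet/IPv4/UDP frame (made-up addresses,
 * checksums left zero), the minimum size the sniffer in the post accepts. */
size_t build_sample_frame(unsigned char *out)
{
    static const unsigned char frame[42] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
        0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,           /* IPv4, proto 17 */
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                /* 10.0.0.1 -> 10.0.0.2 */
        0x04,0xd2, 0x00,0x35, 0x00,0x08, 0x00,0x00 };                            /* UDP 1234 -> 53 */
    memcpy(out, frame, sizeof frame);
    return sizeof frame;
}

/* Stand-alone demo: writes ./dumpfile.cap (path is an assumption) with the
 * sample frame stamped with the current time, as a sniffer would after recvfrom(). */
int main(void)
{
    unsigned char buf[DUMP_SNAPLEN];
    struct timeval tv;
    size_t n = build_sample_frame(buf);
    FILE *fp = fopen("./dumpfile.cap", "wb");
    if (fp == NULL || pcap_write_header(fp) != 0) return 1;
    gettimeofday(&tv, NULL);
    if (pcap_write_frame(fp, buf, n, &tv) < 0) return 1;
    return fclose(fp) == 0 ? 0 : 1;
}
```

Build with a plain cc and open the result with Wireshark or tcpdump -r dumpfile.cap. In a real sniffer, call pcap_write_header() once before the recvfrom() loop and pcap_write_frame() once per frame with n_read as the wire length; the magic is written in host byte order and readers detect the endianness from it, so a file produced on a big-endian embedded board opens fine on a little-endian desktop. The link type must match what the socket delivers: PF_PACKET with SOCK_RAW hands over the full Ethernet frame, so DLT_EN10MB is right; a SOCK_DGRAM packet socket strips the Ethernet header and would need a different link type such as DLT_RAW. For timestamps closer to the kernel's receive time, SO_TIMESTAMP plus recvmsg() returns a struct timeval in ancillary data that can be stored in place of the gettimeofday() value. Two things in the fragment posted above also go away with this layout: the local char *p in main() shadows the global pcap_dumper_t *p (so the dump handle the signal handler closes is never the one that was opened), and the device and dump file must not be reopened on every loop iteration.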
 
  


All times are GMT -5.