597435012 羅淑美 597435003 張麗娟 597435004 許智威 597435010 周玉玲 597435015 ...


Description

597435012 羅淑美, 597435003 張麗娟, 597435004 許智威, 597435010 周玉玲, 597435015 洪江西. Group 4: Network Packet Monitoring Program. Agenda: Introduction, Functions, Overall program introduction, Program-related issues, Appendix. Introduction: 1.1 Purpose, 1.2 System, 1.3 Selecting the network interface, 1.4 Packet capture parameters, 1.5 Packet filtering. 1.1 Purpose: 1. Packet capture library (libpcap) for network packet capture. (PowerPoint PPT presentation)

Transcript of 597435012 羅淑美 597435003 張麗娟 597435004 許智威 597435010 周玉玲 597435015 ...


  • Agenda: Introduction, Functions, Overall program introduction, Program-related issues, Appendix

  • Introduction: 1.1 Purpose, 1.2 System, 1.3 Selecting the network interface, 1.4 Packet capture parameters, 1.5 Packet filtering

  • 1.1 Purpose

    1. Packet capture library (libpcap)
    2. header / payload
    3. (IP address / ICMP / ALL)
    4. Filter / All Packet
    5. Save / Load

  • 1.2 System

    Linux base, C; rpm; (tcpdump.doc)

  • 1.3 libpcap functions used: pcap_lookupdev(), pcap_open_live(), pcap_compile(), pcap_setfilter(), pcap_next(), pcap_loop()

  • 1.3 Selecting the network interface

    errbuf: buffer that receives the error message if no device is found

    char *pcap_lookupdev(char *errbuf)

  • 1.4 Packet capture parameters

    // device: interface to open
    // snaplen: maximum number of bytes captured per packet
    // promisc: promiscuous / non-promiscuous mode
    // to_ms: read timeout before packets are passed from kernel space to user space
    // errbuf: error message buffer
    // returns a packet capture descriptor, or NULL on error

    pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)

  • 1.5 Packet filtering (1/4)

    pcap_compile() and pcap_setfilter()

  • 1.5 Packet filtering (2/4)

    1. Filter expression, e.g. express = ip, express = src ip
    2. Compile the filter expression into a BPF program
    3. Apply the BPF program as the capture filter

  • 1.5 Packet filtering (3/4)

    // pcap_t *p: packet capture descriptor returned by pcap_open_live
    // struct bpf_program *fp: fp receives the compiled bpf_program
    // str: filter expression string
    // netmask: netmask of the network

    pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)

  • 1.5 Packet filtering (4/4)

    // pcap_setfilter: apply the compiled program fp to descriptor p
    // pcap_lookupnet: device, netp (network address), maskp (netmask)

    pcap_setfilter(pcap_t *p, struct bpf_program *fp)

    pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)

  • Functions: pcap_next(), pcap_loop()

  • pcap_next()

    1. The first argument is our session handle.
    2. The second argument is a pointer to a structure that holds general information about the packet, specifically the time at which it was sniffed, the length of this packet, and the length of this specific portion (in case it is fragmented, for example).

    pcap_next() returns a u_char pointer to the packet that is described by this structure.

    u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)

  • pcap_loop()

    1. The first argument is our session handle.
    2. Following that is an integer that tells pcap_loop() how many packets it should sniff before returning (a negative value means it should sniff until an error occurs).
    3. The third argument is the name of the callback function (just its identifier, no parentheses).
    4. The last argument is useful in some applications, but many times is simply set to NULL.

    int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)

  • Program overview: 1.1, 1.2

  • 1.1

  • 1.2 item 1

  • 1.2 item 2

  • 1.2 item 3

  • 1.2 item 5

  • 1.2 item 6

  • 1. 2. 3.

    Bugs: 1. Item 4 (Save/Load information to file) merged into the codec on 1/17; saved as netcapture_0118. 2. pcap_loop()

  • Workflow: => => => => web office => Demo => => Filter => IP address: Filter ICMP: Filter all: Save/load: Code: Demo:

  • Schedule (I)

    2008/11/15, 2008/11/25, 2008/12/2, 2008/12/8. Skype, skype, skype; all, all, all, all. 1. 2. 3. 1. 2. 3. Wireshark / TCPdump 4. 11/27 Presentation 1. Web office ==> 2. 1. and final define; define => => => => => Presentation =>

  • Schedule (II)

    2008/12/9, 2008/12/11, 2008/12/25, 2009/1/13. skype, skype, skype, skype; all, all, all, all. 1. Go through. Web office, code check: code --> 1/6 --> IP address --> ICMP --> all --> save/load --> code --> , --> 1/9 -> --> 1/12 Review --> 1/13 Demo => & -> 1/18 1. Review 2. check 1/18 demo

  • Appendix

    http://www.wireshark.org/
    http://docstore.mik.ua/orelly/networking_2ndEd/tshoot/ch05_04.htm
    http://www.at.tcpdump.org/pcap.htm

  • Thank You !

    Notes: pcap_next() takes the packet capture descriptor from pcap_open_live; pcap_next() returns a u_char pointer.

    pcap: pcap_loop() and pcap_dispatch() deliver packets to user space.

    Tasks 1. 2. 3. Web office. pcap layers: layer 2 Ethernet; layer 3 IP; layer 4 TCP, UDP, ICMP. ICMP protocol: the layer 2 header is 14 bytes with type 0x0800, the payload is IP, and ICMP is identified by the Protocol field of the IP header. C header field; C; TCPDUMP.
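The notes above describe the layer structure the program decodes (14-byte Ethernet header, EtherType 0x0800, IP header Protocol field, ICMP) and the three capture modes from the Purpose slide (IP address / ICMP / all). The following C block is an added example, not the group's code, of the decode-and-filter logic that the callback passed to pcap_loop() would run on each frame; the names frame_info, decode_frame, matches_filter, sample_icmp_type and sample_matches are hypothetical, and the sample frame is constructed. It deliberately bounds-checks every header against the captured length, since snaplen can truncate a frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the group's code): the decode and filter logic that a
 * pcap_loop() callback would apply to each captured frame.  Names such as
 * frame_info, decode_frame and matches_filter are hypothetical. */

#define ETH_HDR_LEN   14      /* layer-2 (Ethernet) header: 14 bytes */
#define ETHERTYPE_IP  0x0800  /* EtherType for an IP payload */
#define IP_PROTO_ICMP 1       /* value of the IP header Protocol field for ICMP */
#define ICMP_HDR_LEN  8

enum filter_mode { FILTER_ALL, FILTER_IP_ADDR, FILTER_ICMP };

struct frame_info {
    int      is_ip;      /* EtherType 0x0800 and a complete IPv4 header */
    uint8_t  ip_proto;   /* IP header Protocol field */
    uint32_t src_ip;     /* addresses in host byte order */
    uint32_t dst_ip;
    int      is_icmp;    /* Protocol == 1 and the 8-byte ICMP header is present */
    uint8_t  icmp_type;
};

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Decode one frame.  'caplen' is the captured length (pcap_pkthdr.caplen), which
 * can be shorter than the frame when snaplen is small, so every header is
 * bounds-checked before it is read.  Returns 0 for an IPv4 frame, -1 otherwise. */
int decode_frame(const unsigned char *buf, size_t caplen, struct frame_info *out)
{
    memset(out, 0, sizeof *out);
    if (caplen < ETH_HDR_LEN || rd16(buf + 12) != ETHERTYPE_IP)
        return -1;
    const unsigned char *ip = buf + ETH_HDR_LEN;
    size_t rem = caplen - ETH_HDR_LEN;
    if (rem < 20 || (ip[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length incl. options */
    if (ihl < 20 || ihl > rem)
        return -1;
    out->is_ip    = 1;
    out->ip_proto = ip[9];
    out->src_ip   = rd32(ip + 12);
    out->dst_ip   = rd32(ip + 16);
    if (out->ip_proto == IP_PROTO_ICMP && rem - ihl >= ICMP_HDR_LEN) {
        out->is_icmp   = 1;
        out->icmp_type = ip[ihl];
    }
    return 0;
}

/* The three capture modes from the slides: all packets, one IP address, ICMP only. */
int matches_filter(const struct frame_info *fi, enum filter_mode mode, uint32_t addr)
{
    switch (mode) {
    case FILTER_ALL:     return 1;
    case FILTER_IP_ADDR: return fi->is_ip && (fi->src_ip == addr || fi->dst_ip == addr);
    case FILTER_ICMP:    return fi->is_icmp;
    }
    return 0;
}

/* Constructed sample frame: Ethernet + IPv4 + ICMP echo request, 10.0.0.1 -> 10.0.0.2
 * (checksums left as zero; they are not validated here). */
static const unsigned char SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x1c, 0x00,0x01, 0x00,0x00, 0x40,0x01, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x08,0x00, 0x00,0x00, 0x00,0x01, 0x00,0x01
};

/* Decode the sample as if captured with the given caplen.  Returns the ICMP type,
 * -2 if it decoded as IP without a complete ICMP header, or -1 if not IPv4 at all. */
int sample_icmp_type(size_t caplen)
{
    struct frame_info fi;
    if (decode_frame(SAMPLE_FRAME, caplen, &fi) != 0) return -1;
    return fi.is_icmp ? fi.icmp_type : -2;
}

/* Apply one filter mode to the full sample frame. */
int sample_matches(enum filter_mode mode, uint32_t addr)
{
    struct frame_info fi;
    decode_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &fi);
    return matches_filter(&fi, mode, addr);
}

int main(void)
{
    struct frame_info fi;
    if (decode_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &fi) == 0)
        printf("proto=%u src=%08x dst=%08x icmp=%d type=%u\n",
               (unsigned)fi.ip_proto, (unsigned)fi.src_ip, (unsigned)fi.dst_ip,
               fi.is_icmp, (unsigned)fi.icmp_type);
    return 0;
}
```

In the real program the callback given to pcap_loop() receives the `u_char *` packet pointer and the `struct pcap_pkthdr` whose `caplen` field is what decode_frame() expects; the same logic also works on packets returned by pcap_next(). A BPF filter set with pcap_setfilter() already discards non-matching frames in the kernel, but the user-space check still matters for the Save/Load path, where frames read back from a file were not filtered at capture time.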