How do I remove the NFLOG interface?

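I am trying to write a packet sniffing program in C, but the code I have tried from various public sources does not return traffic from my Ethernet port "em1"; it always reads the "nflog interface" instead.

The code is as follows: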

/***************************************************
 * file:     testpcap1.c
 * Date:     Thu Mar 08 17:14:36 MST 2001
 * Author:   Martin Casado
 * Location: LAX Airport (hehe)
 *
 * Simple single packet capture program
 *****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h> /* if this gives you an error try pcap/pcap.h */
#include <errno.h>
#include <time.h> /* ctime() */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h> /* includes net/ethernet.h */

int main(int argc, char **argv)
{
int i;
char *dev;
//char dev[] = "em1"; /* Device to sniff on */
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *descr;
const u_char *packet;
struct pcap_pkthdr hdr;     /* pcap.h */
struct ether_header *eptr;  /* net/ethernet.h */

u_char *ptr; /* printing out hardware header info */

/* grab a device to peek into... */
dev = pcap_lookupdev(errbuf);

if(dev == NULL)
{
    printf("%s\n",errbuf);
    exit(1);
}

printf("DEV: %s\n",dev);

/* open the device for sniffing.

   pcap_t *pcap_open_live(char *device,int snaplen, int promisc,int to_ms,
   char *ebuf)

   snaplen - maximum size of packets to capture in bytes
   promisc - set card in promiscuous mode?
   to_ms   - time to wait for packets in milliseconds before read
   times out
   errbuf  - if something happens, place error string here

   Note if you change "promisc" param to anything other than zero, you will
   get all packets your device sees, whether they are intended for you or
   not!! Be sure you know the rules of the network you are running on
   before you set your card in promiscuous mode!!     */

descr = pcap_open_live(dev,BUFSIZ,0,-3,errbuf);

if(descr == NULL)
{
    printf("pcap_open_live(): %s\n",errbuf);
    exit(1);
}


/*
   grab a packet from descr (yay!)                    
   u_char *pcap_next(pcap_t *p,struct pcap_pkthdr *h) 
   so just pass in the descriptor we got from         
   our call to pcap_open_live and an allocated        
   struct pcap_pkthdr                                 */

packet = pcap_next(descr,&hdr);

if(packet == NULL)
{/* dinna work *sob* */
    printf("Didn't grab packet\n");
    exit(1);
}


/*  struct pcap_pkthdr {
    struct timeval ts;   time stamp 
    bpf_u_int32 caplen;  length of portion present 
    bpf_u_int32 len;     length this packet (off wire) 
    }
 */

printf("Grabbed packet of length %d\n",hdr.len);
printf("Recieved at ..... %s\n",ctime((const time_t*)&hdr.ts.tv_sec)); 
printf("Ethernet address length is %d\n",ETHER_HDR_LEN);

/* lets start with the ether header... */
eptr = (struct ether_header *) packet;

/* Do a couple of checks to see what packet type we have..*/
if (ntohs (eptr->ether_type) == ETHERTYPE_IP)
{
    printf("Ethernet type hex:%x dec:%d is an IP packet\n",
            ntohs(eptr->ether_type),
            ntohs(eptr->ether_type));
}else  if (ntohs (eptr->ether_type) == ETHERTYPE_ARP)
{
    printf("Ethernet type hex:%x dec:%d is an ARP packet\n",
            ntohs(eptr->ether_type),
            ntohs(eptr->ether_type));
}else {
    printf("Ethernet type %x not IP", ntohs(eptr->ether_type));
    exit(1);
}

/* copied from Stevens' UNP */
ptr = eptr->ether_dhost;
i = ETHER_ADDR_LEN;
printf(" Destination Address:  ");
do{
    printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++);
}while(--i>0);
printf("\n");

ptr = eptr->ether_shost;
i = ETHER_ADDR_LEN;
printf(" Source Address:  ");
do{
    printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++);
}while(--i>0);
printf("\n");

return 0;

}

It returns the output as:

DEV : nflog

Then it just keeps blinking.

What could be the problem here?

I also tried declaring dev as em1, but the output was as follows:

DEV: em1
Didn't grab packet

tcpdump -D gives the following output:

tcpdump -D
1.nflog (Linux netfilter log (NFLOG) interface)
2.nfqueue (Linux netfilter queue (NFQUEUE) interface)
3.em1
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.usbmon3 (USB bus number 3)
7.usbmon4 (USB bus number 4)
8.any (Pseudo-device that captures on all interfaces)
9.lo

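Answer 1

What could be the problem here?

The problem is that you believe pcap_lookup() will return the device you want to capture on. There is no guarantee that it will do so; instead, you should let the user specify the device.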
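
The answer's advice as an added example, not code from the original post or from libpcap: the device comes from the command line and is resolved against the device list, by exact name or by its number in the `tcpdump -D` listing, and is never defaulted. `resolve_device` and `sample_devs` are hypothetical names, accepting an index is an assumption of this example, and the list is constructed from the listing in the question (a real program would fill it from pcap_findalldevs()).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the device names from the `tcpdump -D` listing in the
 * question, in the same order. A real program would fill this list from
 * pcap_findalldevs(). */
static const char *const sample_devs[] = {
    "nflog", "nfqueue", "em1", "usbmon1", "usbmon2",
    "usbmon3", "usbmon4", "any", "lo"
};
#define N_SAMPLE (sizeof sample_devs / sizeof sample_devs[0])

/* Resolve the user's argument to a device name (hypothetical helper).
 * Accepts an exact name ("em1") or a 1-based index as printed by
 * `tcpdump -D` ("3"). Returns NULL when no argument is given or nothing
 * matches; it never falls back to the first entry of the list, which in
 * the question's listing is "nflog". */
const char *resolve_device(const char *arg, const char *const devs[], size_t n)
{
    char *end;
    long idx;
    size_t i;

    if (arg == NULL || *arg == '\0')
        return NULL;
    for (i = 0; i < n; i++)            /* exact name match first */
        if (strcmp(arg, devs[i]) == 0)
            return devs[i];
    errno = 0;
    idx = strtol(arg, &end, 10);       /* otherwise try a list index */
    if (errno != 0 || end == arg || *end != '\0')
        return NULL;                   /* not a clean decimal number */
    if (idx < 1 || (unsigned long)idx > n)
        return NULL;                   /* index outside the list */
    return devs[idx - 1];
}

int main(int argc, char **argv)
{
    const char *dev = resolve_device(argc > 1 ? argv[1] : NULL,
                                     sample_devs, N_SAMPLE);
    if (dev == NULL) {
        fprintf(stderr, "usage: %s <device name or index>\n", argv[0]);
        return 2;
    }
    printf("DEV: %s\n", dev);  /* this is the name to pass to pcap_open_live() */
    return 0;
}
```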
