Libpcap tutorial-01

• Download libpcap source from www.tcpdump.org here

• Download libpcap for win32 fromwww.winpcap.org

• Check out a better pcap tutorial here

Front matter:  This is a slightly modified and extended version of my older pcap tutorial.  Revisiting this work five years later, I am necessarily dumber (age and beer) yet hopefully somewhat more knowledgeable.  Contact information has changed, please send your hate-mail to casado at cs.stanford.edu.

Contents

• Intro (You are already here)

• Capturing our First Packet

• Writing a Basic Packet Capturing Engine

• Analyzing packets..... (in progress)

Who this is for:  This tutorial assumes a cursory knowledge in networks; what a packet is, Ethernet vs. IP vs. TCP vs. UDP etc. If these concepts are foreign I highly suggest you invest in a good (e.g. probably can't find at Best Buy) networking book.  My favorites are:

• Computer Networking : A Top-Down Approach Featuring the Internet (3rd Edition) by James F. Kurose, Keith W. Ross
  

• UNIX Network Programming by W. Richard Stevens

• The Protocols (TCP/IP Illustrated, Volume 1) by W. Richard Stevens

This tutorial does not assume any previous knowledge in network programming, just a basic familiarity with c.  If you already are a c/c++ master, then you might as well just man 3 pcap.  You should have a working c compiler on your system and libpcap installed.  All source in this section was written and tested on linux, kernel 2.2.14, while it should be mostly portable (hehe) I can't guarantee that it will compile or run on other operating systems.  You are going to want to run as root so be careful and be sure not to break your box in the meantime. Oh, and though I have tested and run all the code presented in this tutorial with no problems, I am NOT responsible if your shit breaks and has to be quarantined by the health department...  aka play at your own risk....  

hcn# gcc ldev.c -lpcap

/* ldev.c   
   编译指令
   >gcc ldev.c -lpcap

   查询网卡, 展示与该网卡相关的网络地址和子网掩码
*/
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>      /* GIMME a libpcap plz! */
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
  char *dev; /* 网卡名称 */ 
  char *net; /* 用点标识的网络地址  */
  char *mask;/* 用点标识的子网掩码  */
  int ret;   /* 返回标识 */
  
  char errbuf[PCAP_ERRBUF_SIZE];    /* 错误信息 */
  bpf_u_int32 netp;     /* 网络地址          */
  bpf_u_int32 maskp;    /* 子网掩码 */
  
  struct in_addr addr;

  /* 通过pcap去发现一个可用的网卡用于嗅探 */
  dev = pcap_lookupdev(errbuf);

  /* 检测是否找到可用网卡 */
  if(dev == NULL)
  {
   printf("%s\n",errbuf);
   exit(1);
  }

  /* 打印网卡名称 */
  printf("DEV: %s\n",dev);

  /* 通过pcap查询网卡的网络地址和子网掩码*/
  ret = pcap_lookupnet(dev,&netp,&maskp,errbuf);

  /* 检测上不操作是否成功 */
  if(ret == -1)
  {
   printf("%s\n",errbuf);
   exit(1);
  }

  /* 将网络地址从网络格式转化为人可读格式*/
  addr.s_addr = netp;
  net = inet_ntoa(addr);

  /* 检测转化是否成功 */
  if(net == NULL)
  {
    perror("inet_ntoa");
    exit(1);
  }

  /* 打印网络地址*/
  printf("NET: %s\n",net);

  /* 将子网掩码地址从网络格式转为人可读格式*/
  addr.s_addr = maskp;
  mask = inet_ntoa(addr);
  
  if(mask == NULL)
  {
    perror("inet_ntoa");
    exit(1);
  }
  
  /* 打印子网掩码*/
  printf("MASK: %s\n",mask);

  return 0;
}

加入编译和执行正确，控制台将显示如下信息：

DEV: eth0
NET: 192.168.12.0
MASK: 255.255.255.0

The value for DEV is your default interface name (likely eth0 on linux, could be eri0 on solaris). The NET and MASK values are your primary interface's subnet and subnet mask.  Don't know what those are? Might want to read this.

"So what did we just do?", you ask.  Well, we just asked libpcap to give us some specs on an interface to listen on.
"Whats an interface?"
Just think of an interface as your computers hardware connection to whatever network your computer is connected to.  On Linux, eth0 denotes the first Ethernet card in your computer.  (btw you can list all of your interfaces using the ifconfig command).

OK at this point we can compile a pcap program that essentially does nothing.  On to grabbing our first packet ...