网络数据包检测抓包一例

image

代码:

   1:  /*
   2:   * =====================================================================================
   3:   *
   4:   *       Filename:  cap.c
   5:   *
   6:   *    Description:  
   7:   *
   8:   *        Version:  1.0
   9:   *        Created:  03/15/2013 11:23:38 AM
  10:   *       Revision:  none
  11:   *       Compiler:  gcc
  12:   *
  13:   *         Author:  YOUR NAME (), 
  14:   *        Company:  
  15:   *
  16:   * =====================================================================================
  17:   */
  18:   
  19:   
  20:  #include <pcap/pcap.h>
  21:   
  22:  #include <stdio.h>
  23:  #include <stdlib.h>
  24:   
  25:  #define N 256
  26:   
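void handler(u_char *arg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    /*
     * pcap_loop() callback: bumps the packet counter and hex-dumps the
     * captured bytes, 16 per row.
     *
     * arg     - pointer to the int counter that main() passes to pcap_loop().
     * pkthdr  - capture header. caplen is how many bytes are actually present
     *           in packet[]; len is the frame's size on the wire.
     * packet  - caplen bytes of frame data owned by libpcap; not retained.
     */
    int *count = (int *)arg;
    /* Only caplen bytes were copied into packet[]. The original loop ran to
     * len, which reads past the buffer for any frame longer than the snaplen
     * given to pcap_open_live(). */
    const bpf_u_int32 captured = pkthdr->caplen;

    printf("Packet Count: %d\n", ++(*count));
    /* len is bpf_u_int32 (unsigned), so %u rather than %d */
    printf("Received package size :%u\n", pkthdr->len);
    if (captured < pkthdr->len) {
        printf("(truncated: %u of %u bytes captured)\n", captured, pkthdr->len);
    }

    printf("Payload:\n");
    for (bpf_u_int32 i = 0; i < captured; i++) {
        printf("%02x ", (unsigned int)packet[i]);
        /* newline after every 16th byte and after the final (possibly short) row */
        if (i % 16 == 15 || i == captured - 1) {
            printf("\n");
        }
    }
    printf("\n\n****************************************\n");
}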
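int main(int argc, char *argv[])
{
    /*
     * Capture two frames matching a hard-coded BPF filter on the device named
     * by argv[1] (or the one libpcap picks when no argument is given) and
     * hex-dump each through handler().
     *
     * Returns EXIT_SUCCESS after two frames, EXIT_FAILURE on any libpcap
     * error. Live capture normally needs root or CAP_NET_RAW.
     */
    char *device;
    int count = 0;
    char err_buffer[N];            /* N matches libpcap's PCAP_ERRBUF_SIZE (256) */
    bpf_u_int32 netp = 0;
    bpf_u_int32 maskp = 0;
    pcap_t *p = NULL;
    struct bpf_program fp;
    int rc = EXIT_FAILURE;
    char str[40] = "host 192.168.1.173";  /* filter expression */

    /* Choose the capture device. pcap_lookupdev() returns NULL with
     * err_buffer filled in when it finds no usable device; the original code
     * passed that NULL straight into printf() and pcap_lookupnet(). (Newer
     * libpcap deprecates pcap_lookupdev() in favour of pcap_findalldevs();
     * kept here to match the rest of the listing.) */
    if (argc < 2) {
        device = pcap_lookupdev(err_buffer);
        if (device == NULL) {
            fprintf(stderr, "error! %s\n", err_buffer);
            return EXIT_FAILURE;
        }
    } else {
        device = argv[1];
    }
    printf("device : %s\n", device);

    /* Network number and netmask of the device; maskp feeds pcap_compile(). */
    if (pcap_lookupnet(device, &netp, &maskp, err_buffer) < 0) {
        fprintf(stderr, "error! %s\n", err_buffer);
        return EXIT_FAILURE;
    }

    /* Open for live capture: snaplen 2048, promiscuous mode, no read timeout.
     * Frames longer than 2048 bytes arrive truncated (pkthdr->caplen < len),
     * which is why handler() must bound its dump by caplen. */
    p = pcap_open_live(device, 2048, 1, 0, err_buffer);
    if (p == NULL) {
        fprintf(stderr, "error! %s\n", err_buffer);
        return EXIT_FAILURE;
    }

    /* Compile the filter expression into a BPF program (optimize = 1). From
     * here on every failure path releases the handle via the labels below. */
    if (pcap_compile(p, &fp, str, 1, maskp) < 0) {
        fprintf(stderr, "fail to pcap_compile: %s\n", pcap_geterr(p));
        goto out_close;
    }

    /* The original message here said "pcap_next", which is not what failed. */
    if (pcap_setfilter(p, &fp) < 0) {
        fprintf(stderr, "fail to pcap_setfilter: %s\n", pcap_geterr(p));
        goto out_free;
    }

    /* Capture two frames; handler() increments count through the user arg. */
    if (pcap_loop(p, 2, handler, (u_char *)&count) < 0) {
        fprintf(stderr, "fail to pcap_loop: %s\n", pcap_geterr(p));
        goto out_free;
    }
    rc = EXIT_SUCCESS;

out_free:
    pcap_freecode(&fp);
out_close:
    pcap_close(p);
    return rc;
}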
 110:   

运行:

image

然后在windows下,或者再开一个窗口,ping 过滤条件中的ip地址。

image

可以看到,已经捕获到两帧数据。

image

可以看到,捕获到的第一帧数据的目的MAC是 ff ff ff ff ff ff,即广播数据包的目的MAC;源MAC地址是 4c 72 b9 05 1e 90,它是我的windows下面网卡的物理MAC地址。协议类型为 0806,说明这是一个ARP协议包,用于地址解析,属于数据链路层协议。收到的第二帧数据是虚拟机回复的消息。

下面是通过抓包工具wireshark的抓包结果:

image

原文地址:https://www.cnblogs.com/pengdonglin137/p/2963251.html