The Super Handy Packet Capture Framework WinDivert, Part 2 (Filter Language)

Source: Internet  Published by: 知乎营销案例  Editor: 程序博客网  Time: 2024/06/07 18:03

1.1 Basic API
WinDivertOpen // 1. Open a WinDivert handle with a filter
WinDivertHelperCheckFilter // 2. Check that the filter string conforms to the grammar
WinDivertRecv // 3. Receive the raw packet
WinDivertHelperParsePacket // 4. Parse the raw packet's header fields
WinDivertHelperCalcChecksums // 5. Recompute the checksums after modification
// 6. Change the address (higher or lower)
WinDivertSend // 7. Send the raw packet back out

1.2 Filter Language
The WinDivertOpen() function takes a string containing a filter expression. Only packets that match the filter expression are diverted to the application; every other packet continues through the network stack as normal. The filter therefore lets an application select just the subset of traffic it is interested in, rather than handling everything.
For example, a URL blacklist filter is only interested in packets that carry a URL (outbound HTTP requests). This can be expressed with the following filter.
#include "windivert.h"   // WinDivert header; link against WinDivert.lib

HANDLE handle = WinDivertOpen(
    "outbound and "              // outgoing packets only
    "tcp.PayloadLength > 0 and " // with a non-empty TCP payload
    "tcp.DstPort == 80",         // destined for TCP port 80 (HTTP)
    WINDIVERT_LAYER_NETWORK, 0, 0); // layer, priority, flags
if (handle == INVALID_HANDLE_VALUE)
    ; // handle the error: GetLastError() returns ERROR_INVALID_PARAMETER for a malformed filter
Standard filter grammar:
FILTER := true | false | FILTER and FILTER | FILTER or FILTER | (FILTER) | TEST
Table 3-1 Relational operators
Operator   Description
== or =    Equal
!=         Not equal
<          Less-than
>          Greater-than
<=         Less-than-or-equal
>=         Greater-than-or-equal

Table 3-2 Filter field names
Field               Description
outbound            Is outbound?
inbound             Is inbound?
ifIdx               Interface index
subIfIdx            Sub-interface index
ip                  Is IPv4?
ipv6                Is IPv6?
icmp                Is ICMP?
icmpv6              Is ICMPv6?
tcp                 Is TCP?
udp                 Is UDP?
ip.*                IPv4 fields (see WINDIVERT_IPHDR)
ipv6.*              IPv6 fields (see WINDIVERT_IPV6HDR)
icmp.*              ICMP fields (see WINDIVERT_ICMPHDR)
icmpv6.*            ICMPv6 fields (see WINDIVERT_ICMPV6HDR)
tcp.*               TCP fields (see WINDIVERT_TCPHDR)
tcp.PayloadLength   The TCP payload length
udp.*               UDP fields (see WINDIVERT_UDPHDR)
udp.PayloadLength   The UDP payload length
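As an added example (not part of the original post and not WinDivert's own parser), the following Python evaluator implements the FILTER grammar above over a constructed packet summary built from the Table 3-1 operators and Table 3-2 fields, so you can see exactly which packets a filter diverts and have a malformed filter rejected instead of silently matching. It assumes `and` binds tighter than `or`, which the grammar as written leaves ambiguous; real filters should use parentheses.

```python
import re

# Constructed packet summary (not a real capture): the Table 3-2 fields a filter may
# reference, here an outbound HTTP request carrying a 120-byte TCP payload.
PKT_HTTP_OUT = {"outbound": True, "inbound": False, "ip": True, "ipv6": False,
                "tcp": True, "udp": False, "tcp.DstPort": 80, "tcp.PayloadLength": 120}
TOKEN = re.compile(r"\s*(\(|\)|==|!=|<=|>=|<|>|=|[A-Za-z0-9_.]+)")  # Table 3-1 operators
OPS = {"==": lambda a, b: a == b, "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

def tokenize(text):
    # Reject any character the grammar has no use for instead of silently skipping it.
    pos, out, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise ValueError("bad filter at offset %d" % pos)
        out.append(m.group(1)); pos = m.end()
    return out

class Parser:
    # FILTER := true | false | FILTER and FILTER | FILTER or FILTER | (FILTER) | TEST
    # Assumption: 'and' binds tighter than 'or'; use parentheses in real filters.
    def __init__(self, text, pkt):
        self.toks, self.i, self.pkt = tokenize(text), 0, pkt
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): tok = self.peek(); self.i += 1; return tok
    def parse_or(self):
        v = self.parse_and()
        while self.peek() == "or":
            self.take(); rhs = self.parse_and(); v = v or rhs  # no short-circuit: whole filter is checked
        return v
    def parse_and(self):
        v = self.parse_atom()
        while self.peek() == "and":
            self.take(); rhs = self.parse_atom(); v = v and rhs
        return v
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            v = self.parse_or()
            if self.take() != ")": raise ValueError("missing ')'")
            return v
        if tok in ("true", "false"): return tok == "true"
        if tok not in self.pkt: raise ValueError("unknown field or syntax error at %r" % tok)
        if self.peek() in OPS:  # TEST := field OPERATOR number
            op = self.take(); return OPS[op](self.pkt[tok], int(self.take() or ""))
        return bool(self.pkt[tok])  # bare boolean field such as "outbound"

def matches(filter_text, pkt):
    # True if this packet would be diverted; ValueError if the filter is malformed.
    p = Parser(filter_text, pkt); result = p.parse_or()
    if p.peek() is not None: raise ValueError("unexpected token %r" % p.peek())
    return result
```

Running the page's URL-blacklist filter against the constructed packet returns True, while the same packet with tcp.DstPort 443 returns False.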
