循序渐进学习使用WINPCAP（七）

处理脱机的转储文件

在这一章，我们将要学习如何处理数据包，继而将它转储到文件中。WinPcap提供了丰富的函数来将流经网络的数据包保存到一个转储文件并且读取转储文件的内容。这一章将讲述如何使用这些函数。我们也将看到如何使用WinPcap的内核转储功能来得到高性能的转储（注意：目前，由于新内核缓存的一些问题，这个功能暂时被关闭）。

转储文件的格式很简单，是libpcap的一种。它包含了所捕捉的数据报的二进制内容，这种格式也是很多网络工具的标准，如WinDump，Ethereal和Snort。

• 关于如何将数据报保存到转储文件

首先，让我们看看如何以libpcap的格式书写数据报。下面的例子从所选的接口捕捉数据报并将它们存储到一个用户指定的文件。

 #include "pcap.h"/* 处理数据的函数原型 */void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);int main(int argc, char **argv){pcap_if_t *alldevs;pcap_if_t *d;int inum;int i=0;pcap_t *adhandle;/* 定义文件句柄 */char errbuf[PCAP_ERRBUF_SIZE];pcap_dumper_t *dumpfile; /* 检查命令行 */ if(argc != 2) { printf("usage: %s filename", argv[0]); return -1; } /* 获取本地驱动刘表 */ if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1) { fprintf(stderr,"Error in pcap_findalldevs: %s/n", errbuf); exit(1); } /* 打印列表 */ for(d=alldevs; d; d=d->next) { printf("%d. %s", ++i, d->name); if (d->description) printf(" (%s)/n", d->description); else printf(" (No description available)/n"); } if(i==0) { printf("/nNo interfaces found! Make sure WinPcap is installed./n"); return -1; } printf("Enter the interface number (1-%d):",i); scanf_s("%d", &inum); if(inum < 1 || inum > i) { printf("/nInterface number out of range./n"); /* 释放资源*/ pcap_freealldevs(alldevs); return -1; } /* 跳转到指定网卡 */ for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); /* 打开设备 */ if ( (adhandle= pcap_open(d->name, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf ) ) == NULL) { fprintf(stderr,"/nUnable to open the adapter. %s is not supported by WinPcap/n", d->name); /* 释放资源 */ pcap_freealldevs(alldevs); return -1; } /* 打开转储文件 */ dumpfile = pcap_dump_open(adhandle, argv[1]); if(dumpfile==NULL) { fprintf(stderr,"/nError opening output file/n"); return -1; } printf("/nlistening on %s... Press Ctrl+C to stop.../n", d->description); /* 释放资源 */ pcap_freealldevs(alldevs); /* 开始捕捉 */ pcap_loop(adhandle, 0, packet_handler, (unsigned char *)dumpfile); return 0;}/* Callback function invoked by libpcap for every incoming packet */void packet_handler(u_char *dumpfile, const struct pcap_pkthdr *header, const u_char *pkt_data){ /* 保存数据报至转储文件 */ pcap_dump(dumpfile, header, pkt_data);}

正如你所看到的那样，程序的结构与前几章的非常相似。不同在于：

1. 一旦打开网卡就调用pcap_dump_open()来打开一个文件，该调用将文件与某个网卡相关联
2. packet_handler()内部通过调用pcap_dump()来将捕捉到的数据报存储到文件。pcap_dump()的参数和pcap_handler()的参数一一对应的。

• 从转储文件中读取数据报

现在，我们已经拥有了一个可用的转储文件，我们来试着读取它的内容。下面的代码打开一个WinPcap/libpcap的转储文件，并且显示文件中每个数据报的内容。文件是用pcap_open_offline()打开的，之后用pcap_loop()来循环从文件中读取数据。你就会发现，所读取的离线的数据几乎和从物理网卡上读取的一模一样。

这个例子中引入了另一个函数：pcap_createsrcsrc()。这个函数需要创建以一个标记开头的源字符串，这个标记是用来告诉WinPcap源的类型。例如，如果我们要打开一个适配器，标记就为“rpcap://”；如果我们要打开一个文件，就标记“file://”。如果用了函数pcap_findalldevs_ex()，这一步就不需要了，因为此函数的返回值以已经包含了那个源字符串了。然而，在这个例子中这一步是需要的，因为文件的名字是用户输入的。

#include <stdio.h>#include <pcap.h>#define LINE_LEN 16void dispatcher_handler(u_char *, const struct pcap_pkthdr *, const u_char *);int main(int argc, char **argv){pcap_t *fp;char errbuf[PCAP_ERRBUF_SIZE];char source[PCAP_BUF_SIZE]; if(argc != 2){ printf("usage: %s filename", argv[0]); return -1; } /* 根据新的WinPcap语法创建源字符串 */ if ( pcap_createsrcstr( source, // variable that will keep the source string PCAP_SRC_FILE, // we want to open a file NULL, // remote host NULL, // port on the remote host argv[1], // name of the file we want to open errbuf // error buffer ) != 0) { fprintf(stderr,"/nError creating a source string/n"); return -1; } /* 打开捕捉文件 */ if ( (fp= pcap_open(source, // name of the device 65536, // portion of the packet to capture // 65536 guarantees that the whole packet will be captured on all the link layers PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 1000, // read timeout NULL, // authentication on the remote machine errbuf // error buffer ) ) == NULL) { fprintf(stderr,"/nUnable to open the file %s./n", source); return -1; } // read and dispatch packets until EOF is reached pcap_loop(fp, 0, dispatcher_handler, NULL); return 0;}void dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const u_char *pkt_data){ u_int i=0; /* * Unused variable */ (VOID)temp1; /* print pkt timestamp and pkt len */ printf("%ld:%ld (%ld)/n", header->ts.tv_sec, header->ts.tv_usec, header->len); /* Print the packet */ for (i=1; (i < header->caplen + 1 ) ; i++) { printf("%.2x ", pkt_data[i-1]); if ( (i % LINE_LEN) == 0) printf("/n"); } printf("/n/n"); }

下面的例子与上面的功能一样，只不过pcap_next_ex()用来代替pcap_loop()循环读取数据而已。

 #include <stdio.h>#include <pcap.h>#define LINE_LEN 16int main(int argc, char **argv){pcap_t *fp;char errbuf[PCAP_ERRBUF_SIZE];char source[PCAP_BUF_SIZE];struct pcap_pkthdr *header;const u_char *pkt_data;u_int i=0;int res; if(argc != 2) { printf("usage: %s filename", argv[0]); return -1; } /* Create the source string according to the new WinPcap syntax */ if ( pcap_createsrcstr( source, // variable that will keep the source string PCAP_SRC_FILE, // we want to open a file NULL, // remote host NULL, // port on the remote host argv[1], // name of the file we want to open errbuf // error buffer ) != 0) { fprintf(stderr,"/nError creating a source string/n"); return -1; } /* Open the capture file */ if ( (fp= pcap_open(source, // name of the device 65536, // portion of the packet to capture // 65536 guarantees that the whole packet will be captured on all the link layers PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode 1000, // read timeout NULL, // authentication on the remote machine errbuf // error buffer ) ) == NULL) { fprintf(stderr,"/nUnable to open the file %s./n", source); return -1; } /* Retrieve the packets from the file */ while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0) { /* print pkt timestamp and pkt len */ printf("%ld:%ld (%ld)/n", header->ts.tv_sec, header->ts.tv_usec, header->len); /* Print the packet */ for (i=1; (i < header->caplen + 1 ) ; i++) { printf("%.2x ", pkt_data[i-1]); if ( (i % LINE_LEN) == 0) printf("/n"); } printf("/n/n"); } if (res == -1) { printf("Error reading the packets: %s/n", pcap_geterr(fp)); } return 0;}

• 用pcap_live_dump将数据写入到转储文件

注意：就目前而言，由于新内核缓存的一些问题，这项功能被关闭。

当前的WinPcap版本提供更进一步的方法保存网络数据到磁盘，该方法为pcap_live_dump()函数。pcap_live_dump()有三个参数：文件名，文件所允许达到的最大的大小（byte）以及该文件最大允许容纳的最大的数据报的数量。后两个参数为0意味着没有限制。该程序内可以设置一个过滤器（使用pcap_setfilter()，可参见过滤数据那章）在调用pcap_live_dump()之前，来定义要保存的子数据。

pcap_live_dump()是非阻塞的，所以它会一开始转储就立刻返回：数据的转储过程会异步进行，直到文件到达指定的最大长度或最大数据报的数目为止。

应用程序能够用pcap_live_dump_ended()来等待或检查数据是否转储完毕。如果指定的最大长度参数和数据报数量为0，则该操作将永远阻塞。

/* * Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy) * Copyright (c) 2005 - 2006 CACE Technologies, Davis (California) * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the Politecnico di Torino, CACE Technologies * nor the names of its contributors may be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */#include <stdlib.h>#include <stdio.h>#include <pcap.h>#error At the moment the kernel dump feature is not supported in the drivermain(int argc, char **argv) { pcap_if_t *alldevs, *d; pcap_t *fp; u_int inum, i=0; char errbuf[PCAP_ERRBUF_SIZE]; printf("kdump: saves the network traffic to file using WinPcap kernel-level dump faeature./n"); printf("/t Usage: %s [adapter] | dump_file_name max_size max_packs/n", argv[0]); printf("/t Where: max_size is the maximum size that the dump file will reach (0 means no limit)/n"); printf("/t Where: max_packs is the maximum number of packets that will be saved (0 means no limit)/n/n"); if(argc < 5){ /* The user didn't provide a packet source: Retrieve the device list */ if (pcap_findalldevs(&alldevs, errbuf) == -1) { fprintf(stderr,"Error in pcap_findalldevs: %s/n", errbuf); exit(1); } /* Print the list */ for(d=alldevs; d; d=d->next) { printf("%d. %s", ++i, d->name); if (d->description) printf(" (%s)/n", d->description); else printf(" (No description available)/n"); } if(i==0) { printf("/nNo interfaces found! Make sure WinPcap is installed./n"); return -1; } printf("Enter the interface number (1-%d):",i); scanf("%d", &inum); if(inum < 1 || inum > i) { printf("/nInterface number out of range./n"); /* Free the device list */ return -1; } /* Jump to the selected adapter */ for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); /* Open the device */ if ( (fp = pcap_open_live(d->name, 100, 1, 20, errbuf) ) == NULL) { fprintf(stderr,"/nError opening adapter/n"); return -1; } /* Free the device list */ pcap_freealldevs(alldevs); /* Start the dump */ if(pcap_live_dump(fp, argv[1], atoi(argv[2]), atoi(argv[3]))==-1){ printf("Unable to start the dump, %s/n", pcap_geterr(fp)); return -1; } } else{ /* Open the device */ if ( (fp= pcap_open_live(argv[1], 100, 1, 20, errbuf) ) == NULL) { fprintf(stderr,"/nError opening adapter/n"); return -1; } /* Start the dump */ if(pcap_live_dump(fp, argv[0], atoi(argv[1]), atoi(argv[2]))==-1){ printf("Unable to start the dump, %s/n", pcap_geterr(fp)); return -1; } } /* Wait until the dump finishes, i.e. when max_size or max_packs is reached*/ pcap_live_dump_ended(fp, TRUE); /* Close the adapter, so that the file is correctly flushed */ pcap_close(fp); return 0;}

pcap_live_dump()和pcap_dump()的不同之处，撇开设置的限制不说就是性能的问题。pcap_live_dump()采用WinPcap NPF驱动来从内核级的层次上向文件中写数据，从而使内存拷贝的最小化。

显然，这些特点当前在其他操作系统下是不能够实现的，pcap_live_dump()是WinPcap所特有的，而且只能够应用于Win32环境。

附原文：

In this lession we are going to learn how to handle packet capture to a file (dump to file). WinPcap offers a wide range of functions to save the network traffic to a file and to read the content of dumps -- this lesson will teach how to use all of these functions. We'll see also how to use the kernel dump feature of WinPcap to obtain high-performance dumps (NOTE: At the moment, due to some problems with the new kernel buffer, this feature has been disabled).

The format for dump files is the libpcap one. This format contains the data of the captured packets in binary form and is a standard used by many network tools including WinDump, Ethereal and Snort.

• Saving packets to a dump file

First of all, let's see how to write packets in libpcap format.

The following example captures the packets from the selected interface and saves them on a file whose name is provided by the user.

/* codes */

As you can see, the structure of the program is very similar to the ones we have seen in the previous lessons. The differences are:

1. a call to pcap_dump_open() is issued once the interface is opened. This call opens a dump file and associates it with the interface.
2. the packets are written to this file with a pcap_dump() from the packet_handler() callback. The parameters of pcap_dump() are in 1-1 correspondence with the parameters of pcap_handler().

• Reading packets from a dump file

Now that we have a dump file available, we can try to read its content. The following code opens a WinPcap/libpcap dump file and displays every packet contained in the file. The file is opened with pcap_open_offline(), then the usual pcap_loop() is used to sequence through the packets. As you can see, reading packets from an offline capture is nearly identical to receiving them from a physical interface.

This example introduces another function: pcap_createsrcsrc(). This function is required to create a source string that begins with a marker used to tell WinPcap the type of the source, e.g. "rpcap://" if we are going to open an adapter, or "file://" if we are going to open a file. This step is not required when pcap_findalldevs_ex() is used (the returned values already contain these strings). However, it is required in this example because the name of the file is read from the user input.

/* codes */

The following example has the same purpose of the last one, but pcap_next_ex() is used instead of the pcap_loop() callback method.

/* codes */

• Writing packets to a dump file with pcap_live_dump

NOTE: At the moment, due to some problems with the new kernel buffer, this feature has been disabled.

Recent versions of WinPcap provide a further way to save network traffic to disk, the pcap_live_dump() function. pcap_live_dump() takes three parameters: a file name, the maximum size (in bytes) that this file is allowed to reach and the maximum amount of packets that the file is allowed to contain. Zero means no limit for both these values. Notice that the program can set a filter (with pcap_setfilter(), see the tutorial Filtering the traffic) before calling pcap_live_dump() to define the subset of the traffic that will be saved.

pcap_live_dump() is non-blocking, therefore it starts the dump and returns immediately: The dump process goes on asynchronously until the maximum file size or the maximum amount of packets has been reached.

The application can wait or check the end of the dump with pcap_live_dump_ended(). Beware that if the sync parameter is nonzero, this function will block your application forever if the limits are both 0.

/* codes */

The difference between pcap_live_dump() and pcap_dump(), apart from the possibility to set limits, is performance. pcap_live_dump() exploits the ability of the WinPcap NPF driver (see NPF driver internals manual) to write dumps from kernel level, minimizing the number of context switches and memory copies.

Obviously, since this feature is currently not available on other operating systems, pcap_live_dump() is WinPcap specific and is present only under Win32.

#end