18,356
社区成员
发帖
与我相关
我的任务
分享用winpcap抓包,分析应用层时候遇到了问题
我把回调函数贴出来
typedef struct ip_header
{
u_char ver_ihl; /* Version (4 bits) + Internet header length (4 bits)*/
u_char tos; /* Type of service */
u_short tlen; /* Total length */
u_short identification; /* Identification */
u_short flags_fo; /* Flags (3 bits) + Fragment offset (13 bits)*/
u_char ttl; /* Time to live */
u_char proto; /* Protocol */
u_short crc; /* Header checksum */
ip_address saddr;/* Source address */
ip_address daddr;/* Destination address */
u_int op_pad; /* Option + Padding */
}ip_header;
typedef struct tcp_header
{
public:
u_short sport; // source port (16 bits)
u_short dport; // destination port (16 bits)
u_int seq; // sequence (32 bits)
u_int ack; // ack (32 bits)
u_char lenres; // len
u_char flag; // Flag(URG,ACK,PSH,RST,SYN,FIN) (6 bits)
u_short win; // window size(16 bits)
u_short crc; // crc (16 bits)
u_short ur_p; // urgent point (16 bits)
u_int opt; // option(0 - 32)
}tcp_header;
/* Callback function invoked by libpcap for every incoming packet */
void CWinpcapDlg::packet_handler(u_char* param, const struct pcap_pkthdr* header, const u_char* pkt_data)
{
CString szMsg;
struct tm* ltime;
char timestr[16];
ip_header* ih;
tcp_header* th;
u_int ip_len; //ip头长
u_int tcp_len; //tcp头长
u_short sport, dport;
/* convert the timestamp to readable format */
ltime = localtime(&header->ts.tv_sec);
strftime(timestr, sizeof(timestr), "%H:%M:%S", ltime);
/* retrieve the position of the ip header */
ih = (ip_header*)(pkt_data + 14); /* length of ethernet header */
/* retrieve the position of the udp header */
ip_len = (ih->ver_ihl & 0xf) * 4; //?????? ????? ?????
th = (tcp_header*)((u_char*)ih + ip_len); //tcp包开始位置的指针
/* convert from network byte order to host byte order */
tcp_len = (th->lenres>>4)<<2; //tcp头长
sport = ntohs(th->sport);
dport = ntohs(th->dport); //端口
u_char * p = (u_char*)th+tcp_len; //???问题在这里,大家看看
TRACE("caplen=%d,len=%d,data_len=%d,p_len=%d",header->caplen,header->len,strlen((char *)pkt_data),strlen((char *)p));
/* print ip addresses and udp ports */
TRACE("%s.%.6d len:%d %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n",
timestr, header->ts.tv_usec, header->len,
ih->saddr.byte1,
ih->saddr.byte2,
ih->saddr.byte3,
ih->saddr.byte4,
sport,
// **
ih->daddr.byte1,
ih->daddr.byte2,
ih->daddr.byte3,
ih->daddr.byte4,
dport);
}
问题出在这里,大家看看:
u_char * p = (u_char*)th+tcp_len; 那么指针p是不是应用层数据开始位置的指针呢??如果是的话,为什么 strlen((char *)p)的值总是 0呢??
typedef struct ip_header
{
u_char ver_ihl; /* Version (4 bits) + Internet header length (4 bits)*/
u_char tos; /* Type of service */
u_short tlen; /* Total length */
u_short identification; /* Identification */
u_short flags_fo; /* Flags (3 bits) + Fragment offset (13 bits)*/
u_char ttl; /* Time to live */
u_char proto; /* Protocol */
u_short crc; /* Header checksum */
ip_address saddr;/* Source address */
ip_address daddr;/* Destination address */
u_int op_pad; /* Option + Padding */
}ip_header;
typedef struct tcp_header
{
public:
u_short sport; // source port (16 bits)
u_short dport; // destination port (16 bits)
u_int seq; // sequence (32 bits)
u_int ack; // ack (32 bits)
u_char lenres; // len
u_char flag; // Flag(URG,ACK,PSH,RST,SYN,FIN) (6 bits)
u_short win; // window size(16 bits)
u_short crc; // crc (16 bits)
u_short ur_p; // urgent point (16 bits)
u_int opt; // option(0 - 32)
}tcp_header;
/* Callback function invoked by libpcap for every incoming packet */
void CWinpcapDlg::packet_handler(u_char* param, const struct pcap_pkthdr* header, const u_char* pkt_data)
{
CString szMsg;
struct tm* ltime;
char timestr[16];
ip_header* ih;
tcp_header* th;
u_int ip_len; //ip头长
u_int tcp_len; //tcp头长
u_short sport, dport;
/* convert the timestamp to readable format */
ltime = localtime(&header->ts.tv_sec);
strftime(timestr, sizeof(timestr), "%H:%M:%S", ltime);
/* retrieve the position of the ip header */
ih = (ip_header*)(pkt_data + 14); /* length of ethernet header */
/* retrieve the position of the udp header */
ip_len = (ih->ver_ihl & 0xf) * 4; //?????? ????? ?????
th = (tcp_header*)((u_char*)ih + ip_len); //tcp包开始位置的指针
/* convert from network byte order to host byte order */
tcp_len = (th->lenres>>4)<<2; //tcp头长
sport = ntohs(th->sport);
dport = ntohs(th->dport); //端口
u_char * p = (u_char*)th+tcp_len; //???问题在这里,大家看看
TRACE("caplen=%d,len=%d,data_len=%d,p_len=%d",header->caplen,header->len,strlen((char *)pkt_data),strlen((char *)p));
/* print ip addresses and udp ports */
TRACE("%s.%.6d len:%d %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n",
timestr, header->ts.tv_usec, header->len,
ih->saddr.byte1,
ih->saddr.byte2,
ih->saddr.byte3,
ih->saddr.byte4,
sport,
// **
ih->daddr.byte1,
ih->daddr.byte2,
ih->daddr.byte3,
ih->daddr.byte4,
dport);
}
问题出在这里,大家看看:
u_char * p = (u_char*)th+tcp_len; 那么指针p是不是应用层数据开始位置的指针呢??如果是的话,为什么 strlen((char *)p)的值总是 0呢??
...全文
请发表友善的回复…
发表回复
akyca 2007-03-16
- 打赏
- 举报
如果应用层数据是 0x00 0x00 0x10 0x20
strlen((char *)p)的值当然是零啊
没人说应用层的协议一定要是Text-based Protocol,当然也可以是Binary Protocol
strlen((char *)p)的值当然是零啊
没人说应用层的协议一定要是Text-based Protocol,当然也可以是Binary Protocol
