winpcap的QQ协议解析问题
自己定义了一个QQ包头
typedef struct _QQHeader {
BYTE Head;
WORD Version;
WORD Command;
WORD Sequence;
DWORD QQNumber;
} QQHeader, *PQQHeader;
然后从winpacp udp抓包范例改了一份
抓包回调函数是这样:
void packet_handler(u_char * param, const pcap_pkthdr * header, const u_char * pkt_data)
{
struct tm *ltime;
char timestr[16];
ip_header *ih;
udp_header *uh;
u_int ip_len;
u_short sport, dport;
time_t local_tv_sec;
/*
* unused parameter
*/
(VOID)(param);
/* convert the timestamp to readable format */
local_tv_sec = header->ts.tv_sec;
ltime = localtime(&local_tv_sec);
strftime(timestr, sizeof timestr, "%H:%M:%S", ltime);
/* print timestamp and length of the packet */
printf("%s.%.6d len:%d ", timestr, header->ts.tv_usec, header->len);
/* retireve the position of the ip header */
ih = (ip_header *)(pkt_data +
14); //length of ethernet header
/* retireve the position of the udp header */
ip_len = (ih->ver_ihl & 0xf) * 4;
uh = (udp_header *)((u_char*)ih + ip_len);
/* convert from network byte order to host byte order */
sport = ntohs(uh->sport);
dport = ntohs(uh->dport);
/* print ip addresses and udp ports */
/*
printf("%d.%d.%d.%d.%d -> %d.%d.%d.%d.%d\n",
ih->saddr.byte1,
ih->saddr.byte2,
ih->saddr.byte3,
ih->saddr.byte4,
sport,
ih->daddr.byte1,
ih->daddr.byte2,
ih->daddr.byte3,
ih->daddr.byte4,
dport);*/
auto qqHeader = (QQHeader*)((u_char*)uh + sizeof(u_short)*4);
if (qqHeader->Head != 0x02)return;
DWORD qqNumber = qqHeader->QQNumber;
auto newIP = new ip_address();
newIP->ul = ih->daddr.ul;
CQQSniffer::sQQIPTable[qqNumber] = shared_ptr<ip_address>(newIP);
}
能抓到包但是和wireshark的内容不一样 我这么计算qq包头位置是正确的么?