在 Windows 中使用 C 进行数据包捕获
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8249566/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Packet capturing with C in Windows
提问by Medardas
I'm fairly new to C programming language and packet capturing. Right now I'm writing a simple program (using Visual Studio 2010 express) to decode a packet trace capture file. I read a number of guides, but most of them are for linux/unix. I managed to include wpcap libraries, but now i need structs defined in the system that are intended to make decoding Internet packet headers easier.
我对 C 编程语言和数据包捕获相当陌生。现在我正在编写一个简单的程序(使用 Visual Studio 2010 express)来解码数据包跟踪捕获文件。我阅读了许多指南,但其中大部分是针对 linux/unix 的。我设法包含了 wpcap 库,但现在我需要在系统中定义的结构,旨在使解码 Internet 数据包标头更容易。
struct ether_header in /usr/include/sys/ethernet.h
struct in_addr in /usr/include/netinet/in.h
struct ip in /usr/include/netinet/ip.h
struct udphdr in /usr/include/netinet/udp.h
struct tcphdr in /usr/include/netinet/tcp.h
Up until now I understood that winsock2 must be included for in.h, but what about ethernet, ip, tcp/udp? What should i do to manage decoding related to these headers? is it same winsocket? if it is, where could i find simple explanation of what methods to use?
直到现在我才知道 in.h 必须包含 winsock2,但是以太网、ip、tcp/udp 呢?我应该怎么做来管理与这些标头相关的解码?是同一个winsocket吗?如果是,我在哪里可以找到有关使用哪些方法的简单说明?
OS: Win 7
操作系统:Win 7
回答by
Actually, most of those headers were originally intended to make writing the BSD kernel networking stack easier, not making decoding packet headers in sniffers easier; they're present for user programs in part for historical reasons.
实际上,这些头中的大部分最初是为了让编写 BSD 内核网络堆栈更容易,而不是让嗅探器中的数据包头更容易解码;它们存在于用户程序中,部分原因是历史原因。
I'd suggest getting the source to recent versions of tcpdump or WinDump and making your own copies of the corresponding header files in it; the ether.h, ip.h, udp.h, and tcp.hfiles from tcpdump/WinDump are taken from BSD-derived operating systems so that tcpdump/WinDump don't have to depend on the operating system supplying those headers or on it supplying particular versions of those headers (not all of the operating systems on which tcpdump/WinDump can run supply versions that work well with tcpdump/WinDump, with some of them requiring special hackery for tcpdump and some others not supplying them at all - Windows, for example, doesn't supply them at all, as you've discovered).
我建议获取最新版本的 tcpdump 或 WinDump 的源代码,并在其中制作您自己的相应头文件的副本;的ether.h,ip.h,udp.h,并tcp.h从tcpdump的文件/ WinDump的是从BSD衍生操作系统采取使tcpdump的/ WinDump的不必依赖于操作系统提供的头文件或在其上提供的头文件的特定版本上(不是所有的tcpdump/WinDump 可以在其上运行的操作系统提供与 tcpdump/WinDump 配合良好的版本,其中一些需要对 tcpdump 进行特殊处理,而另一些则根本不提供它们 - 例如,Windows 根本不提供它们,正如你所发现的)。
You can get the tcpdump source from tcpdump.org, and the WinDump source from winpcap.org(look under "WinDump 3.9.5 Source Code Download"). The WinDump source is in a ZIP file rather than a gzipped tar file, so it might be easier to unpack on Windows, and might have Windows CR-LF line endings rather than UN*X LF line endings, so you might want to try the WinDump versions.
您可以从tcpdump.org获取 tcpdump 源代码,从winpcap.org获取WinDump 源代码(查看“WinDump 3.9.5 源代码下载”)。WinDump 源文件位于 ZIP 文件中,而不是 gzipped tar 文件中,因此在 Windows 上解压缩可能更容易,并且可能具有 Windows CR-LF 行结尾而不是 UN*X LF 行结尾,因此您可能想要尝试WinDump 版本。
回答by ConcernedOfTunbridgeWells
Even though you're working on Windows, as you're using libpcap you might get some mileage from Unix Network Programming vol. 1and TCP/IP illustrated Vol. 1.You can buy these new or secondhand off Amazon Marketplace. This will explain the headers and other related items.
即使您在 Windows 上工作,当您使用 libpcap 时,您也可能从Unix Network Programming vol. 1和TCP/IP 说明卷。1.您可以从亚马逊商城购买这些新的或二手的。这将解释标题和其他相关项目。
回答by dashesy
I only include these (in this order)
我只包括这些(按此顺序)
#include <winsock2.h>
#include <windows.h>
