libpcap

typedef struct pcap_if pcap_if_t;
/*
 * Item in a list of interfaces.
 *
 * Nodes are chained through `next`; each node carries the device name,
 * an optional description, the head of that device's address list and
 * a flags word.
 *
 * NOTE(review): the list is presumably built by pcap_findalldevs() and
 * released with pcap_freealldevs(), so the strings and address nodes
 * would be owned by the library and must not be used after the list
 * is freed -- confirm against the libpcap version in use.
 */
struct pcap_if {
    struct pcap_if *next;    /* next interface in the list (presumably NULL at the end -- confirm) */
    char *name;        /* name to hand to "pcap_open_live()" */
    char *description;    /* textual description of interface, or NULL; check before printing */
    struct pcap_addr *addresses;    /* head of this interface's address list (see struct pcap_addr) */
    bpf_u_int32 flags;    /* PCAP_IF_ interface flags */
};
  • 說明:該結構體是一個Interface的鏈結串列結構。
  • 成員:
    • next:指向下一個Interface指標。
    • name:Interface名稱。
    • description:Interface描述。
    • addresses:Interface的地址結構。
    • flags:Interface的標記。


/*
 * Representation of an interface address.
 *
 * One node per address of an interface, chained through `next`.
 * Every address field is a generic `struct sockaddr *`, so the
 * concrete layout is not fixed by this declaration.
 *
 * NOTE(review): the pcap_findalldevs() documentation describes these
 * pointers as possibly NULL and the entries as possibly IPv4, IPv6 or
 * another family; callers should test each pointer and its sa_family
 * before casting to a family-specific sockaddr type.
 */
struct pcap_addr {
    struct pcap_addr *next;    /* next address of the same interface */
    struct sockaddr *addr;        /* address */
    struct sockaddr *netmask;    /* netmask for that address */
    struct sockaddr *broadaddr;    /* broadcast address for that address */
    struct sockaddr *dstaddr;    /* P2P destination address for that address */
};
  • 說明:用來描述Interface的地址,也是一個鏈結串列結構。
  • 成員:
    • next:指向下一個地址指標
    • addr:地址
    • netmask:遮罩
    • broadaddr:廣播地址
    • dstaddr:p2p的目的地址


/*
 * Capture handle state; `pcap_t` (typedef below) is this structure.
 *
 * It holds the per-handle method pointers, the platform-specific
 * descriptor or adapter, the read buffer, savefile state, capture
 * options, the filter program and an error-message buffer.
 *
 * We put all the stuff used in the read code path at the beginning,
 * to try to keep it together in the same cache line or lines.
 */
struct pcap {
    /*
     * Method to call to read packets on a live capture.
     */
    read_op_t read_op;

    /*
     * Method to call to read packets from a savefile.
     */
    int (*next_packet_op)(pcap_t *, struct pcap_pkthdr *, u_char **);

    /* Platform-specific capture source: adapter handle on WIN32, file descriptors elsewhere. */
#ifdef WIN32
    ADAPTER *adapter;
    LPPACKET Packet;
    int nonblock;
#else
    int fd;
    int selectable_fd;
#endif /* WIN32 */

    /*
     * Read buffer.
     *
     * NOTE(review): presumably `buffer` is `bufsize` bytes long, `bp`
     * points at the next unread data inside it and `cc` is the count of
     * bytes still unread -- confirm in the read methods.  These are
     * signed ints, so the code maintaining them has to keep them
     * non-negative and within the allocation.
     */
    int bufsize;
    u_char *buffer;
    u_char *bp;
    int cc;

    int break_loop;        /* flag set to force break from packet-reading loop */

    void *priv;        /* private data for methods */

    int swapped;        /* presumably set when a savefile has the opposite byte order -- confirm */
    FILE *rfile;        /* null if live capture, non-null if savefile */
    int fddipad;
    struct pcap *next;    /* list of open pcaps that need stuff cleared on close */

    /*
     * File version number; meaningful only for a savefile, but we
     * keep it here so that apps that (mistakenly) ask for the
     * version numbers will get the same zero values that they
     * always did.
     */
    int version_major;
    int version_minor;

    int snapshot;        /* presumably the snapshot length (max bytes kept per packet) -- confirm */
    int linktype;        /* Network linktype */
    int linktype_ext;       /* Extended information stored in the linktype field of a file */
    int tzoff;        /* timezone offset */
    int offset;        /* offset for proper alignment */
    int activated;        /* true if the capture is really started */
    int oldstyle;        /* if we're opening with pcap_open_live() */

    struct pcap_opt opt;

    /*
     * Place holder for pcap_next().
     */
    u_char *pkt;

    /* We're accepting only packets in this direction/these directions. */
    pcap_direction_t direction;

    /*
     * Flags to affect BPF code generation.
     */
    int bpf_codegen_flags;

    /*
     * Placeholder for filter code if bpf not in kernel.
     */
    struct bpf_program fcode;

    /*
     * Error message buffer of PCAP_ERRBUF_SIZE + 1 bytes.  Writes into
     * it must stay within sizeof(errbuf): the members declared after it
     * include list pointers and the method pointers.
     */
    char errbuf[PCAP_ERRBUF_SIZE + 1];
    /*
     * Lists with their element counts.
     * NOTE(review): presumably each *_list holds *_count entries; the
     * two must be kept in step wherever the lists are rebuilt -- confirm.
     */
    int dlt_count;
    u_int *dlt_list;
    int tstamp_type_count;
    u_int *tstamp_type_list;
    int tstamp_precision_count;
    u_int *tstamp_precision_list;

    struct pcap_pkthdr pcap_header;    /* This is needed for the pcap_next_ex() to work */

    /*
     * More methods.
     */
    activate_op_t activate_op;
    can_set_rfmon_op_t can_set_rfmon_op;
    inject_op_t inject_op;
    setfilter_op_t setfilter_op;
    setdirection_op_t setdirection_op;
    set_datalink_op_t set_datalink_op;
    getnonblock_op_t getnonblock_op;
    setnonblock_op_t setnonblock_op;
    stats_op_t stats_op;

    /*
     * Routine to use as callback for pcap_next()/pcap_next_ex().
     */
    pcap_handler oneshot_callback;

#ifdef WIN32
    /*
     * These are, at least currently, specific to the Win32 NPF
     * driver.
     */
    setbuff_op_t setbuff_op;
    setmode_op_t setmode_op;
    setmintocopy_op_t setmintocopy_op;
    getadapter_op_t getadapter_op;
#endif
    cleanup_op_t cleanup_op;
};
/* Handle type used by applications for a capture. */
typedef struct pcap pcap_t;
  • 說明:這個結構體就是pcap_t,我們不能直接使用結構體內的成員,必須透過libpcap提供的其他函數操作。


/*
 * Generic per-packet information, as supplied by libpcap.
 *
 * The time stamp can and should be a "struct timeval", regardless of
 * whether your system supports 32-bit tv_sec in "struct timeval",
 * 64-bit tv_sec in "struct timeval", or both if it supports both 32-bit
 * and 64-bit applications.  The on-disk format of savefiles uses 32-bit
 * tv_sec (and tv_usec); this structure is irrelevant to that.  32-bit
 * and 64-bit versions of libpcap, even if they're on the same platform,
 * should supply the appropriate version of "struct timeval", even if
 * that's not what the underlying packet capture mechanism supplies.
 *
 * `caplen` is the number of bytes actually present in the packet data
 * handed to the application; `len` is the length the packet had on the
 * wire.  Code that walks the packet data should bound every read by
 * `caplen`, never by `len` or by a length field taken from the packet
 * itself, because the captured portion can be shorter than the packet.
 */
struct pcap_pkthdr {
    struct timeval ts;    /* time stamp */
    bpf_u_int32 caplen;    /* length of portion present */
    bpf_u_int32 len;    /* length this packet (off wire) */
};
  • 說明:封包的資訊表頭,這裡並不是指封包協定的表頭。
  • 成員:
    • ts:抓到封包的時間戳(Timestamp)。
    • caplen:實際擷取到的封包長度(位元組),可能小於len;解析封包內容時應以caplen作為可讀取範圍的上限。
    • len:封包在網路上的原始長度(位元組)。


/*
 * As returned by the pcap_stats()
 *
 * All members are unsigned packet counters.  `bs_capt` exists only when
 * WIN32 is defined, so portable code must not reference it
 * unconditionally.
 *
 * NOTE(review): a non-zero ps_drop or ps_ifdrop means packets were lost
 * before reaching the application, so the capture is incomplete; the
 * exact counting semantics are platform-dependent -- confirm in the
 * pcap_stats() documentation.
 */
struct pcap_stat {
    u_int ps_recv;        /* number of packets received */
    u_int ps_drop;        /* number of packets dropped */
    u_int ps_ifdrop;    /* drops by interface -- only supported on some platforms */
#ifdef WIN32
    u_int bs_capt;        /* number of packets that reach the application */
#endif /* WIN32 */
};
  • 說明:目前狀態結構。
  • 成員:
    • ps_recv:目前接收了多少封包。
    • ps_drop:因為核心空間不夠所被丟棄的封包數量;此值不為0表示擷取到的資料並不完整。
    • ps_ifdrop:被Interface或是本身的驅動程式丟棄的封包數量,只有部分平台支援。
    • bs_capt:到達應用層的封包數量,僅在定義WIN32時才有此成員。
