libpcap

之前在windows上开发的抓包工具，需要移植到linux下。 在windows下抓包工具winpcap，对应在linux下为 libpcp , 官网下载QT安装包，可以双击安装 在软件中心添加源sourcelist 安装 apt-get install flex Bison 下载最新libpcap，解压，在工作目录下 ./configure make make install 至此 pcap安装到了/usr/local/lib 和usr/local/include路径 在.pro文件中添加LIBS += /usr/local/lib/libpcap.a，添加库文件 添加头文件#include "pcap.h"，可调用相关API 参考资料： libpacp 参考手册 https://blog.csdn.net/w1242245/article/details/24498233 转载请标明出处: QT+libpcap Unbuntu16.04 文章来源: QT+libpcap Unbuntu16.04

概述 libpcap 是一个 网络数据包捕获函数库 ，功能非常强大，Linux 下著名的 tcpdump 就是以它为基础的。 libpcap主要的作用 1）捕获各种数据包，列如：网络流量统计。 2）过滤网络数据包，列如：过滤掉本地上的一些数据，类似防火墙。 3）分析网络数据包，列如：分析网络协议，数据的采集。 4）存储网络数据包，列如：保存捕获的数据以为将来进行分析。 libpcap 的安装 libpcap 的抓包框架 pcap_lookupdev() ：函数用于查找网络设备，返回可被 pcap_open_live() 函数调用的网络设备名指针。 pcap_lookupnet() ：函数获得指定网络设备的网络号和掩码。 pcap_open_live() ： 函数用于打开网络设备，并且返回用于捕获网络数据包的数据包捕获描述字。对于此网络设备的操作都要基于此网络设备描述字。 pcap_compile() ： 函数用于将用户制定的过滤策略编译到过滤程序中。 pcap_setfilter() ：函数用于设置过滤器。 pcap_loop() ：函数 pcap_dispatch() 函数用于捕获数据包，捕获后还可以进行处理，此外 pcap_next() 和 pcap_next_ex() 两个函数也可以用来捕获数据包。 pcap_close() ：函数用于关闭网络设备，释放资源。 利用

I've capture a pcap file and display it on wireshark. I want to analysis those udp packets with 'Length' column equals to 443. On wireshark, I try to found what's the proper filter. udp && length 443 # invalid usage udp && eth.len == 443 # wrong result udp && ip.len == 443 # wrong result By the way, could the wireshark's filter directly apply on libpcap's filter? All these workable on wireshark's filter frame.len==243 <- I use this ip.len=229 udp.length==209 data.len=201 来源： https://stackoverflow.com/questions/10022710/set-a-filter-of-packet-length-in-wireshark

When capturing network traffic for debugging, there seem to be two common approaches: Use a raw socket. Use libpcap. Performance-wise, is there much difference between these two approaches? libpcap seems a nice compatible way to listen to a real network connection or to replay some canned data, but does that feature set come with a performance hit? The answer is intended to explain more about the libpcap. libpcap uses the PF_PACKET to capture packets on an interface. Refer to the following link. https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt From the above link In Linux 2

I want to use libpcap to capture IP packet, and the I want to parse the IP header and tcp header. ` there are IP header and TCP header structures in <netinet/ip.h> and <netinet/tcp.h> IP header is relatively easier to parse, but for TCP header,since there are tcp options, the common options are MSS, SACK(selective acknowledgement), timestamp, window scaling and NOP. I want to have a function parse_pkt(): struct tcphdr tcp_hdr; struct ip ip_hdr; parse_pkt(u_char *pcap_packet, struct ip* p_ip, struct tcp* p_tcp); so after calling the function, if I want to know the source ip address, sequence

I am writing fairly simply pcap "live" capture engine, however the packet processing callback implementation for pcap_dispatch should take relatively long time for processing. Does pcap run every "pcap_handler" callback in separate thread? If yes, is "pcap_handler" thread-safe, or should the care be taken to protect it with critical sections? Alternatively, does pcap_dispatch callback works in serial fashion? E.g. is "pcap_handler" for the packet 2 called only after "pcap_handler" for packet 1 is done? If so, is there an approach to avoid accumulating latency? Thanks, -V Pcap basically works

My application is running on CentOS 5.5 I need to send raw packets using libpcap API: pcap_inject() or pcap_sendpacket() To the specific IP address How can I determinate MAC address belongs to a specific target? It looks like what you want is ioctl and SIOCGARP . That should let you query your arp cache. I'm assuming that the host in question is on your local network or all you're going to get is your router. You can also read from /proc/net/arp, which seems easier. You'll need to get an arp request returned first but you'll be doing that whether your tool does it or some third-party makes the

I'm using the pcap C library to read packets. Currently, I use the following to check and see whether a flag in the struct tcphdr (this struct is defined in the netinet/tcp.h library) is set: struct tcphdr *tcp = .... if(tcp->th_flags & TH_SYN) { //SYN FLAG IS SET? } Will this always work for checking if a particular flag is set in the struct? Or is there a better way? Would greatly appreciate any advice/tips :) That looks fine to me. TH_SYN is a single bit, so that expression will be true (nonzero) if that bit is set in th_flags . 来源： https://stackoverflow.com/questions/35388217/how-to-check