Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Using packet capture libpcap be reconciliation package in Ubuntu 14.04 64 bits     - Android Studio and Git Git configuration file status (Linux)

- Oracle through the alarm log view and inspect the main library, physical and snapshot standby database (Database)

- CentOS 6.6 install Oracle 11gR2 database (Database)

- PHP loop reference caused strange problems (Programming)

- MySQL uses Federate engine mapping table to achieve operation of the local remote operation table (Database)

- Find details block device with Linux blkid command (Linux)

- Linux System Getting Started Tutorial: How to Force Change your password at next logon Linux (Linux)

- How Linux Log Analysis (Linux)

- Teamviewer not start in Linux (Linux)

- After Pydev installation, Eclipse does not display solutions (Linux)

- Linux Getting Started tutorial: 3D effects and beautify your desktop (Linux)

- Redhat 5 prohibit IPv6 (Linux)

- Binary tree traversal recursive and non-recursive (cyclic) traversal achieve (Programming)

- Sorting Algorithm (1) Quick Sort C ++ implementation (Programming)

- Try to use Lets Encrypt (Linux)

- Oracle users to automatically increase the partition table (Database)

- Talking about the shortcomings and deficiencies of the firewall (Linux)

- The free command in Linux (Linux)

- Five kinds of IO Model under Linux (Programming)

- iptraf: A Practical TCP / UDP network monitoring tools (Linux)

  Using packet capture libpcap be reconciliation package in Ubuntu 14.04 64 bits
  Add Date : 2018-11-21      
  In order to develop needed, I decided to use the latest libpcap source packages installed. Install libpcap library under Unix environment, we need
c compiler, flex, bison, etc., when installing Ubuntu system without these packages. Install flex needs m4 compiler environment, otherwise it will prompt "GNU M4 is required" error.

1. Install the system dependencies
sudo apt-get install gcc libc6-dev
sudo apt-get install m4
sudo apt-get install flex bison

2. Download and install libpcap source
Download the latest version from the official website http://www.tcpdump.org/ libpcap
cd / usr / local / src
wget http://www.tcpdump.org/release/libpcap-1.5.3.tar.gz
tar zxvf libpcap-1.5.3.tar.gz
cd libpcap-1.5.3
sudo make install

3. Install developers need to use dependent libraries
sudo apt-get install libpcap-dev

4. Test libpcap small program named pcap_demo.c, to test environment is configured correctly
#include < pcap.h>
#include < stdio.h>

int main (int argc, char * argv [])
pcap_t * handle; / * Session handle * /
char * dev; / * The device to sniff on * /
char errbuf [PCAP_ERRBUF_SIZE]; / * Error string * /
struct bpf_program fp; / * The compiled filter * /
char filter_exp [] = "port 80"; / * The filter expression * /
bpf_u_int32 mask; / * Our netmask * /
bpf_u_int32 net; / * Our IP * /
struct pcap_pkthdr header; / * The header that pcap gives us * /
const u_char * packet; / * The actual packet * /

/ * Define the device * /
dev = pcap_lookupdev (errbuf);
if (dev == NULL) {
fprintf (stderr, "Could not find default device:% s \ n", errbuf);
return (2);
/ * Find the properties for the device * /
if (pcap_lookupnet (dev, & net, & mask, errbuf) == -1) {
fprintf (stderr, "Could not get netmask for device% s:% s \ n", dev, errbuf);
net = 0;
mask = 0;
/ * Open the session in promiscuous mode * /
handle = pcap_open_live (dev, BUFSIZ, 1, 1000, errbuf);
if (handle == NULL) {
fprintf (stderr, "Could not open device% s:% s \ n", dev, errbuf);
return (2);
/ * Compile and apply the filter * /
if (pcap_compile (handle, & fp, filter_exp, 0, net) == -1) {
fprintf (stderr, "Could not parse filter% s:% s \ n", filter_exp, pcap_geterr (handle));
return (2);
if (pcap_setfilter (handle, & fp) == -1) {
fprintf (stderr, "Could not install filter% s:% s \ n", filter_exp, pcap_geterr (handle));
return (2);
/ * Grab a packet * /
packet = pcap_next (handle, & header);
/ * Print its length * /
printf ( "Jacked a packet with length of [% d] \ n", header.len);
/ * And close the session * /
pcap_close (handle);
return (0);
Start the compilation:
gcc -g pcap_demo.c -o pcap_demo -lpcap

5. Attention
5.1. Note the use of root user to perform, or for ordinary users to use sudo to elevate privileges
sudo pcap_demo
5.2. For some PCAP API functions must be fully understood, and always update the document, such as pcap_loop this function, the following is the official website of the man page address
5.3, some of the functions of understanding:
Pcap_loop and pcap_dispatch difference, the former does not time out to return, but will try to read more packets until an error occurred before returning. Normal return value is 0, otherwise it is negative. I am currently needs a continuous packet capture, so you should use pcap_loop. pcap_dispatch internal calls pcap_loop. pcap_loop The fourth parameter is useful in some applications, but under normal circumstances is set to NULL. This definition is useful, for example, if you want to give pcap_loop callback function then pass some additional parameters, you can use u_char pointer type (string), successor to the callback function to do a specific manner. pcap_dispatch only treatment it receives the first packet.
From pcap_loop return, we should explicitly call pcap_close to close pcap to release resources. To represent uninterrupted capture in pcap_loop should try to use -1 instead of 0. The explanation about where the callback function, which has three parameters. The first parameter is the user pcap_loop last parameter, which represents a less important information can be ignored, and the second parameter is the header information packets containing timestamp and length, and the third parameter is the packet, starting from the link layer header, it will not be released in the callback function, but when the callback returns not pack these data again legitimate, so you want to use them again, please copy them beforehand.

The following further in-depth look at the definition of pcap_loop the callback function:
First, note that the function's return value type is void, it is entirely logical, because pcap_loop do not know how to handle the callback function's return value is the return value came to him does not make sense. Then is the first argument to the callback function corresponds pcap_loop last parameter, whether you give the last parameter passed pcap_loop what value when the callback function is called, it will be as the first argument passed to the callback function, the second argument is the pcap header, it contains some information: capture time, including how much, etc. this structure is defined in pcap.h as follows
struct pcap_pkthdr {
struct timeval ts; / * time stamp * /
bpf_u_int32 caplen; / * length of portion present * /
bpf_u_int32 len; / * length this packet (off wire) * /

Ethereal There are two ways, one is grasping every time a package, and the other is a cyclic packet capture, catch into circulation a limited number of packages, or capture an infinite loop. Wherein each grab a package uses pcap_next function. pcap_next () indicates that only fetch a packet, its first parameter is the session handle, the second argument is the header, the return value is a data packet. Function prototype is as follows
u_char * pcap_next (pcap_t * p, struct pcap_pkthdr * h)
Another way to capture the cycle is to use pcap_loop and callback functions, see the code sample I put together two examples.

5.4. Setting LAN equipment, there are two methods, the first method is to direct the user to specify the name of the network card (available must be true), the command line parameters passed in, for example,

int main (int argc, char * argv [])
char * dev = argv [1];

printf ( "Device:% s \ n", dev);
return (0);
Another method is to allow yourself to detect pcap network card device, if an error occurs, will give an error message, but this method in many cases do not fly, this improvement is, let pcap detect all network cards, so users choose to use that area network packet capture device, see the following code
#include < stdio.h>
#include < pcap.h>

int main (int argc, char * argv [])
char * dev, errbuf [PCAP_ERRBUF_SIZE];

dev = pcap_lookupdev (errbuf);
if (dev == NULL) {
fprintf (stderr, "Could not find default device:% s \ n", errbuf);
return (2);
printf ( "Device:% s \ n", dev);
return (0);

5.5 For we caught a packet, its structure, can be divided into Ethernet header, IP header, TCP header, etc., respectively 14,20,20 bytes, IP header at least 20 bytes, TCP header also at least 20 bytes.
data = recv_data [42:] The reason for this is, recv_data caught are raw packet, tcp / ip layer 5 is divided, a udp packet, Ethenet_II Frame with 14Bytes head will then be 20 words Baotou section of ip, udp header and 8 bytes, so the offset is udp 42 after the actual content
After tcp packet header size is 20Bytes, so its actual contents at offset 54

5.6. Data packet unpacking and group packages, will need to define common data structures Ethernet header, IP header, TCP header, UDP header, and we do not need to redefine these heads, a direct reference to the relevant header file definition it.
#include < netinet / in.h>
#include < netinet / if_ether.h>
#include < netinet / ip.h>
#include < netinet / tcp.h>
#include < netinet / udp.h>
#include < netinet / ip_icmp.h>

5.6 our current program usually requires the following parameter information from the command line successor:
wlan0 to be capture card name
tcp port 80 filter expression
10000 or -1 capture mode, grasping a specified number of packages (this is 10 000 packages), or go on an unlimited Ethereal
Of course, these parameters, you can also write to die in the program.

[1] .http: //www.tcpdump.org/pcap.html
- Ubuntu rights management common commands (Linux)
- To teach you how to safely send mail (Linux)
- Linux (Ubuntu) How iptables port mapping (Server)
- Linux Getting Started tutorial: Experience VirtualBox Virtual Machine chapter (Linux)
- 30 Practical Linux system administrators will learn the command (Linux)
- How to override the plain text files and directories soft connection in linux (Linux)
- iOS in the event delivery and the responder chain (Programming)
- How to manage your to-do list with the Go For It on Ubuntu (Linux)
- swap space is insufficient cause OOM kill MySQL Case (Database)
- Windows Remote Desktop Management CentOS 6.4 (Linux)
- Security matters and practical Linux System (Linux)
- CentOS 6.5 installation Python3.0 (Linux)
- Heartbeat cluster components Overview (Server)
- Linux environmental performance data acquisition system (Linux)
- Linux Basic Course: Install the software from source code (Linux)
- Linux Firewall Builder shorewall (Linux)
- Android Dynamic efficiency articles: a brilliant Loading Analysis and Implementation (Programming)
- Keepalived achieve high availability Nginx Reverse Proxy (Server)
- Linux monitoring tools introduced series --smem (Server)
- Ubuntu 10.04 to Ubuntu 10.10 Upgrade (Linux)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.