First, download the libpcap package first.http://www.tcpdump.org/#latest-release

Then install, after the installation is complete, go to the tests folder of the installation root directory, compile and run findalldevstest.c (compile with -lpcap) to see if all network devices are found.

Second, download wireshark to observe the various functions of the capture software

Third, familiar with the working principle of libpcap:

Fourth, understand the basic process of libpcap capture:

Five, programming implementation

To be continued. . .

 

PS: Organize the data type definitions commonly used by libpcap

• Type definition of libpcap:

0)、typedef int bpf_int32

1)、typedef u_int bpf_u_int32

32bit typeless shaping;

2）、typedef pcap pcap_t

Descriptor of an open capture instance (an open capture instance descriptor?) This structure is opaque to the user.

3）、typedef pcap_dumper pcap_dumper_t

Libpcap saves the descriptor of the file.

4）、typedef pcap_if pcap_if_t

An element of a network card list;

5）、typedef pcap_addr pcap_addr_t

a representation of the network card address;

6）、typedef void (*pcap_handler)(u_char *args, const struct pcap_pkthdr *header,    const u_char *packet);

Where agrs is the fourth parameter passed from the pcap_dispatch() function. Generally, our own package capture program does not need to provide it, it is always NULL; header points
Pcap_pkthdr structure, which is located in front of the real physical frame to eliminate differences in support of different link layers; packet points to the physical frame of the captured message.

 

• Libpcap structure

The data structure definitions necessary for Libpcap library functions are mainly contained in the two header files pcap.h and pcap-int.h.

1) The pcap structure is defined in the pcap-int.h header file:
The members that need to be involved in programming are: int fd; open the device descriptor; u_char *buffer; is the buffer pointer to the captured data
struct pcap
{
Int fd; /* file description word, actually socket * /

Int selectable_fd; /* On sockets, I/O reuse type functions such as select() and poll() can be used */

Int snapshot; /* The maximum length of the capture packet expected by the user */

Int linktype; /* device type */

Int tzoff; /* time zone location, not actually used */

Int offset; /* boundary alignment offset */

Int break_loop; /* Forces a flag to jump out of the read packet loop */

Struct pcap_sf sf; /* The relevant configuration data structure for saving the data packet to the file */

Struct pcap_md md; /* is described as follows */

   

Int bufsize; /* length of the read buffer */

U_char buffer; /* read buffer pointer */

    u_char *bp;

    int cc;

    u_char *pkt;

/* Function pointers for related abstract operations, which ultimately point to handlers for specific operating systems */

    int   (*read_op)(pcap_t *, int cnt, pcap_handler, u_char *);

    int   (*setfilter_op)(pcap_t *, struct bpf_program *);

    int   (*set_datalink_op)(pcap_t *, int);

    int   (*getnonblock_op)(pcap_t *, char *);

    int   (*setnonblock_op)(pcap_t *, int, char *);

    int   (*stats_op)(pcap_t *, struct pcap_stat *);

    void (*close_op)(pcap_t *);

/* If the BPF filter code cannot be executed in the kernel, save it and execute it in user space */

    struct bpf_program fcode;

/* function call error message buffer */

    char errbuf[PCAP_ERRBUF_SIZE + 1];

   

/* Number of data link types supported by the current device */

    int dlt_count;

/* The data link type number list that can be changed is not used under linux */

    int *dlt_list;

/* Packet custom header, description of packet capture time, capture length, real length [pcap.h] */

    struct pcap_pkthdr pcap_header;  

};

 

/* Contains the interface, state, and filter information for the capture handle [pcap-int.h] */

struct pcap_md {

/* Capture state structure [pcap.h] */

struct pcap_stat stat; 

Int use_bpf; /* If 1, it means using kernel filtering*/

    u_long    TotPkts;

U_long TotAccepted; /* Number of received packets */

U_long TotDrops; /* Number of dropped packets */

Long TotMissed; /* Number of packets dropped by the interface while filtering is in progress */

Long OrigMissed; /*Number of packets discarded by the interface before filtering is performed*/

#ifdef linux

Int sock_packet; /* If 1, it means SOCK_PACKET mode using 2.0 kernel */

Int timeout; /* pcap_open_live() function timeout return time */

Int clear_promisc; /* Set the interface to non-promiscuous mode when closed */

Int cooked; /* Use SOCK_DGRAM type */

Int lo_ifindex; /* loop device index number */

Char *device; /* interface device name */

   

/* Open the pcap_t list of sockets of type SOCK_PACKET in promiscuous mode*/

struct pcap *next;      

#endif

};

 

(2) bpf_program structure
 
This structure is used in the pcap_compile() function and is defined in the bpf.h header file.

/* [pcap-bpf.h] */

struct bpf_program {

U_int bf_len; /* Number of predicate instructions in BPF code */

Struct bpf_insn *bf_insns; /* first predicate judgment instruction */

};

   

/* Predicate judgment instruction structure */

struct bpf_insn {

u_short    code;

u_char    jt;

u_char    jf;

bpf_int32 k;

};

 (3)

/usr/include/net/bpf.h

/*
* Structure prepended to each packet.
*/

Each time the kernel filter outputs a packet, 20 bytes of data will be added before the output data. This is struct bpf_hdr
struct bpf_hdr
{
    struct timeval bh_tstamp;   /* time stamp                 */
Bpf_u_int32 bh_caplen; /* length of captured portion data length*/
Bpf_u_int32 bh_datalen; /* original length of packet actual package length */
    u_short        bh_hdrlen;   /* length of bpf header (this struct
                                   plus alignment padding)    */
};

(4) pcap_stat structure
Calling the function pcap_stats() can return a structure
struct pcap_stat {
        u_int ps_recv; /* number of packets received */
        u_int ps_drop; /* number of packets dropped */
        u_int ps_ifdrop; /* drops by interface XXX not yet supported */
};

 

5）、

Struct pcap_addr: NIC address description
{
Pcap_addr *next; if not empty, a pointer to an element in the linked list; empty means the last element in the linked list
Sockaddr *addr; pointer to the structure of the sockaddr containing an address
Sockaddr *netmask; if non-empty, points to a structure containing a netmask relative to the address pointed to by addr
Sockaddr *broadaddr; if not null, points to a structure containing a netmask relative to the address pointed to by addr
Sockaddr *dstaddr; If non-empty, points to a destination address relative to the source address pointed to by addr, or null if the network does not support peer-to-peer communication
};

6), dump file format

The first is the Dump file header.

struct pcap_file_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_int32 thiszone; /* gmt to local correction */
bpf_u_int32 sigfigs; /* accuracy of timestamps */
bpf_u_int32 snaplen; /* max length saved portion of each pkt */
bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */

};

Then the header and data for each package

Pcap_pkthdr structure
 
/usr/include/pcap.h

/*
* Each packet in the dump file is prepended with this generic header.
* This gets around the problem of different headers for different
* packet interfaces.
*/
/* The custom header is also used to save the packet to a file */

struct pcap_pkthdr

{

Struct timeval ts; /* capture timestamp */

Bpf_u_int32 caplen; /* Capture the length of the packet */

Bpf_u_int32 len; /* The true length of the packet */

}

 

/* Single packet structure containing packet meta information and data information */

struct singleton [pcap.c]

{

Struct pcap_pkthdr hdr; /* libpcap custom packet header */

Const u_char * pkt; /* points to the captured network data */

};

 

 

7), pcap_if (libpcap custom interface information list [pcap.h])

 

struct pcap_if

{

struct pcap_if *next;

Char *name; /* interface device name */

Char *description; /* interface description */

          

/* interface IP address, address mask, broadcast address, destination address */

struct pcap_addr addresses;

Bpf_u_int32 flags; /* interface parameters */

};