dud*_*bro 2 c macos wireless pcap libpcap
我正在通过pcap和无线工作.根据我之前的问题回复发布的示例,我试图从无线帧中提取mac地址.我已经为radiotap头和基本管理框架创建了结构.出于某种原因,当涉及到尝试输出mac地址时,我打印出错误的数据.当我与wireshark比较时,我不明白为什么无线电数据打印正确但mac地址不正确.当我查看数据包并比较我捕获的数据包时,我看不到wireshark显示的十六进制转储中的任何额外填充.我有点熟悉c但不是专家所以也许我没有正确使用指针和结构有人可以帮助告诉我我做错了什么?
谢谢,昆汀
// main.c
// MacSniffer
//
#include <pcap.h>
#include <string.h>
#include <stdlib.h>
#define MAXBYTES2CAPTURE 65535
#ifdef WORDS_BIGENDIAN
typedef struct frame_control
{
unsigned int subtype:4; /*frame subtype field*/
unsigned int protoVer:2; /*frame type field*/
unsigned int version:2; /*protocol version*/
unsigned int order:1;
unsigned int protected:1;
unsigned int moreDate:1;
unsigned int power_management:1;
unsigned int retry:1;
unsigned int moreFrag:1;
unsigned int fromDS:1;
unsigned int toDS:1;
}frame_control;
struct ieee80211_radiotap_header{
u_int8_t it_version;
u_int8_t it_pad;
u_int16_t it_len;
u_int32_t it_present;
u_int64_t MAC_timestamp;
u_int8_t flags;
u_int8_t dataRate;
u_int16_t channelfrequency;
u_int16_t channFreq_pad;
u_int16_t channelType;
u_int16_t channType_pad;
u_int8_t ssiSignal;
u_int8_t ssiNoise;
u_int8_t antenna;
};
#else
typedef struct frame_control
{
unsigned int protoVer:2; /* protocol version*/
unsigned int type:2; /*frame type field (Management,Control,Data)*/
unsigned int subtype:4; /* frame subtype*/
unsigned int toDS:1; /* frame coming from Distribution system */
unsigned int fromDS:1; /*frame coming from Distribution system */
unsigned int moreFrag:1; /* More fragments?*/
unsigned int retry:1; /*was this frame retransmitted*/
unsigned int powMgt:1; /*Power Management*/
unsigned int moreDate:1; /*More Date*/
unsigned int protectedData:1; /*Protected Data*/
unsigned int order:1; /*Order*/
}frame_control;
struct ieee80211_radiotap_header{
u_int8_t it_version;
u_int8_t it_pad;
u_int16_t it_len;
u_int32_t it_present;
u_int64_t MAC_timestamp;
u_int8_t flags;
u_int8_t dataRate;
u_int16_t channelfrequency;
u_int16_t channelType;
int ssiSignal:8;
int ssiNoise:8;
};
#endif
struct wi_frame {
u_int16_t fc;
u_int16_t wi_duration;
u_int8_t wi_add1[6];
u_int8_t wi_add2[6];
u_int8_t wi_add3[6];
u_int16_t wi_sequenceControl;
// u_int8_t wi_add4[6];
//unsigned int qosControl:2;
//unsigned int frameBody[23124];
};
void processPacket(u_char *arg, const struct pcap_pkthdr* pkthdr, const u_char* packet)
{
int i= 0, *counter = (int *) arg;
struct ieee80211_radiotap_header *rh =(struct ieee80211_radiotap_header *)packet;
struct wi_frame *fr= (struct wi_frame *)(packet + rh->it_len);
u_char *ptr;
//printf("Frame Type: %d",fr->wi_fC->type);
printf("Packet count: %d\n", ++(*counter));
printf("Received Packet Size: %d\n", pkthdr->len);
if(rh->it_version != NULL)
{
printf("Radiotap Version: %d\n",rh->it_version);
}
if(rh->it_pad!=NULL)
{
printf("Radiotap Pad: %d\n",rh->it_pad);
}
if(rh->it_len != NULL)
{
printf("Radiotap Length: %d\n",rh->it_len);
}
if(rh->it_present != NULL)
{
printf("Radiotap Present: %c\n",rh->it_present);
}
if(rh->MAC_timestamp != NULL)
{
printf("Radiotap Timestamp: %u\n",rh->MAC_timestamp);
}
if(rh->dataRate != NULL)
{
printf("Radiotap Data Rate: %u\n",rh->dataRate);
}
if(rh->channelfrequency != NULL)
{
printf("Radiotap Channel Freq: %u\n",rh->channelfrequency);
}
if(rh->channelType != NULL)
{
printf("Radiotap Channel Type: %06x\n",rh->channelType);
}
if(rh->ssiSignal != NULL)
{
printf("Radiotap SSI signal: %d\n",rh->ssiSignal);
}
if(rh->ssiNoise != NULL)
{
printf("Radiotap SSI Noise: %d\n",rh->ssiNoise);
}
ptr = fr->wi_add1;
int k= 6;
printf("Destination Address:");
do{
printf("%s%X",(k==6)?" ":":",*ptr++);
}
while(--k>0);
printf("\n");
ptr = fr->wi_add2;
k=0;
printf("Source Address:");
do{
printf("%s%X",(k==6)?" ":":",*ptr++);
}while(--k>0);
printf("\n");
ptr = fr->wi_add3;
k=0;
do{
printf("%s%X",(k==6)?" ":":",*ptr++);
}
while(--k>0);
printf("\n");
/* for(int j = 0; j < 23124;j++)
{
if(fr->frameBody[j]!= NULL)
{
printf("%x",fr->frameBody[j]);
}
}
*/
for (i = 0;i<pkthdr->len;i++)
{
if(isprint(packet[i +rh->it_len]))
{
printf("%c",packet[i + rh->it_len]);
}
else{printf(".");}
//print newline after each section of the packet
if((i%16 ==0 && i!=0) ||(i==pkthdr->len-1))
{
printf("\n");
}
}
return;
}
int main(int argc, char** argv)
{
int count = 0;
pcap_t* descr = NULL;
char errbuf[PCAP_ERRBUF_SIZE], *device = NULL;
struct bpf_program fp;
char filter[]="wlan broadcast";
const u_char* packet;
memset(errbuf,0,PCAP_ERRBUF_SIZE);
device = argv[1];
if(device == NULL)
{
fprintf(stdout,"Supply a device name ");
}
descr = pcap_create(device,errbuf);
pcap_set_rfmon(descr,1);
pcap_set_promisc(descr,1);
pcap_set_snaplen(descr,30);
pcap_set_timeout(descr,10000);
pcap_activate(descr);
int dl =pcap_datalink(descr);
printf("The Data Link type is %s",pcap_datalink_val_to_name(dl));
//pcap_dispatch(descr,MAXBYTES2CAPTURE,1,512,errbuf);
//Open device in promiscuous mode
//descr = pcap_open_live(device,MAXBYTES2CAPTURE,1,512,errbuf);
/* if(pcap_compile(descr,&fp,filter,0,PCAP_NETMASK_UNKNOWN)==-1)
{
fprintf(stderr,"Error compiling filter\n");
exit(1);
}
if(pcap_setfilter(descr,&fp)==-1)
{
fprintf(stderr,"Error setting filter\n");
exit(1);
}
*/
pcap_loop(descr,0, processPacket, (u_char *) &count);
return 0;
}
小智 8
你做错了几件事.
在第一你在做错误的事情被宣布radiotap头作为结构用得比较多领域it_version,it_pad,it_len,和it_present.有绝对没有保证的是在任意radiotap头会有,例如,是一个64位的MAC_timestamp字段以下it_present字段.您必须查看该it_present字段以查看标题中的哪些字段实际存在.有关如何处理radiotap标头的详细信息,请访问radiotap网站.
该字段的值,反对0(或比较NULL)并没有工作-如果一个字段不存在,它根本不存在.
您的代码可能适用于特定操作系统上特定网络适配器的特定驱动程序版本,但如果更改驱动程序或在具有不同类型适配器的计算机上运行(例如,Atheros与Broadcom适配器),则可能会失败在Mac上)或者如果您尝试在不同的操作系统(例如Linux)上运行它.
如果你希望这个代码在big-endian机器上运行,你还需要更仔细地从radiotap头中获取字段,因为它们都是小端的.(在#define你的代码是不是足够了点.)
除了字节顺序的问题,这将在Mac电脑上显示只有你一个PowerPC的Mac上运行的,你是正确跳过过去radiotap头,所以这不是问题.
此外,MAC时间戳是一个64位整数,在32位机器上,它必须打印%llu而不是%u.
您还应该检查错误. pcap_create()而pcap_activate()大概是不会失败的,如果你看到的数据包,所以这可能不是眼前的问题,但你无论如何都应该检查是否存在故障.该pcap_set_程序也可能不是没有,至少没有在Wi-Fi设备,但你无论如何都应该进行检查.
如果您要假设数据包是802.11 + radiotap数据包,您应该至少检查以确保返回值为pcap_datalink()is DLT_IEEE802_11_RADIO并且如果不是则失败.在您使用它时,在为链接层类型打印的消息末尾添加换行符.
但主要认为你做错了就是捕获每个数据包不超过30个字节!当你这样做时pcap_set_snaplen(descr,30);,你会说"不要捕获超过30个字节"; radiotap头可能比那个更长,所以你甚至不会得到所有的radiotap头,更不用说获得任何802.11头了.
如果您想捕获整个数据包,只需将pcap_set_snaplen()呼叫保留.
哦,如果你想要非常小心,请确保,当你看到radiotap和802.11标题时,你还没有过去pkthdr->caplen.
这也意味着你的循环,检查pkthdr->len应该检查pkthdr->caplen 与应利用包开始[0]或应减去rh->it_len从pkthdr->caplen(你应该检查,以确保rh->it_len大于或等于pkthdr->caplen同时或之前,你分析的radiotap头,那结果减法将是积极的).快照长度包括所有伪标头,例如radiotap标头.