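I am trying to test classic BPF by attaching it to a raw socket. I want to capture TCP packets where the first byte of the source port == 8 (tcpdump 'tcp[1:1] = 0x50'), but I see no incoming packets on the socket. Without the filter my code works fine.
Here is the code sample: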
```c
#include <stdio.h>       // for printf
#include <string.h>      // memset
#include <sys/socket.h>  // for socket of course
#include <stdlib.h>      // for exit(0);
#include <errno.h>       // For errno - the error number
#include <netinet/tcp.h> // Provides declarations for tcp header
#include <netinet/ip.h>  // Provides declarations for ip header
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/filter.h>

#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))

/*
    96 bit (12 bytes) pseudo header needed for tcp header checksum calculation
*/
struct pseudo_header
{
    u_int32_t source_address;
    u_int32_t dest_address;
    u_int8_t placeholder;
    u_int8_t protocol;
    u_int16_t tcp_length;
};

/*
    Generic checksum calculation …
```