
罗索

获取Ethereal抓包中数据的程序段

落鹤生 发布于 2014-04-13 17:45 点击:次 
TAG: wireshark  ethereal  

落鹤生:几年前我曾写过一个小插件专门用来读wireshark抓下来的包的,但不知道代码被我放哪儿去了。其实这个功能很简单,wireshark的包前面固定是五十几个byte的头,然后后面就是ip头,再接着就是tcp头或者udp头,最后就是实际的数据。以下这个转自CSDN的文章就是用来解析这个头的。

需要libpcap的库以及头文件:)

代码:

#include <stdint.h>
#include <stdio.h>

#include <pcap.h>
 
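/* Row width (in bytes) for a packet hex dump. */
#define LINE_LEN 16

/* Identification strings printed by the usage banner in main(). */
#define TS_SPLIT_VERSION     "1.00"
#define TS_SPLIT_PROG_VERSION    "EhterealCapDump V"TS_SPLIT_VERSION
#define TS_SPLIT_URL         "http://rg4.net"
#define TS_SPLIT_COPYRIGHT   "(c) 2006  da5le  (xiaoguizi)"


/*
 * Integer aliases used by getBits()/getBits48().
 * int32_t and int64_t come from <stdint.h>; the compiler-specific
 * __int32/__int64 spellings only build with Microsoft compilers, and
 * hand-written definitions of the <stdint.h> names can disagree with the
 * ones the platform headers provide.
 */
typedef unsigned char u_char;
typedef uint64_t u_int64_t;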


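/*
-- get bits out of buffer  (max 48 bit)
-- bits are numbered MSB first: bit 0 is the top bit of buf[byte_offset]
-- only the bytes that hold the requested bits are read (1..7 bytes,
   starting at buf[byte_offset + startbit/8]); the buffer length is not
   known here, so the caller has to make sure those bytes exist
-- return: value
           0 if bitlen <= 0
           0xFEFEFEFEFEFEFEFE (converted to int64_t) if bitlen > 48
           or startbit < 0
*/

int64_t
getBits48 (u_char *buf, int32_t byte_offset, int32_t startbit, int32_t bitlen)
{
 u_char *b;
 u_int64_t acc;
 u_int64_t mask;
 int32_t nbytes;
 int32_t shift;
 int32_t i;

 // -- nothing requested: a zero length always produced 0 (empty mask);
 //    returning early also keeps negative lengths away from the shifts
 if (bitlen <= 0) {
  return 0;
 }

 // -- request out of bound: deliver the constant fail value
 if (bitlen > 48 || startbit < 0) {
  //out_nl (1," Error: getBits48() request out of bound!!!! (report!!) /n");
  return (int64_t) 0xFEFEFEFEFEFEFEFEULL;
 }

 b = &buf[byte_offset + (startbit / 8)];
 startbit %= 8;

 // -- startbit is 0..7 and bitlen 1..48 here, so at most 55 bits (7 bytes)
 //    are gathered; reading no more than that avoids touching bytes behind
 //    the field when it sits at the very end of a buffer
 nbytes = (startbit + bitlen + 7) / 8;
 acc = 0;
 for (i = 0; i < nbytes; i++) {
  acc = (acc << 8) | b[i];
 }

 shift = (nbytes * 8) - startbit - bitlen;   // unused low bits, 0..7
 mask  = ((u_int64_t)1 << bitlen) - 1;       // 64 bit shift, bitlen <= 48

 return (int64_t) ((acc >> shift) & mask);
}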


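/*
-- get bits out of buffer  (max 32 bit)
-- bits are numbered MSB first: bit 0 is the top bit of buf[byte_offset]
-- 1..24 bit are gathered here from the 1..4 bytes that hold them,
   25..32 bit are handed to getBits48()
-- the buffer length is not known here, so the caller has to make sure
   the bytes covering the field exist
-- return: value
           0 if bitlen <= 0
           0xFEFEFEFE if bitlen > 32 or startbit < 0
*/
unsigned long
getBits (u_char *buf, int32_t byte_offset, int32_t startbit, int32_t bitlen)
{
 u_char *b;
 unsigned long acc;
 unsigned long mask;
 int32_t nbytes;
 int32_t shift;
 int32_t i;

 // -- <=0 bits: always 0
 if (bitlen <= 0) {
  return 0L;
 }

 // -- 33.. bits (or a negative bit position): fail, deliver constant fail value
 if (bitlen > 32 || startbit < 0) {
  //out_nl (1," Error: getBits() request out of bound!!!! (report!!) /n");
  return (unsigned long) 0xFEFEFEFE;
 }

 /* For Byte Reading */
 b = &buf[byte_offset + (startbit >> 3)];
 startbit %= 8;

 // -- 25..32 bit: with the bit offset up to 39 bits have to be gathered,
 //    which a 32 bit unsigned long cannot hold
 if (bitlen > 24) {
  return (unsigned long) getBits48 (b, 0, startbit, bitlen);
 }

 // -- 1..24 bit: at most 31 bits (4 bytes). The bytes are accumulated in an
 //    unsigned type, so a first byte >= 0x80 is never shifted into the sign
 //    bit of an int (undefined behaviour in the <<24 form).
 nbytes = (startbit + bitlen + 7) / 8;
 acc = 0;
 for (i = 0; i < nbytes; i++) {
  acc = (acc << 8) | b[i];
 }

 shift = (nbytes * 8) - startbit - bitlen;   // unused low bits, 0..7
 mask  = (1UL << bitlen) - 1;

 return (acc >> shift) & mask;
}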

 
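/*
 * EtherealCapDump: read every packet of the capture file named on the
 * command line and append the bytes that follow the first 42 bytes of each
 * packet to "out.mpg" in the current directory (append mode, so repeated
 * runs keep adding to the same file).
 *
 * The capture file is untrusted input. Every offset into a packet is
 * checked against header->caplen before it is used; without that check a
 * packet shorter than 42 bytes makes "caplen - 42" wrap around and fwrite()
 * read far past the packet buffer.
 *
 * NOTE(review): the 42-byte skip presumably stands for Ethernet (14) + IPv4
 * without options (20) + UDP (8). Nothing here verifies the link type, the
 * EtherType, the IP header length or the protocol, so bytes of any other
 * kind of packet are written out as if they were payload. Filter the
 * capture to the wanted UDP stream before running this, or add those checks.
 *
 * The sizeof/offset scratch test that the original listing ran before
 * argument parsing is not part of the tool and is left out.
 *
 * Returns 0 on success, -1 on usage, open, read, write or close errors.
 */
int main(int argc, char **argv) {

 /* bytes skipped at the start of every packet */
 static const unsigned int payload_offset = 42;
 /* getBits() may touch payload bytes 1..3 to extract the 13-bit field */
 static const size_t pid_field_bytes = 4;

 pcap_t *fp;                      // handle of the offline capture
 char errbuf[PCAP_ERRBUF_SIZE];   // filled by pcap_open_offline() on failure
 struct pcap_pkthdr *header;
 const u_char *pkt_data;          // owned by libpcap, read only
 int res;
 int rc = 0;
 FILE* outfile;

 if(argc != 2){

  printf("EtherealCapDump  - only UDP packet can be dumped!!!\n");
  printf("Version: %s/  (%s %s)\n", TS_SPLIT_PROG_VERSION,__DATE__,__TIME__);
  printf("         %s  \n",TS_SPLIT_URL);
  printf("         %s  \n",TS_SPLIT_COPYRIGHT);
  /* argv[0] can be NULL when the program is started with an empty argv */
  printf("usage: %s filename\n", (argc > 0 && argv[0] != NULL) ? argv[0] : "EtherealCapDump");
  return -1;

 }

 /* Open a capture file and get the GlobalHeader*/
 if ( (fp = pcap_open_offline(argv[1], errbuf) ) == NULL)
 {
  fprintf(stderr,"\nError opening dump file: %s\n", errbuf);
  return -1;
 }

 /*Open output file*/
 outfile = fopen("out.mpg","ab+");
 if (outfile == NULL) {
  fprintf(stderr,"\nError opening dump output file\n");
  pcap_close(fp);
  return -1;
 }

 /* Retrieve the packets from the file */
 while((res = pcap_next_ex( fp, &header, &pkt_data)) >= 0){
  const u_char *payload;
  size_t payload_len;

  /* 0 is the "timeout, no packet" result of a live capture; header and
     pkt_data are not valid in that case */
  if (res == 0)
   continue;

  /* print pkt timestamp and pkt len */
  printf("%ld:%ld (%lu)\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec,
         (unsigned long)header->len);

  if (header->caplen > payload_offset) {
   payload     = pkt_data + payload_offset;
   payload_len = (size_t)(header->caplen - payload_offset);

   /*Parse Packet and output Raw data*/
   /* 13 bits at bit 11 of the payload; presumably the PID of an MPEG
      transport stream packet. getBits() only reads through the pointer. */
   if (payload_len >= pid_field_bytes) {
    unsigned int pid = (unsigned int) getBits ((u_char *)payload, 0,11,13);
    printf("pid: %u",pid);
   }

   /* Author's note: trailing garbage bytes in captured packets caused TEI
      errors in TSreadlite; nothing is trimmed here. */
   /*Save Raw Data Alexis*/
   if (fwrite(payload,payload_len,1,outfile) != 1) {
    fprintf(stderr,"\nError writing dump output file\n");
    rc = -1;
    break;
   }
  } else {
   /* too short to hold the skipped headers plus any payload */
   fprintf(stderr,"packet with %lu captured bytes skipped\n",
           (unsigned long)header->caplen);
  }

  printf("\n\n");
 }


 /* -1 is a read error; -2 is the regular end of the capture file */
 if(res == -1){
  printf("Error reading the packets: %s\n", pcap_geterr(fp));
  rc = -1;
 }

 /* fclose() flushes buffered payload, so its result matters too */
 if (fclose(outfile) != 0) {
  fprintf(stderr,"\nError closing dump output file\n");
  rc = -1;
 }

 pcap_close(fp);

 return rc;
}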

 

(da5le)
本站文章除注明转载外,均为本站原创或编译欢迎任何形式的转载,但请务必注明出处,尊重他人劳动,同学习共成长。转载请注明:文章转载自:罗索实验室 [http://www.rosoo.net/a/201404/16950.html]
本文出处:CSDN博客 作者:da5le 原文