Libpcap tutorial-02


Well now we sort of know the nature of packet capture, we have
identified that we do in fact have an interface to pull things from, how
about we go ahead and grab a packet!
“Just give me the dam免费云主机域名n example
and let me hack…”, you cry
Very well….. Here you go.. download
from here.. testpcap1.c or just cut and paste
below.Well, that wasn’t too bad was it?! Lets give her a test run ..After typing a.out I jumped into another terminal and tried to
ping www.google.com. The output captured the ICMP packet used to ping
www.google.com. If you don’t know exactly what goes on under the covers
of a network you may be curios how the computer obtained the destination
ethernet address. Aha! You don’t actually think that the destination
address of the ethernet packet is the same as the machine at www.google.com
do you!?
The destination address is the next hop address of the packet, most
likely your network gateway … aka the computer that ties your network
to the internet. The packet must first find its way to your gateway
which will then forward it to the next hop based on ist routing table.
Lets do a quick sanity check to see if we in fact are sending to the
gateway …. You can use the route command to look at your local
computer’s routing table. The routing table will tell you the next hop
for each destination. The last entry (default) is for all packets not
sent locally (127 subnet) or to the 192.16.1 subnet. These packets are
forwarded to 192.168.1.1.we can then use the arpcommand determine the hardware address for
192.168.1.1.If your gateway is not in your arp cache, try and ping it, and then retry
the arp command. The point is this, in order for your computer to send
the packet it must first get the MAC address of the next hop
(00:20:78:D1:E8:01 for my network).An obvious follow-up question is, “how did my computer know the gateway
hardware address”? Let me then digress for a moment. My computer knows
the IP address of the gateway. As you can see from the handy-dandyarp command there is an internal table (the arp cache) which maps
IP addresses to hardware addresses.Hardware addresses on ethernet are obtained using the Address Resolution
Protocol or ARP. ARP is is described in RFC826 which can be found… Here! It works as
follows. If my computer wants to know the hardware address for the
computer with IP 1.2.3.4, it sends and ARP request packet to Ethernet
broadcast out of the Interface which 1.2.3.4. as attached. All
computers connected to this interface (including 1.2.3.4) should recevie
the packet and process the requests. However, only 1.2.3.4 should issue
a reply which will contain its Ethernet address. On receipt of the
reply, my computer will “cache” out the hardware address for all subsequent
packets sent to 1.2.3.4 (until the cache entry times out).

ARP packets are of Thernet type…ETHERTYPE_ARP which is defined in net/ethernet.h as follows.You can force an Ethernet ARP request by clearing your computer’s ARP
cache. Below I do this, and then run the above program again to grab
the outgoing ARP request.So as you can see, once the hardware address was removed the the cache,
my computer needed to send an arp request to broadcast (i.e.
ff:ff:ff:ff:ff:ff) looking for the owner of the higher level address, in
this case IP 192.168.1.1. What do you think would happen if you cleared
your arp cache and modified testpcap1.c to capture 2 packets?! Hey I
know why don’t you try it :-P~~~~Lets now disect the packet by checking out
right now we are not concerned with the network or transport protocol, we
just want to peer into the ethernet headers…. Lets say that we
are runnig at 10Mb/s…
So it looks like the first ETH_ALEN bytes are the destination ethernet
address (look at linux/if_ether.h for the definition of ETH_ALEN :-)
of the packet (presumedly your machine). The next ETH_ALEN bytes
are the source. Finally, the last word is the packet type. Here are
the protocol ID’s on my machine from net/ethernet.h
For the purpose of this tutorial I will be focusing on IP and perhaps a little
bit on ARP… the truth is I have no idea what the hell Xerox PUP
is.Allright so where are we now? We know the most basic of methods for
grabbing a packet. We covered how hardware addresses are resolved and
what a basic ethernet packet looks like. Still we are using a ver small
subset of the functionality of libpcap, and we haven’t even begun to
peer into the packets themselves (other than the hardware headers) so
much to do and so little time :-) As you can probably tell by now, it
would be near impossible to do any real protocol analysis with a program
that simply captures one packet at a time. What we really want to do is
write a simple packet capturing engine that will nab as many packets as
possible while filtering out those we dont want. In the next section we
will construct a simple packet capturing engine which will aid us in
packet dissection later on.

相关推荐: linux中的cp命令如何设置不提示

本篇内容主要讲解“linux中的cp命令如何设置不提示”,感兴趣的朋友不妨来看看。本文介绍的方法操作简单快捷,实用性强。下面就让小编来带大家学习“linux中的cp命令如何设置不提示”吧! linux中设置cp命令不提示方法:1、修改“~/.bashrc”文件…

免责声明:本站发布的图片视频文字,以转载和分享为主,文章观点不代表本站立场,本站不承担相关法律责任;如果涉及侵权请联系邮箱:360163164@qq.com举报,并提供相关证据,经查实将立刻删除涉嫌侵权内容。

Like (0)
Donate 微信扫一扫 微信扫一扫
Previous 01/30 11:38
Next 01/30 11:50