获取 Npcap IPv6 源地址和目标地址 [英] Getting Npcap IPv6 source and destination addresses

问题描述

我正在尝试使用 npcap SDK (https://nmap.org/npcap/) 在 Windows 中.它适用于 IPv4，但它为 IPv6 地址的源和目标返回相同的地址.这是我的 packet_handler 回调函数的代码:

I'm trying to get the source and destination addresses for all packets using the npcap SDK (https://nmap.org/npcap/) in Windows. It works for IPv4, but it is returning the same address for the source and destination for IPv6 addresses. Here is the code for my packet_handler callback function:

void packet_handler(u_char* param, const struct pcap_pkthdr* header, const u_char* pkt_data)
{
    u_int ip_len;
    u_short eth_type;
    const sniff_ip* iph;
    const in6_addr* orig_saddr6;
    const in6_addr* orig_daddr6;
    in6_addr swapped_saddr;
    in6_addr swapped_daddr;

    const struct sniff_ethernet* ethernet; /* The ethernet header */

    ip_len = header->len;
    ethernet = (struct sniff_ethernet*)(pkt_data);
    eth_type = ntohs(ethernet->ether_type);

    iph = (sniff_ip*)(pkt_data +
        14); //length of ethernet header

    if (eth_type == 0x0800) {
        char str_saddr[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &(iph->ip_src), str_saddr, INET_ADDRSTRLEN);

        char str_daddr[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &(iph->ip_dst), str_daddr, INET_ADDRSTRLEN);
        printf("%s %s\n", str_saddr, str_daddr);
    }
    else if (eth_type == 0x86DD)
    {
        char str_saddr[INET6_ADDRSTRLEN];
        orig_saddr6 = (const in6_addr*)&(iph->ip_src);
        ipv6_sbyteswap(orig_saddr6, &swapped_saddr);
        inet_ntop(AF_INET6, &swapped_saddr, str_saddr, INET6_ADDRSTRLEN);

        char str_daddr[INET6_ADDRSTRLEN];
        orig_daddr6 = (const in6_addr*)&(iph->ip_dst);
        ipv6_dbyteswap(orig_daddr6, &swapped_daddr);
        inet_ntop(AF_INET6, &swapped_daddr, str_daddr, INET6_ADDRSTRLEN);

        printf("%s %s\n", str_saddr, str_daddr);
    }
}

我看到的问题是当 eth_type 用于 IPv6 数据包时，saddr 和 daddr 是相同的 IP 地址(例如 eth_type == 0x86DD)，除了字节的顺序不同.我已经对代码进行了两倍和三倍的检查，但是当我检查 iph->ip_src 和 iph->ip_dst 时，我看到了相同的类型，因此看起来 npcap 库返回了相同的地址.我看不出我可以做些什么来改变这种行为.有人遇到过这种情况吗?

The problem I am seeing is that the saddr and daddr are the same IP address when the eth_type is for IPv6 packets (e.g. eth_type == 0x86DD), except the bytes are in a different order. I've doubled and tripled check the code, but when I check the iph->ip_src and iph->ip_dst I see the same types, so it looks like the npcap library is returning the same address. I don't see anything I can do to change the behavior. Has anyone ran into this?

推荐答案

要解决此问题，您必须使用适当的 IPv6 结构强制转换 IP 标头.这是工作代码:

To resolve the problem, you have to cast the IP header using the appropriate IPv6 structure. Here is the working code:

/* IPv4 header */
typedef struct ip4_header {
    u_char  ver_ihl;        // Version (4 bits) + Internet header length (4 bits)
    u_char  tos;            // Type of service 
    u_short tlen;           // Total length 
    u_short identification; // Identification
    u_short flags_fo;       // Flags (3 bits) + Fragment offset (13 bits)
    u_char  ttl;            // Time to live
    u_char  proto;          // Protocol
    u_short crc;            // Header checksum
    ip_address  saddr;      // Source address
    ip_address  daddr;      // Destination address
    u_int   op_pad;         // Option + Padding
}ip4_header;

/* IPv6 header */
typedef struct ipv6_header
{
    unsigned int
        version : 4,
        traffic_class : 8,
        flow_label : 20;
    uint16_t length;
    uint8_t  next_header;
    uint8_t  hop_limit;
    struct in6_addr saddr;
    struct in6_addr daddr;
} ipv6_header;

/* Process IPv6 packets*/
void ipv6_handler(const u_char* pkt_data) {
    const ipv6_header* iph;

    iph = (ipv6_header*)(pkt_data + ETHERNET_HEADER_LEN);
    char str_saddr[INET6_ADDRSTRLEN];
    memset(str_saddr, 0, sizeof(str_saddr));
    inet_ntop(AF_INET6, &iph->saddr, str_saddr, INET6_ADDRSTRLEN);

    char str_daddr[INET6_ADDRSTRLEN];
    memset(str_daddr, 0, sizeof(str_saddr));
    inet_ntop(AF_INET6, &iph->daddr, str_daddr, INET6_ADDRSTRLEN);

    printf("%s %s\n", str_saddr, str_daddr);
}

void packet_handler2(u_char* param, const struct pcap_pkthdr* header, const u_char* pkt_data)
{

    const struct sniff_ethernet* ethernet; /* The ethernet header */

    u_short eth_type;
    ethernet = (struct sniff_ethernet*)(pkt_data);
    eth_type = ntohs(ethernet->ether_type);

    if (eth_type == ETHERNET_TYPE_IPv4) {
        ipv4_handler(pkt_data);
    }
    else if (eth_type == ETHERNET_TYPE_IPv6)
    {
        ipv6_handler(pkt_data);
    }
}

这篇关于获取 Npcap IPv6 源地址和目标地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！