How to perform scanning of wifi ap available nearby using pcap in c


Problem description

Basically I want a simple C code which illustrates capturing packets in promiscuous mode and extracting the SSID from them.

Edit1

I am writing the code which I wrote to perform basic sniffing.

#include <stdio.h>
#include <pcap.h>

int main(int argc, char *argv[]){
    pcap_t *handle;
    struct pcap_pkthdr header;
    const u_char *packet;
    unsigned int i;

    char *dev, errbuf[PCAP_ERRBUF_SIZE];
    //      dev = pcap_lookupdev(errbuf);
    dev = (argc > 1) ? argv[1] : NULL;   /* device name from the command line */
    if( dev == NULL ){
            fprintf(stderr, "Usage: %s <device>\n", argv[0]);
            return 1;
    }
    printf("Device: %s\n", dev);
    /* snaplen BUFSIZ, promisc = 0, read timeout 1000 ms */
    handle = pcap_open_live( dev , BUFSIZ , 0 , 1000 , errbuf);
    if( handle == NULL ){
            fprintf(stderr , "couldn't open device %s: %s\n" , dev , errbuf);
            return 1;
    }
    /* pcap_next() returns NULL on timeout or error; check before touching the buffer */
    packet = pcap_next( handle, &header );
    if( packet == NULL ){
            fprintf(stderr, "no packet captured\n");
    } else {
            printf( "Grabbed a packet with length %u (captured %u)\n" , header.len , header.caplen );
            /* dump the captured bytes as hex: raw packet data is not a NUL-terminated string */
            for( i = 0; i < header.caplen; i++ )
                    printf( "%02x%s" , packet[i] , (i % 16 == 15) ? "\n" : " " );
            printf( "\n" );
    }
    pcap_close( handle );
    return 0;
}

Solution

TL;DR: You're fundamentally taking the wrong direction. Packet capture with libpcap simply does not work this way for Wi-Fi.

  • Because SSIDs are in 802.11 management frames, you want to capture in monitor mode, not promiscuous mode.
  • You then need to use a pcap filter on management frames, specifically for the beacons and/or probe requests and/or probe responses. That's where the SSIDs are.
  • Then, and only then, you'll have to code the parsing of these specific packets. There's no fixed format (lots of optional fields, as can be seen from looking at a capture with Wireshark), so there's no "one size fits all" parsing. But it's not too hard to get the SSID.

Still, you're far from this SSID parsing. It's actually the last of your problems so far. So now the gory details.

You have 3 possibilities regarding libpcap on Wi-Fi:

1/ Normal mode (not promiscuous, not monitor):

You will see packets to/from your interface. Not to/from other APs (Access Points) or STAs (Stations).

These packets will look like "regular Ethernet frames", without the 802.11 parts nor the pure 802.11 management packets, so if your goal is to get the SSIDs around you that's no good, you simply won't see these. The only usable use case for this is that your wlan0 is a STA or the AP itself, and you want to capture the traffic between network application(s) running on the same machine that runs your capture program.

2/ Promiscuous mode.

Again, you'll need to be either a STA or the AP, and pcap will give you what looks like regular Ethernet frames, not the 802.11 management part, so again that's useless for SSID. If you're a STA: you won't see much as compared to case 1/ normal mode. What you'll see more are the broadcast (from a layer 2/layer 3) frames from other STAs. For example ARP requests, multicast/broadcast UDP. But not the unicast traffic from these other STAs. If you are the AP, then yes, you will see the traffic from the connected STAs (note: unless you use Wi-Fi Direct https://en.wikipedia.org/wiki/Wi-Fi_Direct, where stations communicate directly without packets passing through an AP).

3/ Monitor mode. Now we're talking.

You'll put your interface in monitor mode using the libpcap API, see some example directions here:

Why is pcap_datalink() always returning 1 (Ethernet), even on wireless device? (http://stackoverflow.com/questions/32353794/why-is-pcap-datalink-always-returning-1-ethernet-even-on-wireless-device/32354185#32354185)

...or you'll create a monitoring interface beforehand and will launch your pcap process on this. Read:

https://wiki.wireshark.org/CaptureSetup/WLAN#Turning_on_monitor_mode

You will not be connected (neither as STA nor AP) *and you can capture everything (but... + see my final warning lower): 802.11 management frames including beacons, probe requests and probe responses, with your precious SSIDs. And all data.* If you have some access points without encryption, the TCP/IP of data frames from these will be in clear.

Now, the "but" parts:

3.1 - What you will capture will not be regular Ethernet-like frames. You'll have a radiotap header (some meta-information added by the kernel) and then a bunch of 802.11 fields. This can be quite tedious to parse, but if you're just interested in the SSID it can be just a few tens of lines of C code.

3.2 - Sadly, there is no "SSID filter" in the pcap filter syntax that you can apply and just go.

http://www.tcpdump.org/manpages/pcap-filter.7.html

And this is because there is simply no "SSID field" per se, it depends on the type/context of the packet. Still, pcap filters can help you: what you can do is capture beacons using a "type mgt subtype beacon" filter. You may also be interested in "type mgt subtype probe-resp" and "type mgt subtype probe-resp". Then, you'll have to manually parse these: the format is kind of "elastic". Fortunately the SSID is among the first fields and it's a few tens of lines of C code to get it.

Once you'll get to that, but you're still far from it, if you encounter problems with parsing the beacons, then you may come back with a more specific question.

Final warning: be warned that if you want to go beyond SSID and capture applicative data traffic, even putting aside the question of encryption, and the parsing work to go from your 802.11+radiotap packet to the layer 3 and above juicy parts, well... the result is not guaranteed. In my experience: my environment is extremely noisy (dozens of busy APs and STAs), and most of the time the capture misses some bits: Wireshark dissection on such a capture shows "ACKed unseen segment", TCP sequence numbers have gaps and "follow TCP dialog" on such a capture shows some "[NNN missing bytes from capture]".
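The "few tens of lines of C" the answer refers to, as an added example that is not part of the original question or answer: a bounds-checked parser that walks a monitor-mode frame (radiotap header, 802.11 MAC header, beacon fixed fields, then the tagged parameters) and pulls out the SSID (tag 0). It has no libpcap dependency so it runs stand-alone on a constructed sample frame; in a real capture you would call extract_ssid() from your pcap_loop() callback after compiling the "type mgt subtype beacon" filter the answer mentions.

```c
#include <stdio.h>
#include <string.h>

/* Return the SSID of a beacon / probe-response frame captured in monitor mode
 * (radiotap header + 802.11 frame). Copies the SSID into out (NUL-terminated) and
 * returns its length: 0 = hidden (empty) SSID, -1 = wrong frame type or truncated. */
int extract_ssid(const unsigned char *pkt, size_t caplen, char *out, size_t outlen)
{
    size_t rt_len, off, end;
    if (caplen < 4 || pkt[0] != 0) return -1;          /* radiotap version must be 0 */
    rt_len = pkt[2] | (pkt[3] << 8);                    /* radiotap length, little-endian */
    if (rt_len < 8 || rt_len + 24 + 12 > caplen) return -1;
    /* frame control byte 0 = type/subtype: 0x80 beacon, 0x50 probe response */
    if (pkt[rt_len] != 0x80 && pkt[rt_len] != 0x50) return -1;
    off = rt_len + 24 + 12;            /* skip MAC header and the 12 fixed bytes */
    while (off + 2 <= caplen) {        /* walk the tagged parameters (id, len, data) */
        unsigned id = pkt[off], len = pkt[off + 1];
        end = off + 2 + len;
        if (end > caplen) return -1;   /* tag runs past the captured bytes */
        if (id == 0) {                 /* tag 0 = SSID, at most 32 bytes */
            if (len > 32 || len + 1 > outlen) return -1;
            memcpy(out, pkt + off + 2, len);
            out[len] = '\0';
            return (int)len;
        }
        off = end;
    }
    return -1;                          /* no SSID tag found */
}

/* Constructed sample (not a real capture): 8-byte radiotap header, beacon MAC
 * header, fixed fields, then SSID "example", supported rates and DS channel 6. */
static const unsigned char sample_beacon[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,                 /* radiotap */
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,     /* FC, duration, addr1 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* addr2, addr3 */
    0x10, 0x00,                                                     /* sequence control */
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x11, 0x04,                 /* timestamp, interval, capability */
    0x00, 0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e',                  /* SSID tag */
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,     /* supported rates */
    0x03, 0x01, 0x06                                                /* DS parameter: channel 6 */
};

int main(void)
{
    char ssid[33];
    int n = extract_ssid(sample_beacon, sizeof sample_beacon, ssid, sizeof ssid);
    if (n >= 0) printf("SSID (%d bytes): %s\n", n, ssid);
    return n < 0;
}
```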
