Confused by libcap (pcap) and wireless


Problem description

Background: I'm teaching myself about packet sniffing. I run a very simple server in one shell, telnet to it from another, then try different methods to sniff on traffic. When I use raw sockets (IPPROTO_TCP), I capture what I send fine. I capture merely what I send, nothing else from the internet. libpcap's behavior confuses me as follows:

(1) First, to check it out, I capture all devices with pcap_findalldevs (see (2) below as well). I find wlan0 fine. If I connect to 'all traffic' (per the man page) using

if ( !( pcap_handle = pcap_open_live(NULL, 4096, 1, 0, errbuf) ) )

I capture what I send (plus more, see (3)). When I try to connect to it using

if ( !( pcap_handle = pcap_open_live("wlan0", 4096, 1, 0, errbuf) ) )

which to me seems the proper way of doing this rather than 'all', I capture lots of general traffic, but nothing I send. Ideas?

(2) I first find all devices using pcap_findalldevs. As the pcap_if_t structure possibly has several elements, I print all those out, to see the following:

Devices found:

1. eth0 - None:
    family: 17, address: 2.0.0.0
2. wlan0 - None:
    family: 17, address: 3.0.0.0
    family: AF_INET, address: 192.168.0.159
    family: 10, address: 0.0.0.0
3. usbmon1 - USB bus number 1:
4. usbmon2 - USB bus number 2:
5. usbmon3 - USB bus number 3:
6. usbmon4 - USB bus number 4:
7. usbmon5 - USB bus number 5:
8. any - Pseudo-device that captures on all interfaces:
9. lo - None:
    family: 17, address: 1.0.0.0
    family: AF_INET, address: 127.0.0.1
    family: 10, address: 0.0.0.0

I am all new to this. Some devices offer capturing of AF_INET (=IPv4), IPv6 (10), and packet (17). When I connect to "wlan0", how is it ensured that I connect to the proper one of the 'addresses' of some device? Is that related to the problem?

(3) When using raw sockets, I really only capture what I sent to my server. When I use libpcap, I also capture what, from the bytes printed out, must be internet headers. I am all new to this. If someone could elaborate what exactly I capture here which I don't capture on raw sockets, this would be appreciated. Are those UDP or ICMP packets which, by definition, my IPPROTO_TCP socket would not capture, which would be why I didn't see those using raw sockets?

Many thanks.

Edit: I work under Ubuntu 10.04 on a Toshiba netbook, using gcc/gdb combo.

Solution

  1. It's somewhat surprising that, when capturing on wlan0, you're not seeing packets you send, if they're actually being sent over your Wi-Fi device. Are you sending them to other machines on your Wi-Fi network? If, for example, you're sending them to other processes on your machine, they'll show up on lo, not on wlan0 (and if you send them to other machines on your Wi-Fi network, rather than to other processes on your machine, they will not show up on lo - no, all traffic doesn't eventually go through the loopback interface).
  2. The list of addresses you get from pcap_findalldevs() is NOT a list of addresses for which you can capture on that interface, it's just a list of network addresses the system has for that interface. You don't get to choose the addresses for which to capture - it captures for all of them. You capture on an interface, not an address.
  3. Libpcap is different from a raw socket; it gives you lower-layer headers than the ones for the data being sent or received, as well as that data. For an Ethernet device, you'll see Ethernet headers; for a Wi-Fi device, what you see depends on the OS you're on and the headers you select (on Linux, which is what you're using, you'll probably see Ethernet headers unless you capture in "monitor mode", in which case you'll either see Wi-Fi headers or some "radio" header such as radiotap headers followed by Wi-Fi headers); for the "any" device, you'll see "Linux cooked headers"; and so on. You'll need to call pcap_datalink() after calling pcap_open_live() to find out the header type for the interface; see the list of link-layer types (pcap_datalink() will return the DLT_ value, as listed there; don't assume the number given there is the same as the DLT_ value, compare with the DLT_ value by name).
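An added example (not code from the question or the answer above) of acting on point 3: the DLT_ value that pcap_datalink() returns after pcap_open_live() decides how many link-layer bytes sit in front of the IP header, and the IP protocol field then shows whether an extra frame is the UDP/ICMP traffic a raw IPPROTO_TCP socket never sees. The function names, the __has_include fallback for machines without libpcap headers, and the two sample frames are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>

/* Use libpcap's own DLT_ names when its headers are present; otherwise fall
 * back to the same values from pcap/dlt.h so the file compiles stand-alone. */
#ifdef __has_include
# if __has_include(<pcap/pcap.h>)
#  include <pcap/pcap.h>
#  define HAVE_PCAP_H 1
# endif
#endif
#ifndef HAVE_PCAP_H
# define DLT_EN10MB 1      /* Ethernet header: eth0, and wlan0 in managed mode */
# define DLT_LINUX_SLL 113 /* "Linux cooked" header: the "any" pseudo-device */
#endif

/* Offset of the IPv4 header for a packet captured with the given DLT_ value
 * (what pcap_datalink() returns after pcap_open_live()). Returns -1 for a DLT
 * this example does not parse (802.11/radiotap need a frame-type-aware
 * parser), a truncated capture, or a link-layer protocol field that is not
 * IPv4 (0x0800). */
int ipv4_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    size_t hdr, proto_at;
    switch (dlt) {
    case DLT_EN10MB:    hdr = 14; proto_at = 12; break; /* EtherType */
    case DLT_LINUX_SLL: hdr = 16; proto_at = 14; break; /* SLL protocol */
    default:            return -1;
    }
    if (caplen < hdr + 20) return -1;
    if (pkt[proto_at] != 0x08 || pkt[proto_at + 1] != 0x00) return -1;
    return (int)hdr;
}

/* IP protocol number (6 = TCP, 17 = UDP, 1 = ICMP) of a captured IPv4
 * packet, or -1 if it is not one this example can locate. */
int ipv4_protocol(int dlt, const uint8_t *pkt, size_t caplen)
{
    int off = ipv4_offset(dlt, pkt, caplen);
    if (off < 0 || (pkt[off] >> 4) != 4) return -1; /* IP version nibble */
    return pkt[off + 9];
}

/* Constructed sample captures, not real traffic: an Ethernet frame as seen on
 * wlan0 carrying IPv4/TCP, and a cooked frame as seen on "any" carrying IPv4/UDP. */
static const uint8_t eth_tcp[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28,0x00,0x01,0x00,0x00,0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x9f, 0xc0,0xa8,0x00,0x01 };
static const uint8_t sll_udp[36] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x66,0x77,0x88,0x99,0xaa,0xbb,0x00,0x00,
    0x08,0x00,
    0x45,0x00,0x00,0x28,0x00,0x02,0x00,0x00,0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x9f };
```

In the real program, read `dlt = pcap_datalink(pcap_handle)` once after the pcap_open_live() call from the question and pass it, with each packet from pcap_next() or pcap_loop() and its caplen, to these functions; note that the same bytes decoded with the wrong DLT (for instance the cooked frame as Ethernet) are rejected instead of being misread.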
