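/*
 * Bounded substring search over raw packet bytes.
 *
 * Returns a pointer to the first occurrence of needle (needle_len bytes)
 * inside hay (hay_len bytes), or NULL when it does not occur. Unlike
 * strstr(), this never reads past hay + hay_len, so it is safe on packet
 * payloads, which are not NUL-terminated.
 */
static const unsigned char *dl_find_bytes(const unsigned char *hay, size_t hay_len,
                                          const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) {
        return NULL;
    }
    for (size_t off = 0; off + needle_len <= hay_len; off++) {
        if (memcmp(hay + off, needle, needle_len) == 0) {
            return hay + off;
        }
    }
    return NULL;
}

/*
 * Locate an HTTP header value inside buf (buf_len bytes).
 *
 * name is the literal prefix to look for, including the trailing ": "
 * (e.g. "Host: "). On success returns a pointer to the first byte of the
 * value and stores its length (up to, not including, the terminating CR)
 * in *value_len. Returns NULL when the prefix is absent or no CR follows it
 * inside the buffer.
 *
 * NOTE: as in the original code, the match is case-sensitive and is a plain
 * substring match, so it can also hit inside another header's name or value
 * or inside a request body.
 */
static const unsigned char *dl_header_value(const unsigned char *buf, size_t buf_len,
                                            const char *name, size_t *value_len)
{
    size_t name_len = strlen(name);
    const unsigned char *hit = dl_find_bytes(buf, buf_len, name, name_len);
    if (hit == NULL) {
        return NULL;
    }

    const unsigned char *value = hit + name_len;
    size_t remaining = buf_len - (size_t)(value - buf);
    const unsigned char *cr = memchr(value, 0x0D, remaining);
    if (cr == NULL) {
        return NULL;
    }

    *value_len = (size_t)(cr - value);
    return value;
}

/*
 * pcap callback for Ethernet captures: parses Ethernet -> IPv4 -> TCP and,
 * for payloads starting with "GET ", extracts the request target and the
 * Host / Referer / User-Agent header values (printed when DEBUG is defined).
 *
 * user  opaque pointer supplied by the pcap dispatch call (unused here)
 * h     pcap header carrying the captured (caplen) and on-wire (len) sizes
 * p     captured bytes, starting at the Ethernet header
 *
 * Every byte behind p comes from the network and must be treated as
 * untrusted. Compared with the earlier version this function:
 *   - rejects IP header lengths below the minimum (ip_hl < 5);
 *   - rejects TCP data offsets that are below the minimum or larger than
 *     the remaining segment, which previously made the unsigned payload
 *     length wrap around;
 *   - uses length-bounded searches instead of strchr()/strstr(), which ran
 *     past the end of the capture buffer because packet data has no NUL;
 *   - no longer writes NUL terminators into the (const) capture buffer;
 *     fields are kept as pointer + length and printed with "%.*s";
 *   - checks that the byte after "GET" is a space before skipping it.
 *
 * Packets that fail any check are silently dropped, as before.
 */
void dl_ethernet(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    flow_t this_flow; /* holds link-layer through TCP-layer information */
    const u_char *data = NULL;

    (void)user;

    /* ---- link layer ---- */
    u_int caplen = h->caplen;
    u_int length = h->len;
    const struct ether_header *eth_header = (const struct ether_header *)p;

    if (length != caplen) {
        return; /* truncated capture: skip rather than parse a partial packet */
    }
    if (caplen < sizeof(struct ether_header)) {
        return;
    }
    if (ntohs(eth_header->ether_type) != ETHERTYPE_IP) {
        return;
    }

    /* record source and destination MAC addresses */
    for (int i = 0; i < ETH_ALEN; i++) {
        this_flow.ether_smac[i] = eth_header->ether_shost[i];
        this_flow.ether_dmac[i] = eth_header->ether_dhost[i];
    }

    /* end of link layer: advance to the IP header */
    data = p + sizeof(struct ether_header);
    caplen = caplen - sizeof(struct ether_header);

    /* ---- IP layer ---- */
    const struct ip *ip_header = (const struct ip *)data;

    if (caplen < sizeof(struct ip)) {
        return;
    }
    if (ip_header->ip_p != IPPROTO_TCP) {
        return;
    }
    if (ntohs(ip_header->ip_off) & 0x1fff) {
        return; /* discard fragments with a non-zero offset */
    }

    u_int ip_total_len = ntohs(ip_header->ip_len);
    if (caplen < ip_total_len) {
        return;
    }

    u_int ip_header_len = ip_header->ip_hl * 4;
    /* ip_hl is attacker-controlled: it must cover at least the fixed header
     * and must not exceed the datagram it belongs to. */
    if (ip_header_len < sizeof(struct ip) || ip_header_len > ip_total_len) {
        return;
    }

    /* record addresses in host byte order */
    this_flow.src = (u_int32_t)ntohl(ip_header->ip_src.s_addr);
    this_flow.dst = (u_int32_t)ntohl(ip_header->ip_dst.s_addr);

    /* end of IP layer: advance to the TCP header */
    data = data + ip_header_len;
    length = ip_total_len - ip_header_len;

    /* ---- TCP layer ---- */
    const struct tcphdr *tcp_header = (const struct tcphdr *)data;

    if (length < sizeof(struct tcphdr)) {
        return;
    }

    /* The th_* member names may fail to compile on some systems; see
     * /usr/include/netinet/tcp.h and define the macro it requires, or adapt
     * the member names in this file. */
    u_int tcp_header_len = tcp_header->th_off * 4;
    /* Without this check, "length -= tcp_header_len" below would wrap around
     * for a data offset larger than the segment. */
    if (tcp_header_len < sizeof(struct tcphdr) || tcp_header_len > length) {
        return;
    }

    this_flow.sport = ntohs(tcp_header->th_sport);
    this_flow.dport = ntohs(tcp_header->th_dport);
    this_flow.seq = ntohl(tcp_header->th_seq);
    this_flow.ack = ntohl(tcp_header->th_ack);
    this_flow.isfin = tcp_header->th_flags & TH_FIN;

    /* end of TCP layer: advance to the payload */
    data += tcp_header_len;
    length -= tcp_header_len;

    /* ---- application layer ---- */
    if (length < 12) {
        return;
    }
    if (memcmp(data, "GET ", 4) != 0) {
        return;
    }

    const u_char *payload_end = data + length;

    /* request target: from after "GET " up to the next space */
    const u_char *get = data + 4;
    const u_char *get_end = memchr(get, 0x20, (size_t)(payload_end - get));
    if (get_end == NULL) {
        return;
    }
    size_t get_len = (size_t)(get_end - get);

    /* headers are searched in everything after the request target */
    const u_char *rest = get_end + 1;
    size_t rest_len = (size_t)(payload_end - rest);

    size_t referer_len = 0;
    size_t host_len = 0;
    size_t user_agent_len = 0;

    /* Referer is optional */
    const u_char *referer = dl_header_value(rest, rest_len, "Referer: ", &referer_len);

    /* Host is mandatory: drop the packet when it is missing or unterminated */
    const u_char *host = dl_header_value(rest, rest_len, "Host: ", &host_len);
    if (host == NULL) {
        return;
    }

    /* User-Agent is optional */
    const u_char *user_agent = dl_header_value(rest, rest_len, "User-Agent: ", &user_agent_len);

#ifdef DEBUG
    /* The printed bytes are untrusted network data; precision-bounded "%.*s"
     * keeps printf inside each field. Field lengths are below 65536 because
     * they are bounded by the 16-bit IP total length. */
    printf("\n/ * * * * * * * * * * * * /\n");
    printf("URL [http://%.*s%.*s]\n",
           (int)host_len, (const char *)host,
           (int)get_len, (const char *)get);
    if (referer != NULL) {
        printf("refer [%.*s]\n", (int)referer_len, (const char *)referer);
    }
    if (user_agent != NULL) {
        printf("UserAgent[%.*s]\n", (int)user_agent_len, (const char *)user_agent);
    }
#else
    (void)get_len;
    (void)referer;
    (void)user_agent;
#endif
    /* END ALL */
}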
void dl_ppp(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    /*
     * PPP link-layer handler, same callback signature as dl_ethernet.
     * The body is omitted here; see "TCP/IP Illustrated, Volume 1: The
     * Protocols" for the PPP framing details.
     */
    (void)user;
    (void)h;
    (void)p;
}