Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1371844
  • 博文数量: 244
  • 博客积分: 10311
  • 博客等级: 上将
  • 技术积分: 3341
  • 用 户 组: 普通用户
  • 注册时间: 2008-10-14 21:50
文章分类

全部博文(244)

文章存档

2013年(6)

2012年(5)

2011年(16)

2010年(11)

2009年(172)

2008年(34)

分类: LINUX

2009-04-21 19:33:50

 

    前面的几篇文章我已经对Netfilter的大概的机制作了比较详细的介绍,这篇文章我就说一下如何分析网络数据包。我刚刚写了一个程序,程序的功能很简单,就是提取出网络数据包的源地址和改包所使用的网络协议,大家可以看看源代码:

 

#define __KERNEL__
#define MODULE

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include


static struct nf_hook_ops nfho;


unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{
    struct sk_buff *sb = *skb;
    unsigned char src_ip[4];
    *(unsigned int *)src_ip = sb->nh.iph->saddr;
    printk("A packet from:%d.%d.%d.%d Detected!",
                 src_ip[0],src_ip[1],src_ip[2],src_ip[3]);
    switch(sb->nh.iph->protocol)
    {
       case IPPROTO_TCP:
           printk("It's a TCP PACKET\n");break;
       case IPPROTO_ICMP:
          printk("It's a ICMP PACKET\n");break;
      case IPPROTO_UDP:
         printk("It's a UDP PACKET\n");break;
    }
    return NF_ACCEPT;         
}


int init_module()
{
 
    nfho.hook = hook_func;        
    nfho.hooknum  = NF_IP_PRE_ROUTING;
    nfho.pf       = PF_INET;
    nfho.priority = NF_IP_PRI_FIRST; 

    nf_register_hook(&nfho);

    return 0;
}

void cleanup_module()
{
    nf_unregister_hook(&nfho);
}

这实际上是对前面几篇文章的几个小程序的组合,实际上就是对sk_buff 结构体的的两个元素进行了检测,就得到了源地址和协议的信息。上面的这条语句对于那些C不是很熟悉的人可能吃力了一点:

*(unsigned int *)src_ip = sb->nh.iph->saddr;

我稍微的解释一下,网络的源地址是4个子节的int,因此我定义了一个4个子节的数组src_ip,从而每一个子节里面就存储的点分十进制的一个数,为了一次完成赋值,我把src_ip 转成unsigned int指针,就可以一次4个字节一起访问了。

下面是这个程序的测试结果:

A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.8 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.246 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.8 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.246 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.246 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.254 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a ICMP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a ICMP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a ICMP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET

如果需要对包的端口进行分析的话,就要对IP报文的数据段(sb->data)进行分析了(TCP和UDP等包都是作为IP的数据而存在的),大家可以参考一下相应的资料。

阅读(1949) | 评论(1) | 转发(0) |
给主人留下些什么吧!~~

rain_fish2010-03-16 17:55:47

兄台在湖南?