Introduction to libpcap
Speaker: Yan-Hsiang Wang
Date: 2006.10.16
Outline
- API (Application Program Interface)
- Software based on libpcap
- Sample program
pcap_lookupdev()
- char *pcap_lookupdev(char *errbuf)
- returns a pointer to the name of a network device suitable for use with pcap_open_live() and pcap_lookupnet()
- a NULL return indicates an error (errbuf holds the message)
- reference: lookupdev.c
pcap_lookupnet()
- int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
- determines the network number and mask associated with the network device
- a return of -1 indicates an error
- reference: lookupnet.c
pcap_open_live()
- pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
- obtains a packet capture descriptor for looking at packets on the network
- snaplen: maximum number of bytes to capture per packet
- promisc: true puts the interface into promiscuous mode; false delivers only packets addressed to this host
- to_ms: read timeout in milliseconds; zero makes a read wait indefinitely until enough packets have arrived
- a NULL return indicates an error
pcap_next()
- const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
- reads the next packet, filling h with its timestamp and lengths
- a NULL return indicates an error
- reference: pcap_next.c, timestamp.c
pcap_compile()
- int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
- compiles str into a filter program
- str: filter string
- optimize: 1 optimizes the resulting code; 0 does not
- netmask: specifies the network on which packets are being captured
- a return of -1 indicates an error
pcap_setfilter()
- int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
- installs a filter program on the capture descriptor
- a return of -1 indicates an error
- reference: pcap_filter.c
Software based on libpcap
- ntop - network top
  - a network traffic probe that shows network usage
  - sorts network traffic by protocol, across many protocols
  - http://www.ntop.org/overview.html
  - http://linux.tnc.edu.tw/techdoc/ntop.htm
- snort
  - intrusion prevention and detection system
  - sniffs every packet and separates normal traffic from intrusions by matching against rules
  - http://www.snort.org/
  - http://www.linuxhall.org/modules.php?name=News&file=article&sid=172
- ethereal
  - network protocol analyzer
  - http://www.ethereal.com/
- wireshark
  - http://www.wireshark.org/
Sample program
- Capture 10 packets at tcp port 80
- Show the packet payload
- Save these payloads
- captor.exe
- http://ms11.voip.edu.tw/~sepp/test_port_80.htm
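The slide's captor.exe is not reproduced here. As an added example (not the slide author's code, and not part of libpcap), this shows the per-packet work the sample program describes, locating the TCP payload, printing it and saving it, written in plain C so it builds without libpcap; a capture loop would call handle_packet() once for every packet pcap_next() returns. The struct cap_hdr, the helper names and the test frame are constructed for this example; the frame is not captured traffic.

```c
/* Added example, not the slide's captor.exe: find, show and save the TCP
 * payload of a captured frame. Builds with a plain C compiler, no libpcap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two length fields of struct pcap_pkthdr, declared locally: caplen is
 * how many bytes are in the buffer, len is the size on the wire. */
struct cap_hdr { uint32_t caplen; uint32_t len; };

/* Locate the TCP payload of an Ethernet/IPv4/TCP frame. Every offset is
 * checked against caplen, never len, because a snaplen smaller than the
 * frame truncates the buffer while len still reports the full size.
 * Returns the payload length, or -1 for non-IPv4/TCP or truncated headers. */
static int tcp_payload(const uint8_t *pkt, uint32_t caplen,
                       uint16_t *sport, uint16_t *dport,
                       const uint8_t **payload)
{
    const uint8_t *ip, *tcp;
    uint32_t ihl, thl, iplen, start, end;

    if (caplen < 14 + 20 || pkt[12] != 0x08 || pkt[13] != 0x00)
        return -1;                              /* too short / not IPv4 */
    ip = pkt + 14;
    ihl = (uint32_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return -1;                              /* bad version / not TCP */
    if (caplen < 14 + ihl + 20)
        return -1;                              /* TCP header not captured */
    tcp = ip + ihl;
    thl = (uint32_t)(tcp[12] >> 4) * 4;
    iplen = ((uint32_t)ip[2] << 8) | ip[3];
    start = 14 + ihl + thl;
    end = 14 + iplen;                           /* excludes Ethernet padding */
    if (end > caplen)
        end = caplen;                           /* truncated by snaplen */
    if (thl < 20 || start > end)
        return -1;                              /* malformed lengths */
    *sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    *dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    *payload = pkt + start;
    return (int)(end - start);
}

/* Show the payload (printable bytes as-is, the rest as '.') and append the
 * raw bytes to `out` if given. Returns bytes handled, or -1 if the packet is
 * not TCP port 80; that check mirrors the "tcp port 80" filter expression. */
static int handle_packet(const struct cap_hdr *h, const uint8_t *pkt, FILE *out)
{
    const uint8_t *data;
    uint16_t sport, dport;
    int n = tcp_payload(pkt, h->caplen, &sport, &dport, &data);

    if (n < 0 || (sport != 80 && dport != 80))
        return -1;
    printf("%u -> %u, %d payload bytes (caplen %u, len %u)\n",
           sport, dport, n, h->caplen, h->len);
    for (int i = 0; i < n; i++)
        putchar(data[i] >= 0x20 && data[i] < 0x7f ? data[i] : '.');
    putchar('\n');
    if (out != NULL && n > 0 && fwrite(data, 1, (size_t)n, out) != (size_t)n)
        return -1;
    return n;
}

/* Constructed test frame: 10.0.0.1:49153 -> 10.0.0.2:80 carrying 16 bytes
 * of HTTP. Not captured traffic; checksums are left as zero. */
static const uint8_t sample_frame[] = {
    0xaa,0xbb,0xcc,0xdd,0xee,0xff, 0x11,0x22,0x33,0x44,0x55,0x66, 0x08,0x00,
    0x45,0x00,0x00,0x38, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x01,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n',
};

int main(void)
{
    struct cap_hdr full = { sizeof sample_frame, sizeof sample_frame };
    struct cap_hdr cut = { 60, sizeof sample_frame };   /* as if snaplen 60 */
    FILE *out = fopen("payloads.bin", "ab");

    handle_packet(&full, sample_frame, out);  /* all 16 payload bytes */
    handle_packet(&cut, sample_frame, out);   /* only the 6 that were captured */
    if (out) fclose(out);
    return 0;
}
```

The second call in main() shows why the parser bounds everything by caplen: with a snaplen of 60 the frame arrives cut to 60 bytes, the IP total length still says 56, and reading to 14 + 56 would run 10 bytes past the buffer.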
Reference
- TCPDUMP.org
  - http://www.tcpdump.org/
- libpcap tutorial
  - http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html
- Slides: 15