Winpcap进行抓包，分析数据包结构并统计IP流量

2020年华科计算机网络实验
文末有完整代码，仅限参考

一.实验目的

随着计算机网络技术的飞速发展，网络为社会经济做出越来越多的贡献，可以说计算机网络的发展已经成为现代社会进步的一个重要标志。但同时，计算机犯罪、黑客攻击、病毒入侵等恶性事件也频频发生。网络数据包捕获、监听与分析技术是网络安全维护的一个基本技术同时也是网络入侵的核心手段。通过基于网络数据包的截获和协议分析，对网络上传输的数据包进行捕获，可以获取网络上传输的非法信息，对维护网络安全起到重大作用。
本次实验的主要目的有：

理解协议在通信中的作用；
掌握抓包软件的开发；
掌握协议解析的编程方法。
利用所学的知识，制作一款流量统计软件

二.实验要求

软件功能：

利用winpcap捕获数据包，并可根据要求进行数据包过滤。
根据IP协议，解析每个数据包的PCI，展示其在不同网络层次所使用的协议结构和具体信息。
根据IP地址，统计源自该IP地址的流量，即捕获到的数据包的数量。

三.实验设计

1. 协议栈分析

由于TCP/IP协议采用分层的结构，这样在传输数据时，在网络数据的发送端是一个封装的过程，而在数据接收端则是分解的过程。
数据封装过程如图3.1所示

而对接收到的包进行解析，就是上述封装的逆过程。

1. 以太网协议

在以太网的发展过程中，有很多种帧格式，其中以太网Ⅱ格式应用最为广泛，现在几乎是以太网的标准，它是由RFC894所定义。其帧格式如图3.2所示。

ARP协议

ARP/RARP协议是进行IP地址和MAC地址相互转换的协议，网络通信中，链路层使用MAC地址进行实际的数据通信，而在网络层使用IP地址进行机器定位寻址。APR协议把IP地址映射为MAC地址，RARP相反。格式如图3.3所示。

IP协议

IP协议是Internet的核心协议，它工作在网络层，提供了不可靠无连接的数据传送服务。协议格式如图3.4所示。

ICMP协议

Internet控制信息协议(Internet Control Message Protocol),它提供了很多Internet的信息描述服务，能够检测网络的运行状况，通知协议有用的网络状态信息。ICMP是基于IP协议的，ICMP协议格式如图3.5 所示。

TCP协议

TCP协议是基于连接的可靠的协议，它负责发收端的协定，然后保持正确可靠的数据传输服务。它是在IP协议上运行的，而IP无连接的协议，所以TCP丰富了IP协议的功能，使它具有可靠的传输服务。TCP协议格式如图3.6所示。

UDP协议

用户数据报协议UDP是在IP协议上的传输层协议，它提供了无连接的协议服务，它在IP协议基础上提供了端口的功能，这样既可让应用程序进行通信了。UDP协议格式如图3.7所示。

2. 协议处理

Winpcap系统处理流程图3.8：

协议分析流程图3.9：

Ethernet_package_handler()：用来解析以太网帧
IP_v4_package_handler()：用来解析IPv4数据报
IP_v6_package_handler()：用来解析IPv6数据报
Arp_package_handler()：用来解析ARP协议
ICMP_package_handler()：用来解析ICMP协议
Tcp_package_handler()：用来解析TCP报文段
Udp_package_handler()：用来解析UDP报文段

3. 流量统计

流量统计过程如3.10所示

在对网络层协议进行解析时，以IP地址为键，流量为值存入map中，如果该IP值已经存在，则流量加一，最后的值即表示该IP的流量

四.软件实现

本软件采用C++实现，在VS 2017上编写

1.实现效果：

选择设备

选择捕获数据包的数量

ARP协议解析

IP协议解析

UDP协议解析

ICMP协议解析

最终效果

2.头文件设计

#ifndef _PAC_ANA_H
#define _PAC_ANA_H#ifdef _MSC_VER
/** we do not want the warnings about the old deprecated and unsecure CRT functions* since these examples can be compiled under *nix as well*/#define _CRT_SECURE_NO_WARNINGS
#endif/*set the environment head files*/
#define WIN32
#pragma comment (lib, "ws2_32.lib")  //load ws2_32.dll/*set the C++ head files*/
#include <iostream>
#include <stdio.h>
#include <map>
#include <string>
#include <iomanip>
#include <sstream>/*set the wpcap head files*/
#include "pcap.h"
#include <WinSock2.h>#define DIVISION "--------------------"
#define B_DIVISION "==================="/* 4 bytes IP address */
typedef struct ip_v4_address ip_v4_address;/* 16 bytes IP address */
typedef struct ip_v6_address ip_v6_address;/*8 bytes MAC addresss*/
typedef struct mac_address mac_address;/*ethernet header*/
typedef struct ethernet_header ethernet_header;/* IPv4 header */
typedef struct ip_v4_header ip_v4_header;/*IPv6 header*/
typedef struct ip_v6_header ip_v6_header;/*arp header*/
typedef struct arp_header arp_header;/*TCP header*/
typedef struct tcp_header tcp_header;/* UDP header*/
typedef struct udp_header udp_header;/*ICMP header*/
typedef struct icmp_header icmp_header;/* prototype of the packet handler */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the ethernet packet*/
void ethernet_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the IPv4 packet*/
void ip_v4_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the IPv6 packet*/
void ip_v6_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the arp packet*/
void arp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the udp packet*/
void udp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the tcp packet*/
void tcp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*analysis the icmp packet*/
void icmp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data);/*count the package with c++ std::map*/
void add_to_map(std::map<std::string, int> &counter, ip_v4_address ip);
void add_to_map(std::map<std::string, int> &counter, ip_v6_address ip);/*print the map info*/
void print_map(std::map<std::string, int> counter);#endif // !_PAC_ANA_H

3.具体实现

#include "pac_ana.h"using namespace std;/*ip counter*/
std::map<std::string, int> counter;/*header structure*/
struct ip_v4_address
{u_char byte1;u_char byte2;u_char byte3;u_char byte4;
};struct ip_v6_address
{u_short part1;u_short part2;u_short part3;u_short part4;u_short part5;u_short part6;u_short part7;u_short part8;
};struct mac_address
{u_char byte1;u_char byte2;u_char byte3;u_char byte4;u_char byte5;u_char byte6;
};struct ethernet_header
{mac_address des_mac_addr;mac_address src_mac_addr;u_short type;
};struct ip_v4_header
{u_char ver_ihl;        // Version (4 bits) + Internet header length (4 bits)u_char    tos;            // Type of service u_short tlen;            // Total length u_short identification; // Identificationu_short flags_fo;      // Flags (3 bits) + Fragment offset (13 bits)u_char    ttl;            // Time to liveu_char   proto;          // Protocolu_short checksum;            // Header checksumip_v4_address src_ip_addr;        // Source addressip_v4_address  des_ip_addr;        // Destination addressu_int op_pad;         // Option + Padding
};struct ip_v6_header
{u_int32_t ver_trafficclass_flowlabel;u_short payload_len;u_char next_head;u_char ttl;ip_v6_address src_ip_addr;ip_v6_address dst_ip_addr;
};struct arp_header
{u_short hardware_type;u_short protocol_type;u_char hardware_length;u_char protocol_length;u_short operation_code;mac_address source_mac_addr;ip_v4_address source_ip_addr;mac_address des_mac_addr;ip_v4_address des_ip_addr;
};struct tcp_header
{u_short sport;u_short dport;u_int sequence;u_int acknowledgement;u_char offset;u_char flags;u_short windows;u_short checksum;u_short urgent_pointer;
};struct udp_header
{u_short sport;         // Source portu_short dport;            // Destination portu_short len;         // Datagram lengthu_short checksum;         // Checksum
};struct icmp_header
{u_char type;u_char code;u_short checksum;u_short id;u_short sequence;
};int main()
{pcap_if_t *alldevs;pcap_if_t *d;int inum;int i = 0;int pktnum;pcap_t *adhandle;char errbuf[PCAP_ERRBUF_SIZE];u_int netmask = 0xffffff;;struct bpf_program fcode;if (pcap_findalldevs(&alldevs, errbuf) == -1){fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);exit(1);}for (d = alldevs; d; d = d->next){cout << ++i << "." << d->name;if (d->description)cout << d->description << endl;elsecout << " (No description available)" << endl;}if (i == 0){cout << "\nNo interfaces found! Make sure WinPcap is installed." << endl;return -1;}cout << "Enter the interface number (1-" << i << "): ";cin >> inum;if (inum < 1 || inum > i){cout << "\nInterface number out of range." << endl;pcap_freealldevs(alldevs);return -1;}for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++);if ((adhandle = pcap_open_live(d->name,    // name of the device65536,         // portion of the packet to capture. // 65536 grants that the whole packet will be captured on all the MACs.1,              // promiscuous mode (nonzero means promiscuous)1000,            // read timeouterrbuf           // error buffer)) == NULL){fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);pcap_freealldevs(alldevs);return -1;}cout << "listening on " << d->description << "...." << endl;pcap_freealldevs(alldevs);if (pcap_compile(adhandle, &fcode, "ip or arp", 1, netmask) < 0){fprintf(stderr, "\nUnable to compile the packet filter. Check the syntax.\n");pcap_close(adhandle);return -1;}if (pcap_setfilter(adhandle, &fcode) < 0){fprintf(stderr, "\nError setting the filter.\n");pcap_close(adhandle);return -1;}cout << "please input the num of packets you want to catch(0 for keeping catching): ";cin >> pktnum;cout << endl;pcap_loop(adhandle, pktnum, packet_handler, NULL);pcap_close(adhandle);getchar();return 0;
}/* Callback function invoked by libpcap for every incoming packet */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{struct tm *ltime;char timestr[16];time_t local_tv_sec;/* convert the timestamp to readable format */local_tv_sec = header->ts.tv_sec;ltime = localtime(&local_tv_sec);strftime(timestr, sizeof timestr, "%H:%M:%S", ltime);cout << B_DIVISION << "time:" << timestr << ","<< header->ts.tv_usec << "  len:" << header->len << B_DIVISION<<endl;ethernet_package_handler(param, header, pkt_data);
}void ethernet_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{ethernet_header* eh = (ethernet_header*)pkt_data;cout << DIVISION << "以太网协议分析结构" << DIVISION << endl;u_short type = ntohs(eh->type);cout << "类型：0x" <<  hex << type;cout << setbase(10);switch (type){case 0x0800:cout << " (IPv4)" << endl;break;case 0x86DD:cout << "(IPv6)" << endl;break;case 0x0806:cout << " (ARP)" << endl;break;case 0x0835:cout << " (RARP)" << endl;default:break;}cout << "目的地址：" << int(eh->des_mac_addr.byte1) << ":"<< int(eh->des_mac_addr.byte2) << ":"<< int(eh->des_mac_addr.byte3) << ":"<< int(eh->des_mac_addr.byte4) << ":"<< int(eh->des_mac_addr.byte5) << ":"<< int(eh->des_mac_addr.byte6) << endl;cout << "源地址：" << int(eh->src_mac_addr.byte1) << ":"<< int(eh->src_mac_addr.byte2) << ":"<< int(eh->src_mac_addr.byte3) << ":"<< int(eh->src_mac_addr.byte4) << ":"<< int(eh->src_mac_addr.byte5) << ":"<< int(eh->src_mac_addr.byte6) << endl;switch (type){case 0x0800:ip_v4_package_handler(param, header, pkt_data);break;case 0x0806:arp_package_handler(param, header, pkt_data);break;case 0x86DD:ip_v6_package_handler(param, header, pkt_data);break;default:break;}cout << endl << endl;
}void arp_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{arp_header* ah;ah = (arp_header*)(pkt_data + 14);cout << DIVISION << "ARP协议分析结构" << DIVISION << endl;u_short operation_code = ntohs(ah->operation_code);cout << "硬件类型：" << ntohs(ah->hardware_type) << endl;cout << "协议类型：0x" << hex << ntohs(ah->protocol_type) << endl;cout << setbase(10);cout << "硬件地址长度：" << int(ah->hardware_length) << endl;cout << "协议地址长度：" << int(ah->protocol_length) << endl;switch (operation_code){case 1:cout << "ARP请求协议" << endl;break;case 2:cout << "ARP应答协议" << endl;break;case 3:cout << "ARP请求协议" << endl;break;case 4:cout << "RARP应答协议" << endl;break;default:break;}cout << "源IP地址："<< int(ah->source_ip_addr.byte1) << "."<< int(ah->source_ip_addr.byte2) << "."<< int(ah->source_ip_addr.byte3) << "."<< int(ah->source_ip_addr.byte4) << endl;cout << "目的IP地址："<< int(ah->des_ip_addr.byte1) << "."<< int(ah->des_ip_addr.byte2) << "."<< int(ah->des_ip_addr.byte3) << "."<< int(ah->des_ip_addr.byte4) << endl;add_to_map(counter, ah->source_ip_addr);print_map(counter);
}void ip_v4_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{ip_v4_header *ih;ih = (ip_v4_header *)(pkt_data + 14); //14 measn the length of ethernet headercout << DIVISION << "IPv4协议分析结构" << DIVISION << endl;cout << "版本号：" << ((ih->ver_ihl & 0xf0) >> 4) << endl;cout << "首部长度：" << (ih->ver_ihl & 0xf) << "("<< ((ih->ver_ihl & 0xf)<<2) << "B)" << endl;cout << "区别服务：" << int(ih->tos) << endl;cout << "总长度：" << ntohs(ih->tlen) << endl;cout << "标识：" << ntohs(ih->identification) << endl;cout << "标志：" << ((ih->flags_fo & 0xE000) >> 12) << endl;cout << "片偏移：" <<  (ih->flags_fo & 0x1FFF) << "("<< ((ih->flags_fo & 0x1FFF) << 3) << "B)" <<endl;cout << "生命周期：" << int(ih->ttl) << endl;cout << "协议：";switch (ih->proto){case 6:cout << "TCP" << endl;break;case 17:cout << "UDP" << endl;break;case 1:cout << "ICMP" << endl;break;default:cout <<  endl;break;}cout << "校验和：" << ntohs(ih->checksum) << endl;cout << "源IP地址：" << int(ih->src_ip_addr.byte1) << "."<< int(ih->src_ip_addr.byte2) << "."<< int(ih->src_ip_addr.byte3) << "."<< int(ih->src_ip_addr.byte4) <<  endl;cout << "目的IP地址：" << int(ih->des_ip_addr.byte1) << "."<< int(ih->des_ip_addr.byte2) << "."<< int(ih->des_ip_addr.byte3) << "."<< int(ih->des_ip_addr.byte4) << endl;switch (ih->proto){case 6:tcp_package_handler(param, header, pkt_data);break;case 17:udp_package_handler(param, header, pkt_data);break;case 1:icmp_package_handler(param, header, pkt_data);break;default:break;}add_to_map(counter, ih->src_ip_addr);print_map(counter);
}void ip_v6_package_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{ip_v6_header *ih;ih = (ip_v6_header *)(pkt_data + 14); //14 measn the length of ethernet headerint version = (ih->ver_trafficclass_flowlabel & 0xf0000000) >> 28;int traffic_class = ntohs((ih->ver_trafficclass_flowlabel & 0x0ff00000) >> 20);int flow_label = ih->ver_trafficclass_flowlabel & 0x000fffff;cout << "版本号：" << version << endl;cout << "通信量类：" << traffic_class << endl;cout << "流标号：" << flow_label << endl;cout << "有效载荷：" << ntohs(ih->payload_len) << endl;cout << "下一个首部：" << int(ih->next_head) << endl;cout << "跳数限制：" << int(ih->ttl) << endl;cout << "源IP地址："<< int(ih->src_ip_addr.part1) << ":"<< int(ih->src_ip_addr.part2) << ":"<< int(ih->src_ip_addr.part3) << ":"<< int(ih->src_ip_addr.part4) << ":"<< int(ih->src_ip_addr.part5) << ":"<< int(ih->src_ip_addr.part6) << ":"<< int(ih->src_ip_addr.part7) << ":"<< int(ih->src_ip_addr.part8) << endl;cout << "目的IP地址："<< int(ih->dst_ip_addr.part1) << ":"<< int(ih->dst_ip_addr.part2) << ":"<< int(ih->dst_ip_addr.part3) << ":"<< int(ih->dst_ip_addr.part4) << ":"<< int(ih->dst_ip_addr.part5) << ":"<< int(ih->dst_ip_addr.part6) << ":"<< int(ih->dst_ip_addr.part7) << ":"<< int(ih->dst_ip_addr.part8) << endl;switch (ih->next_head){case 6:tcp_package_handler(param, header, pkt_data);break;case 17:udp_package_handler(param, header, pkt_data);break;case 58:icmp_package_handler(param, header, pkt_data);break;default:break;}add_to_map(counter, ih->src_ip_addr);print_map(counter);
}void udp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{udp_header *uh;uh = (udp_header *)(pkt_data + 20 + 14);cout << DIVISION << "UDP协议分析结构" << DIVISION << endl;cout << "源端口：" << ntohs(uh->sport) << endl;cout << "目的端口：" << ntohs(uh->dport) << endl;cout << "长度：" << ntohs(uh->len) << endl;cout << "检验和：" << ntohs(uh->checksum) << endl;
}void tcp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{tcp_header* th;th = (tcp_header*)(pkt_data + 14 + 20);cout << DIVISION << "TCP协议分析结构" << DIVISION << endl;cout << "源端口：" <<  ntohs(th->sport) << endl;cout << "目的端口：" << ntohs(th->dport) << endl;cout << "序号：" << ntohl(th->sequence) << endl;cout << "确认号：" << ntohl(th->acknowledgement) << endl;cout << "数据偏移：" << ((th->offset & 0xf0) >> 4) << "("<< ((th->offset & 0xf0) >> 2) << "B)"<< endl;cout << "标志：" ;if (th->flags & 0x01) {cout << "FIN ";}if (th->flags & 0x02) {cout << "SYN ";}if (th->flags & 0x04){cout << "RST ";}if (th->flags & 0x08){cout << "PSH ";}if (th->flags & 0x10){cout << "ACK ";}if (th->flags & 0x20){cout << "URG ";}cout << endl;cout << "窗口：" << ntohs(th->windows) << endl;cout << "检验和：" << ntohs(th->checksum) << endl;cout << "紧急指针：" << ntohs(th->urgent_pointer) << endl;
}void icmp_package_handler(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{icmp_header* ih;ih = (icmp_header*)(pkt_data + 14 + 20);cout << DIVISION << "ICMP协议分析结构" << DIVISION << endl;cout << "ICMP类型：" << ih->type;switch (ih->type){case 8:cout << "ICMP回显请求协议" << endl;break;case 0:cout << "ICMP回显应答协议" << endl;break;default:break;}cout << "ICMP代码：" << ih->code << endl;cout << "标识符：" << ih->id << endl;cout << "序列码：" << ih->sequence << endl;cout << "ICMP校验和：" << ntohs(ih->checksum) << endl;
}void add_to_map(map<string, int> &counter, ip_v4_address ip)
{string ip_string;int amount = 0;map<string,int>::iterator iter;ip_string = to_string(ip.byte1) + "."+ to_string(ip.byte2) + "."+ to_string(ip.byte3) + "."+ to_string(ip.byte4);iter = counter.find(ip_string);if (iter != counter.end()){amount = iter->second;}counter.insert_or_assign(ip_string, ++amount);
}void add_to_map(map<string, int> &counter, ip_v6_address ip)
{string ip_string;int amount = 0;map<string, int>::iterator iter;ip_string = to_string(ip.part1) + ":"+ to_string(ip.part2) + ":"+ to_string(ip.part3) + ":"+ to_string(ip.part4) + ":"+ to_string(ip.part5) + ":"+ to_string(ip.part6) + ":"+ to_string(ip.part7) + ":"+ to_string(ip.part8);iter = counter.find(ip_string);if (iter != counter.end()){amount = iter->second;}counter.insert_or_assign(ip_string, ++amount);
}void print_map(map<string, int> counter)
{map<string, int>::iterator iter;cout << DIVISION << "流量统计" << DIVISION << endl;cout << "IP" << setfill(' ')<<setw(45) << "流量" << endl;for (iter = counter.begin(); iter != counter.end(); iter++){cout << iter->first  << setfill('.') << setw(45-iter->first.length()) << iter->second<<endl;}
}