这一次要分析的实例程序跟上一讲非常类似(“打开适配器并捕获数据包”),略微不同的一点是本次将pcap_loop()函数替换成了pcap_next_ex()函数。本节的重点也就是说一下这两个函数之间的差异。我们知道pcap_loop()函数是基于回调的原理来进行数据捕获的,如技术文档所说,这是一种精妙的方法,并且在某些场合下,它是一种很好的选择。但是在处理回调有时候会并不实用,它会增加程序的复杂度,特别是在多线程的C++程序中。而对于pcap_next_ex()函数而言,可以通过直接调用它来获得一个数据包,也只有在调用了这个函数才能收到数据包。pcap_next_ex()函数跟pcap_loop()的回调函数参数是相同的:
int pcap_next_ex ( pcap_t * p,
struct pcap_pkthdr ** pkt_header,
const u_char ** pkt_data
)
第一个参数是网络适配器的描述符;第二个参数是一个指向pcap_pkthdr结构体的指针;第三个参数是指向数据报数据的缓冲的指针。
来看一下实例程序的代码:
1 #include <stdio.h> 2 #include <stdlib.h> 3 #include <string.h> 4 #include <winsock2.h> 5 #include "pcap.h" 6 7 8 typedef struct sockaddr_in sockad; 9 /* 从tcptraceroute数字IP地址转换为字符串 */ 10 #define IPTOSBUFFERS 12 11 char *iptos(u_long in) 12 { 13 static char output[IPTOSBUFFERS][3*4+3+1]; 14 static short which; 15 u_char *p; 16 17 p = (u_char *)∈ 18 which = (which + 1 == IPTOSBUFFERS ? 0 : which + 1); 19 sprintf(output[which], "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); 20 return output[which]; 21 } 22 23 void ifprint(pcap_if_t *d,int* i) 24 { 25 pcap_addr_t *a; 26 27 printf("%d. %s", ++(*i), d->name); 28 if (d->description) 29 printf(" (%s) ", d->description); 30 else 31 printf(" (No description available) "); 32 for(a=d->addresses;a;a=a->next) 33 { 34 switch(a->addr->sa_family) 35 { 36 case AF_INET: 37 if(a->addr) 38 printf(" IPv4地址:%s ",iptos(((sockad *)a->addr)->sin_addr.s_addr)); 39 break; 40 } 41 } 42 } 43 44 int main() 45 { 46 pcap_if_t *alldevs; 47 pcap_if_t *d; 48 int inum; 49 int i=0; 50 pcap_t *adhandle; 51 int res; 52 char errbuf[PCAP_ERRBUF_SIZE]; 53 struct tm *ltime; 54 char timestr[16]; 55 struct pcap_pkthdr *header; 56 u_char *pkt_data; 57 58 /* 获取设备列表 */ 59 if (pcap_findalldevs(&alldevs, errbuf) == -1) 60 { 61 fprintf(stderr,"Error in pcap_findalldevs: %s ", errbuf); 62 exit(1); 63 } 64 65 /* 打印列表 */ 66 for(d=alldevs; d; d=d->next) 67 { 68 ifprint(d,&i); 69 } 70 71 if(i==0) 72 { 73 printf(" No interfaces found! Make sure WinPcap is installed. "); 74 return -1; 75 } 76 77 printf("Enter the interface number (1-%d):",i); 78 scanf("%d", &inum); 79 80 if(inum < 1 || inum > i) 81 { 82 printf(" Interface number out of range. "); 83 /* Free the device list */ 84 pcap_freealldevs(alldevs); 85 return -1; 86 } 87 88 /* 跳转到选定的适配器 */ 89 for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++); 90 91 /* Open the adapter */ 92 if ( (adhandle= pcap_open_live(d->name, // name of the device 93 65536, // portion of the packet to capture. 94 // 65536 grants that the whole packet will be captured on all the MACs. 95 1, // promiscuous mode 96 1000, // read timeout 97 errbuf // error buffer 98 ) ) == NULL) 99 { 100 fprintf(stderr," Unable to open the adapter. %s is not supported by WinPcap "); 101 /* Free the device list */ 102 pcap_freealldevs(alldevs); 103 return -1; 104 } 105 106 printf(" listening on %s... ", d->description); 107 108 /* At this point, we don't need any more the device list. Free it */ 109 pcap_freealldevs(alldevs); 110 111 /* 检索包 */ 112 while((res = pcap_next_ex( adhandle, &header, &pkt_data)) >= 0){ 113 114 if(res == 0) 115 // Timeout elapsed 116 continue; 117 118 //convert the timestamp to readable format 119 ltime=localtime(&header->ts.tv_sec); 120 strftime( timestr, sizeof timestr, "%H:%M:%S", ltime); 121 122 printf("%s,%.6d len:%d ", timestr, header->ts.tv_usec, header->len); 123 } 124 125 if(res == -1){ 126 printf("Error reading the packets: %s ", pcap_geterr(adhandle)); 127 return -1; 128 } 129 130 return 0; 131 }
文档上在最后简单地比较了一下pcap_next_ex()函数和pcap_next()函数的区别,通过函数名我们知道pcap_next_ex()函数是在pcap_next()基础上扩展得到的。为什么会扩展?根据文档说明可以知道,pcap_next()函数有一些缺陷。比如它效率很低,尽管隐藏了回调的方式,但它仍然依赖于函数pcap_dispatch();另外,它不能检测到EOF这个状态,那么如果数据包是从文件中读取过来的,那么它就不那么好用了。显然,pcap_next_ex()函数在此基础上做出了一些改进。最后我们来看一下pcap_next_ex()函数的返回值,引用文档中的描述:
The return value can be:
- 1 if the packet has been read without problems (数据读取无误)
- 0 if the timeout set with pcap_open_live() has elapsed. In this case pkt_header and pkt_data don't point to a valid packet
- (pcap_open_live()设置的超时时间超时,在这种情况下pkt_header和pkt_data指向一个非法的数据)
- -1 if an error occurred (出错)
- -2 if EOF was reached reading from an offline capture (读取到EOF,应该是文件)