libpcap and Analyze
Speaker: Po-Chou Chen
Date: 2007.10.11

Outline
• API (Application Program Interface)
• Analyze RTP and SIP packet
• Demo
• Reference
pcap_lookupdev()
• char *pcap_lookupdev(char *errbuf)
• returns a pointer to the name of a network device suitable for use with pcap_open_live() and pcap_lookupnet()
• a NULL return indicates an error; the message is written to errbuf

pcap_lookupnet()
• int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
• determines the network number and mask associated with the network device
• a return value of -1 indicates an error
• demo: lookupdev_net.c
pcap_open_live() (1/2)
• pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
• obtains a packet capture descriptor to look at packets on the network
• snaplen: maximum number of bytes to capture per packet

pcap_open_live() (2/2)
• promisc: true puts the interface into promiscuous mode; false delivers only packets addressed to this host
• to_ms: read timeout in milliseconds; zero makes a read wait forever until enough packets have arrived
• a NULL return indicates an error
pcap_compile() (1/2)
• int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
• compiles str into a filter program
• str: filter string
• optimize: 1 performs optimization on the resulting code; 0 disables it

pcap_compile() (2/2)
• netmask: specifies the network on which packets are being captured
• a return value of -1 indicates an error

pcap_setfilter()
• int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
• installs the compiled filter program on the capture descriptor
• a return value of -1 indicates an error
pcap_loop()
• int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
• cnt: number of packets to process; -1 loops until an error occurs
• callback: callback function invoked once per captured packet
• void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)

got_packet()
• void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);
• struct pcap_pkthdr {
      struct timeval ts;     /* time stamp of the capture */
      bpf_u_int32 caplen;    /* bytes actually captured (at most snaplen) */
      bpf_u_int32 len;       /* length of the packet on the wire */
  };
• demo: pcap_filter.c
Analyze RTP and SIP packet (2/4)
• static const char *sip_methods[] = {
      "<Invalid method>", /* Pad so that the real methods start at index 1 */
      "ACK",
      "BYE",
      "CANCEL",
      "DO",
      "INFO",
      "INVITE",
      "MESSAGE",
      "NOTIFY",
      "OPTIONS",
      "PRACK",
      "QAUTH",
      "REFER",
      "REGISTER",
      "SPRACK",
      "SUBSCRIBE",
      "UPDATE",
      "PUBLISH",
      "SIP/2.0"
  };

Analyze RTP and SIP packet (3/4)
• RTP
• Check V=2 and SSRC>0

Analyze RTP and SIP packet (4/4)
• struct sniff_rtp {
      /* first byte, declared LSB-first (little-endian gcc bit-field layout) */
      unsigned int cc:4;     /* CSRC count */
      unsigned int x:1;      /* extension */
      unsigned int p:1;      /* padding */
      unsigned int v:2;      /* version, must be 2 */
      /* second byte */
      unsigned int pt:7;     /* payload type */
      unsigned int m:1;      /* marker */
      u_short seq;           /* sequence number (network byte order) */
      u_int ts;              /* timestamp (network byte order) */
      u_int ssrc;            /* synchronization source (network byte order) */
  };
• rtp = (struct sniff_rtp*)(packet + SIZE_ETHERNET + size_ip + size_udp);
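As an added example (not code from the slides or from analyzer.c), the two checks above combined into one classifier that runs on the UDP payload the callback computes as packet + SIZE_ETHERNET + size_ip + size_udp. It keeps the slide's method table but decodes the RTP header with shifts, so it does not depend on the compiler's bit-field layout the way struct sniff_rtp does; the sample payloads are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum payload_kind { KIND_UNKNOWN = 0, KIND_SIP = 1, KIND_RTP = 2 };
/* Same method table as the slide: real methods start at index 1. */
static const char *sip_methods[] = {
    "<Invalid method>", "ACK", "BYE", "CANCEL", "DO", "INFO", "INVITE",
    "MESSAGE", "NOTIFY", "OPTIONS", "PRACK", "QAUTH", "REFER", "REGISTER",
    "SPRACK", "SUBSCRIBE", "UPDATE", "PUBLISH", "SIP/2.0"
};

/* Index in sip_methods of the first token of a SIP request or status line,
 * or 0 when the payload does not start with a known token followed by a space. */
int sip_method_index(const unsigned char *p, size_t len)
{
    size_t i, n = sizeof sip_methods / sizeof sip_methods[0];
    for (i = 1; i < n; i++) {
        size_t ml = strlen(sip_methods[i]);
        if (len > ml && memcmp(p, sip_methods[i], ml) == 0 && p[ml] == ' ')
            return (int)i;
    }
    return 0;
}

/* RTP fixed header decoded with shifts: no dependence on bit-field layout. */
struct rtp_hdr { uint8_t v, p, x, cc, m, pt; uint16_t seq; uint32_t ts, ssrc; };
/* Fills *h and applies the slide's check (V == 2 and SSRC > 0). */
int parse_rtp(const unsigned char *p, size_t len, struct rtp_hdr *h)
{
    if (len < 12) return 0;                         /* fixed header is 12 bytes */
    h->v = p[0] >> 6; h->p = (p[0] >> 5) & 1; h->x = (p[0] >> 4) & 1; h->cc = p[0] & 0x0f;
    h->m = p[1] >> 7; h->pt = p[1] & 0x7f;
    h->seq = (uint16_t)((p[2] << 8) | p[3]);
    h->ts = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | p[7];
    h->ssrc = ((uint32_t)p[8] << 24) | ((uint32_t)p[9] << 16) | ((uint32_t)p[10] << 8) | p[11];
    if (len < 12 + 4u * h->cc) return 0;            /* CSRC list must fit as well */
    return h->v == 2 && h->ssrc > 0;
}

/* Called on the UDP payload, i.e. packet + SIZE_ETHERNET + size_ip + size_udp. */
enum payload_kind classify_udp_payload(const unsigned char *p, size_t len)
{
    struct rtp_hdr h;
    if (sip_method_index(p, len)) return KIND_SIP;
    return parse_rtp(p, len, &h) ? KIND_RTP : KIND_UNKNOWN;
}
/* Constructed sample payloads (not captured traffic): V=2, PT=0, seq=1, SSRC=0xdeadbeef. */
static const unsigned char sample_rtp[] = { 0x80, 0, 0, 1, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char sample_sip[] = "INVITE sip:bob@example.com SIP/2.0\r\n";
```

A payload with V=2 but SSRC=0, or one whose CSRC count promises more bytes than were captured, is rejected rather than reported as RTP.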
Demo
• analyzer.c

Reference
• Wireshark Wiki
  http://wiki.wireshark.org/
• libpcap
  http://www.tcpdump.org/