我的 pcap 文件有问题。我使用过滤器通过 tcpdump 创建了 pcap 文件:
-v -i lo
这是我的 pcap 文件记录的 txt 格式示例:
11:15:47.746058 IP (tos 0x0, ttl 64, id 56805, offset 0, flags [DF], proto UDP (17), length 69) 127.0.0.1.56698 > 127.0.1.1.53: 445+ A? ess.makedreamprofits.ru. (41) 11:15:47.803647 IP (tos 0x0, ttl 64, id 45262, offset 0, flags [DF], proto UDP (17), length 132) 127.0.1.1.53 > 127.0.0.1.56698: 445 2/0/0 ess.makedreamprofits.ru. CNAME protimer-env.elasticbeanstalk.com., protimer-env.elasticbeanstalk.com. A 54.229.216.199 (104) 11:15:51.655797 IP (tos 0x0, ttl 64, id 57575, offset 0, flags [DF], proto UDP (17), length 80) 127.0.0.1.49602 > 127.0.1.1.53: 1585+ A? easylist-downloads.adblockplus.org. (52) 11:15:51.670853 IP (tos 0x0, ttl 64, id 46128, offset 0, flags [DF], proto UDP (17), length 112) 127.0.1.1.53 > 127.0.0.1.49602: 1585 2/0/0 easylist-downloads.adblockplus.org. A 144.76.137.80, easylist-downloads.adblockplus.org. A 78.46.93.235 (84) 11:15:51.738424 IP (tos 0x0, ttl 64, id 57591, offset 0, flags [DF], proto UDP (17), length 80) 127.0.0.1.30048 > 127.0.1.1.53: 4997+ A? easylist-downloads.adblockplus.org. (52)
我需要从这里获取:时间、数据包大小、src 和 dst ips、ttl、域和 A 记录。我无法获取域名和 A 记录:( 这是我的代码(它有效):
#include <iostream>
#include <pcap.h>
#include <string>
using namespace std;
#define SIZE_ETHERNET 14
#define ETHER_ADDR_LEN 6
/* 4 bytes IP address */
typedef struct ip_address{
u_char byte1;
u_char byte2;
u_char byte3;
u_char byte4;
} ip_address;
/* IPv4 header */
typedef struct ip_header{
u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits)
u_char tos; // Type of service
u_short tlen; // Total length
u_short identification; // Identification
u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits)
u_char ttl; // Time to live
u_char proto; // Protocol
u_short crc; // Header checksum
ip_address saddr; // Source address
ip_address daddr; // Destination address
u_int op_pad; // Option + Padding
} ip_header;
/*
//UDP header
typedef struct udp_header{
u_short sport; // Source port
u_short dport; // Destination port
u_short len; // Datagram length
u_short crc; // Checksum
} udp_header;
*/
int main()
{
string file = "log.pcap";
char errbuff[PCAP_ERRBUF_SIZE];
//file
pcap_t *pcap = pcap_open_offline(file.c_str(), errbuff);
//packet header
struct pcap_pkthdr *header;
//packet data
const u_char *data;
u_int packetCount = 0;
ip_header* ip;
//main loop
while (pcap_next_ex(pcap, &header, &data) >= 0)
{
cout << ++packetCount << ") ";
cout << "Packet size: " << header->len << " bytes\n";
if (header->len != header->caplen)
cout << "Warning! Capture size different than packet size: " << header->len << " bytes\n";
cout << "Epoch Time: " << header->ts.tv_sec << ":" << header->ts.tv_usec << " seconds\n";
//ip
ip = (ip_header*) (data + SIZE_ETHERNET);
//print ip address
printf("%d.%d.%d.%d -> %d.%d.%d.%d\n",
ip->saddr.byte1, ip->saddr.byte2, ip->saddr.byte3, ip->saddr.byte4,
ip->daddr.byte1, ip->daddr.byte2, ip->daddr.byte3, ip->daddr.byte4
);
//ttl
cout << "TTL: " << (unsigned int) ip->ttl << endl;
cout << endl;
}
system("pause");
return 0;
}
我使用winpcap,但实际上并不认为winpcap和libpcap有很大区别。对我来说是一样的。 那么你能帮我获取域名和 A 记录吗?
最佳答案
您只需查看 DNS UDP 数据包,然后根据 RFC 1035 进行解码。
当您仅使用 Wireshark 查看文件时,这似乎需要大量工作
关于c++ - 如何从pcap文件中获取域名地址和A记录?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35948162/