我发布了main函数,结构体头是正常的。我运行这个程序后,它经常停在某个数据包处,不同的数据包停在不同的位置,但某个pcap总是停在某个位置。它打印“read end of pcap file”,我不确定是否某些指针错误。
int main()
{
struct pcap_file_header *file_header;
struct pcap_pkthdr *ptk_header;
IPHeader_t *ip_header;
TCPHeader_t *tcp_header;
FILE *fp, *output,*testfile;
int i=0;
long pkt_offset;
long testtime;
int ip_len, http_len, ip_proto;
int src_port, dst_port, tcp_flags;
char buf[BUFSIZE], my_time[20],my_time1[20],my_time2[10];
char src_ip[STRSIZE], dst_ip[STRSIZE];
char host[STRSIZE], uri[BUFSIZE];
file_header = (struct pcap_file_header *)malloc(sizeof(struct pcap_file_header));
ptk_header = (struct pcap_pkthdr *)malloc(sizeof(struct pcap_pkthdr));
ip_header = (IPHeader_t *)malloc(sizeof(IPHeader_t));
tcp_header = (TCPHeader_t *)malloc(sizeof(TCPHeader_t));
memset(buf, 0, sizeof(buf));
if((fp = fopen("f:\\1.pcap","r")) == NULL)
{
printf("error: can not open pcap file\n");
exit(0);
}
if((output = fopen("output.txt","w+")) == NULL)
{
printf("error: can not open output file\n");
exit(0);
}
if((testfile = fopen("test.txt","w+")) == NULL)
{
printf("error: can not open test file\n");
exit(0);
}
pkt_offset = 24; //pcap head
while(fseek(fp, pkt_offset, SEEK_SET) == 0)
{
i++;
//pcap_pkt_header 16 byte
if(fread(ptk_header, 16, 1, fp) == 0) //read pcap packet head
{
fprintf(testfile,"%d-%ld-",i,pkt_offset);
fprintf(testfile,"\nread end of pcap file\n");
break;
}
pkt_offset += 16 + ptk_header->caplen;
fprintf(testfile,"%d-%ld-",i,pkt_offset);
fprintf(testfile,"%ld",ptk_header->caplen);
fprintf(testfile,"\n");
//extract timestamp
itoa(ptk_header->ts.tv_sec,my_time,10);
itoa(ptk_header->ts.tv_usec,my_time1,10);
strcat(my_time,".");
strncpy(my_time2,my_time1,4);
my_time2[4] = '\0';
strcat(my_time,my_time2);
printf("%d: %s\n", i, my_time);
fwrite(&my_time[0],16,1,output);
fprintf(output,"\n");
} // end while
fclose(fp);
fclose(output);
fclose(testfile);
return 0;
}
最佳答案
您在同一循环中使用 fseek 和 fread。每次调用 fread 时,文件指针都会增加读取的值。您不需要调用 fseek 来设置文件指针。
像这样更改 while 循环
while(fread(ptk_header, 16, 1, fp) > 0) //read pcap packet head
{
i++;
//pcap_pkt_header 16 byte
pkt_offset += 16 + ptk_header->caplen;
fprintf(testfile,"%d-%ld-",i,pkt_offset);
fprintf(testfile,"%ld",ptk_header->caplen);
fprintf(testfile,"\n");
// further code below
}
关于c - 一个简单的C程序来分析pcap文件,但它不能读取整个pcap文件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38346563/