| blob | 246a5b090a845509834b502bc3c05658207febfa |
1 /** @ingroup wpcap_tut\r
2 */\r
3 \r
4 /** @defgroup wpcap_tut6 Interpreting the packets\r
5 * @{\r
6 \r
7 Now that we are able to capture and filter network traffic, we want to put our knowledge to work with a simple "real world" application. \r
8 \r
9 In this lesson we will take code from the previous lessons and use these pieces to build a more useful program. the main purpose of the current program is to show how the protocol headers of a captured packet can be parsed and interpreted. \r
10 The resulting application, called UDPdump, prints a summary of the UDP traffic on our network.\r
11 \r
12 We have chosen to parse and display the UDP protocol because it is more accessible than other protocols such as TCP and consequently is an excellent initial example. Let's look at the code:\r
13 \r
14 \include UDPdump/udpdump.c\r
15 \r
16 First of all, we set the filter to "ip and udp". In this way we are sure that packet_handler() will receive only UDP packets over IPv4: this simplifies the parsing and increases the efficiency of the program.\r
17 \r
18 We have also created a couple of structs that describe the IP and UDP headers. These structs are used by packet_handler() to properly locate the various header fields. \r
19 \r
20 packet_handler(), although limited to a single protocol dissector (UDP over IPv4), shows how complex "sniffers" like tcpdump/WinDump decode the network traffic. Since we aren't interested in the MAC header, we skip it. \r
21 For simplicity and before starting the capture, we check the MAC layer with pcap_datalink() to make sure that\r
22 we are dealing with an Ethernet network. This way we can be sure that the MAC header is exactly 14 bytes.\r
23 \r
24 The IP header is located just after the MAC header. We will extract the IP source and destination addresses from the\r
25 IP header.\r
26 \r
27 Reaching the UDP header is a bit more complicated, because the IP header doesn't have a fixed length.\r
28 Therefore, we use the IP header's length field to know its size. \r
29 Once we know the location of the UDP header, we extract the source and destination ports.\r
30 \r
31 The extracted values are printed on the screen, and the result is something like:\r
32 \r
33 <tt>\r
34 1. \\Device\\Packet_{A7FD048A-5D4B-478E-B3C1-34401AC3B72F} (Xircom\r
35 t 10/100 Adapter) \n\r
36 Enter the interface number (1-2):1\n\r
37 \r
38 listening on Xircom CardBus Ethernet 10/100 Adapter... \n\r
39 16:13:15.312784 len:87 130.192.31.67.2682 -> 130.192.3.21.53 \n\r
40 16:13:15.314796 len:137 130.192.3.21.53 -> 130.192.31.67.2682 \n\r
41 16:13:15.322101 len:78 130.192.31.67.2683 -> 130.192.3.21.53 \n\r
42 </tt>\r
43 \r
44 Each of the final 3 lines represents a different packet.\r
45 \r
46 \ref wpcap_tut5 "<<< Previous" \ref wpcap_tut7 "Next >>>"\r
47 \r
48 @}*/\r