
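Central South University
SEED Project Lab Report

Student name: Sun Yi (孫毅)
Student ID:
Supervisor: Wang Weiping (王偉平)
School: Information Science and Engineering
Major and class: Information Security 1401
Completion date: 2016.12

Contents

I. Experiment Principles
II. Experiment Equipment
III. Experiment Steps and Results
    Task 1. Writing a sniffer program
    Task 2. Packet spoofing
    Task 3. Combined use
IV. Appendix
    Task 1
    Task 2
    Task 3

Sniffing_Spoofing

I. Experiment Principles

Sniffing works by putting the local network interface card (NIC) into promiscuous mode. In this mode the NIC behaves as if it had a "broadcast address": it raises a hardware interrupt for every frame it encounters, so that the operating system processes every packet that crosses the physical medium. (The great majority of NICs can be put into promiscuous mode.)

Sniffing and spoofing are generally used together. Once an attacker has sniffed key information, they typically use spoofing to construct packets that hijack a session or obtain more information, which usually causes serious harm. Spoofing means that the attacker constructs the IP/TCP header data of a packet themselves to achieve their goal.

This lab simulates the whole process under Linux, based on the principles above.

II. Experiment Equipment

Ubuntu 12.04.
Wireshark and other common packet capture tools.

III. Experiment Steps and Results

Task 1. Writing a sniffer program

A sniffer program can be written easily with the pcap library. With pcap, the sniffer's job becomes a simple sequence of calls into the library. At the end of the sequence, packets are placed in a buffer for further processing as soon as they are captured. All the details of packet capture are handled by the pcap library. Tim Carstens has written a tutorial on how to write a sniffer program with the pcap library.

1: Understand sniffer programs in depth and be able to write one.
2: Write filters.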

Write filter expressions for your sniffer program to capture each of the following. In your lab report, include screendumps showing the results of applying these filters.

- Capture ICMP packets.
- Capture TCP packets with a destination port in the range 10 - 100.

The results are as follows. The sniffer was compiled with gcc, linked against libpcap, into a binary named device and run with sudo (terminal screenshot of 11 December 2016, 08:59 to 09:00):

    seedubuntu:$ sudo ./device
    [sudo] password for seed:
    sniffex - Sniffer example using libpcap
    Copyright (c) 2005 The Tcpdump Group
    THERE IS ABSOLUTELY NO WARRANTY FOR THIS PROGRAM.

    Device: eth0
    Number of packets: 10
    Filter expression: ip

    Packet number 1:
           From: 192.168.129.132
             To: 128.230.208.76
       Protocol: TCP
       Src port: 40021
       Dst port: 80

Packet number 5 in the same screenshot is a TCP packet from 192.168.129.132, source port 40021, destination port 80, with a payload of 369 bytes. The ASCII column of its payload dump reads:

    GET /~wedu/seed/lab_env.html HTTP/1.1..Host: www.cis.syr.edu..User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language: en-US,en;q=0.5..

The program is preset to capture 10 packets. Each captured packet is then processed: the program prints the packet type, the source and destination IP addresses, the source and destination ports, and, when the packet carries data, the data itself.

For part 2 of Task 1, the work is mainly a change to the filter condition. To capture only ICMP packets, change the ip in char filter_exp[] = "ip" to icmp. To capture TCP packets with a destination port between 10 and 100, change the condition in the same statement to tcp and dst portrange 10-100.

Task 2. Packet spoofing

Normally, when a user sends a packet, the operating system does not allow the user to set every field in the protocol headers (such as the TCP, UDP and IP headers). The operating system sets most of the fields and only lets the user set a few, such as the destination IP address and the destination port number. A user with root privileges, however, can set any field in the packet headers.

This is called packet spoofing, and it can be done through raw sockets.

Raw sockets give the programmer absolute control over the structure of a packet, allowing any arbitrary packet to be built, including its header fields and its payload. Using raw sockets is fairly simple and involves four steps: (1) create a raw socket, (2) set the socket options, (3) construct the packet, and (4) send the packet through the raw socket. Many online tutorials teach how to use raw sockets in C. Some of them are linked from the lab's web page. Read them and learn how to write a packet spoofing program. A simple program is shown here.

The results are as follows (terminal screenshot of December 2016, 09:31):

    seedubuntu:$ sudo ./proof 127.1.1.1 234 193.123.123.11 80
    [sudo] password for seed:
    socket() - Using SOCK_RAW socket and UDP protocol is OK.
    setsockopt() is OK.
    Trying...
    Using raw socket and UDP protocol
    Using Source IP: 127.1.1.1 port: 234, Target IP: 193.123.123.11 port: 80.
    Count #1 - sendto() is OK.
    Count #2 - sendto() is OK.
    Count #3 - sendto() is OK.
    Count #4 - sendto() is OK.
    Count #5 - sendto() is OK.
    Count #6 - sendto() is OK.

The output shows that packets with a forged source IP and source port 234 were successfully sent to port 80 of the target, which completes the packet spoofing process.

Task 3. Combined use

In this task you combine the sniffing and spoofing techniques in one program. You need two virtual machines on the same LAN. From VM A, ping the IP of another machine, X. This generates an ICMP echo request packet. If X is alive, the ping program receives an echo reply and prints the response. Your sniff-and-then-spoof program runs on VM B and monitors the network by packet sniffing. Whenever it sees an ICMP echo request, whatever the target IP address is, your program should immediately send an echo reply using the packet spoofing technique. As a result, regardless of whether machine X is alive, the ping program always receives a reply, which indicates that X is alive. You need to write such a program and include screendumps in your report showing that it works. Please attach the code to your report.

IV. Appendix

Task 1

    #define APP_NAME        "sniffex"
    #define APP_DESC        "Sniffer example using libpcap"
    #define APP_COPYRIGHT   "Copyright (c) 2005 The Tcpdump Group"
    #define APP_DISCLAIMER  "THERE IS ABSOLUTELY NO WARRANTY FOR THIS PROGRAM."

    #include <pcap.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <ctype.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    /* default snap length (maximum bytes per packet to capture) */
    #define SNAP_LEN 1518

    /* ethernet headers are always exactly 14 bytes [1] */
    #define SIZE_ETHERNET 14

    /* Ethernet addresses are 6 bytes */
    #define ETHER_ADDR_LEN 6

    /* Ethernet header */
    struct sniff_ethernet {
        u_char  ether_dhost[ETHER_ADDR_LEN];    /* destination host address */
        u_char  ether_shost[ETHER_ADDR_LEN];    /* source host address */
        u_short ether_type;                     /* IP? ARP? RARP? etc */
    };

    /* IP header */
    struct sniff_ip {
        u_char  ip_vhl;                 /* version << 4 | header length >> 2 */
        u_char  ip_tos;                 /* type of service */
        u_short ip_len;                 /* total length */
        u_short ip_id;                  /* identification */
        u_short ip_off;                 /* fragment offset field */
    #define IP_RF 0x8000                /* reserved fragment flag */
    #define IP_DF 0x4000                /* dont fragment flag */
    #define IP_MF 0x2000                /* more fragments flag */
    #define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
        u_char  ip_ttl;                 /* time to live */
        u_char  ip_p;                   /* protocol */
        u_short ip_sum;                 /* checksum */
        struct  in_addr ip_src, ip_dst; /* source and dest address */
    };
    #define IP_HL(ip)   (((ip)->ip_vhl) & 0x0f)   /* AND with 15 */
    #define IP_V(ip)    (((ip)->ip_vhl) >> 4)     /* shift all bits of ip_vhl right by 4 */

    /* TCP header */
    typedef u_int tcp_seq;

    struct sniff_tcp {
        u_short th_sport;               /* source port */
        u_short th_dport;               /* destination port */
        tcp_seq th_seq;                 /* sequence number */
        tcp_seq th_ack;                 /* acknowledgement number */
        u_char  th_offx2;               /* data offset, rsvd */
    #define TH_OFF(th)  (((th)->th_offx2 & 0xf0) >> 4)
        u_char  th_flags;
    #define TH_FIN  0x01
    #define TH_SYN  0x02
    #define TH_RST  0x04
    #define TH_PUSH 0x08
    #define TH_ACK  0x10
    #define TH_URG  0x20
    #define TH_ECE  0x40
    #define TH_CWR  0x80
    #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
        u_short th_win;                 /* window */
        u_short th_sum;                 /* checksum */
        u_short th_urp;                 /* urgent pointer */
    };

    void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);
    void print_payload(const u_char *payload, int len);
    void print_hex_ascii_line(const u_char *payload, int len, int offset);
    void print_app_banner(void);
    void print_app_usage(void);

    /* print program information */
    void print_app_banner(void)
    {
        printf("%s - %s\n", APP_NAME, APP_DESC);
        printf("%s\n", APP_COPYRIGHT);
        printf("%s\n", APP_DISCLAIMER);
        printf("\n");
        return;
    }

    void print_app_usage(void)
    {
        printf("Usage: %s [interface]\n", APP_NAME);
        printf("\n");
        printf("Options:\n");
        printf("    interface    Listen on <interface> for packets.\n");
        printf("\n");
        return;
    }

    void print_hex_ascii_line(const u_char *payload, int len, int offset)
    {
        int i;
        int gap;
        const u_char *ch;

        printf("%05d   ", offset);

        ch = payload;
        for (i = 0; i < len; i++) {
            printf("%02x ", *ch);
            ch++;
            /* print extra space after 8th byte for visual aid */
            if (i == 7)
                printf(" ");
        }
        /* print space to handle line less than 8 bytes */
        if (len < 8)
            printf(" ");

        /* pad the hex column when the line is not full */
        if (len < 16) {
            gap = 16 - len;
            for (i = 0; i < gap; i++) {
                printf("   ");
            }
        }
        printf("   ");

        /* ASCII column: printable characters as they are, a dot otherwise */
        ch = payload;
        for (i = 0; i < len; i++) {
            if (isprint(*ch))
                printf("%c", *ch);
            else
                printf(".");
            ch++;
        }

        printf("\n");
        return;
    }

    void print_payload(const u_char *payload, int len)
    {
        int len_rem = len;
        int line_width = 16;            /* number of bytes per line */
        int line_len;
        int offset = 0;                 /* zero-based offset counter */
        const u_char *ch = payload;

        if (len <= 0)
            return;

        /* data fits on one line */
        if (len <= line_width) {
            print_hex_ascii_line(ch, len, offset);
            return;
        }

        /* data spans multiple lines */
        for ( ;; ) {
            /* compute current line length */
            line_len = line_width % len_rem;
            /* print line */
            print_hex_ascii_line(ch, line_len, offset);
            /* compute total remaining */
            len_rem = len_rem - line_len;
            /* shift pointer to remaining bytes to print */
            ch = ch + line_len;
            /* add offset */
            offset = offset + line_width;
            /* check if we have line width chars or less */
            if (len_rem <= line_width) {
                /* print last line and get out */
                print_hex_ascii_line(ch, len_rem, offset);
                break;
            }
        }
        return;
    }

    void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
    {
        static int count = 1;                   /* packet counter */

        /* declare pointers to packet headers */
        const struct sniff_ethernet *ethernet;  /* The ethernet header [1] */
        const struct sniff_ip *ip;              /* The IP header */
        const struct sniff_tcp *tcp;            /* The TCP header */
        const u_char *payload;                  /* Packet payload */

        int size_ip;
        int size_tcp;
        int size_payload;

        printf("\nPacket number %d:\n", count);
        count++;

        /* define ethernet header */
        ethernet = (struct sniff_ethernet*)(packet);

        /* define/compute ip header offset */
        ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
        size_ip = IP_HL(ip)*4;
        if (size_ip < 20) {
            printf("   * Invalid IP header length: %u bytes\n", size_ip);
            return;
        }

        /* print source and destination IP addresses */
        printf("       From: %s\n", inet_ntoa(ip->ip_src));
        printf("         To: %s\n", inet_ntoa(ip->ip_dst));

        /* determine protocol */
        switch (ip->ip_p) {
            case IPPROTO_TCP:
                printf("   Protocol: TCP\n");
                break;
            case IPPROTO_UDP:
                printf("   Protocol: UDP\n");
                return;
            case IPPROTO_ICMP:
                printf("   Protocol: ICMP\n");
                return;
            case IPPROTO_IP:
                printf("   Protocol: IP\n");
                return;
            default:
                printf("   Protocol: unknown\n");
                return;
        }

        /* only TCP packets reach this point: define/compute tcp header offset */
        tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
        size_tcp = TH_OFF(tcp)*4;
        if (size_tcp < 20) {
            printf("   * Invalid TCP header length: %u bytes\n", size_tcp);
            return;
        }

        printf("   Src port: %d\n", ntohs(tcp->th_sport));
        printf("   Dst port: %d\n", ntohs(tcp->th_dport));

        /* define/compute tcp payload (segment) offset */
        payload = (const u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);

        /* compute tcp payload (segment) size */
        size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp);

        /*
         * Print payload data; it might be binary, so don't just
         * treat it as a string.
         */
        if (size_payload > 0) {
            printf("   Payload (%d bytes):\n", size_payload);
            print_payload(payload, size_payload);
        }
        return;
    }

    int main(int argc, char **argv)
    {
        char *dev = NULL;               /* capture device name */
        char errbuf[PCAP_ERRBUF_SIZE];  /* error buffer */
        pcap_t *handle;                 /* packet capture handle */
        char filter_exp[] = "ip";       /* filter expression [3] */
        struct bpf_program fp;          /* compiled filter program (expression) */
        bpf_u_int32 mask;               /* subnet mask */
        bpf_u_int32 net;                /* IP address */
        int num_packets = 10;           /* number of packets to capture */

        print_app_banner();

        /* check for capture device name on command-line */
        if (argc == 2) {
            dev = argv[1];
        }
        else if (argc > 2) {
            fprintf(stderr, "error: unrecognized command-line options\n\n");
            print_app_usage();
            exit(EXIT_FAILURE);
        }
        else {
            /* find a capture device if not specified on command-line */
            dev = pcap_lookupdev(errbuf);
            if (dev == NULL) {
                fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
                exit(EXIT_FAILURE);
            }
        }

        /* get network number and mask associated with capture device */
        if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
            fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev, errbuf);
            net = 0;
            mask = 0;
        }

        /* print capture info */
        printf("Device: %s\n", dev);
        printf("Number of packets: %d\n", num_packets);
        printf("Filter expression: %s\n", filter_exp);

        /* open capture device */
        handle = pcap_open_live(dev, SNAP_LEN, 1, 1000, errbuf);
        if (handle == NULL) {
            fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
            exit(EXIT_FAILURE);
        }

        /* make sure we're capturing on an Ethernet device [2] */
        if (pcap_datalink(handle) != DLT_EN10MB) {
            fprintf(stderr, "%s is not an Ethernet\n", dev);
            exit(EXIT_FAILURE);
        }

        /* filter expression */
        if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
            fprintf(stderr, "Couldn't parse filter %s: %s\n",
                    filter_exp, pcap_geterr(handle));
            exit(EXIT_FAILURE);
        }

        if (pcap_setfilter(handle, &fp) == -1) {
            fprintf(stderr, "Couldn't install filter %s: %s\n",
                    filter_exp, pcap_geterr(handle));
            exit(EXIT_FAILURE);
        }

        pcap_loop(handle, num_packets, got_packet, NULL);

        pcap_freecode(&fp);
        pcap_close(handle);

        printf("\nCapture complete.\n");
        return 0;
    }

Task 2

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    #define PCKT_LEN 8192

    // IP header structure (20 bytes)
    struct ipheader {
        unsigned char      iph_ihl:4, iph_ver:4;       // header length and version share one byte
        unsigned char      iph_tos;
        unsigned short int iph_len;
        unsigned short int iph_ident;
        unsigned short int iph_flag:3, iph_offset:13;  // flags and fragment offset share 16 bits
        unsigned char      iph_ttl;
        unsigned char      iph_protocol;
        unsigned short int iph_chksum;
        unsigned int       iph_sourceip;
        unsigned int       iph_destip;
    };

    // UDP headers structure
    struct udpheader {
        unsigned short int udph_srcport;
        unsigned short int udph_destport;
        unsigned short int udph_len;
        unsigned short int udph_chksum;
    };
    // total udp header length: 8 bytes (=64 bits)

    // Function for checksum calculation. From the RFC,
    // the checksum algorithm is:
    //   "The checksum field is the 16 bit one's complement of the one's
    //   complement sum of all 16 bit words in the header. For purposes of
    //   computing the checksum, the value of the checksum field is zero."
    unsigned short csum(unsigned short *buf, int nwords)
    {
        unsigned long sum;
        for (sum = 0; nwords > 0; nwords--)
            sum += *buf++;
        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
        return (unsigned short)(~sum);
    }

    // Source IP, source port, target IP, target port from the command line arguments
    int main(int argc, char *argv[])
    {
        int sd;
        // No data/payload just datagram
        char buffer[PCKT_LEN];
        // Our own headers structures
        struct ipheader *ip = (struct ipheader *) buffer;
        struct udpheader *udp = (struct udpheader *) (buffer + sizeof(struct ipheader));
        // Source and destination addresses: IP and port
        struct sockaddr_in sin, din;
        int one = 1;
        const int *val = &one;

        memset(buffer, 0, PCKT_LEN);

        if (argc != 5) {
            printf("- Invalid parameters\n");
            printf("- Usage %s <source IP> <source port> <target IP> <target port>\n", argv[0]);
            exit(-1);
        }

        // Create a raw socket with UDP protocol
        sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
        if (sd < 0) {
            perror("socket() error");
            exit(-1);
        }
        else
            printf("socket() - Using SOCK_RAW socket and UDP protocol is OK.\n");

        // Address family, ports and IP addresses of both endpoints
        memset(&sin, 0, sizeof(sin));
        memset(&din, 0, sizeof(din));
        sin.sin_family = AF_INET;
        din.sin_family = AF_INET;
        sin.sin_port = htons(atoi(argv[2]));
        din.sin_port = htons(atoi(argv[4]));
        sin.sin_addr.s_addr = inet_addr(argv[1]);
        din.sin_addr.s_addr = inet_addr(argv[3]);

        // Fabricate the IP header
        ip->iph_ihl = 5;
        ip->iph_ver = 4;
        ip->iph_tos = 16; // Low delay
        ip->iph_len = sizeof(struct ipheader) + sizeof(struct udpheader);
        ip->iph_ident = htons(54321);
        ip->iph_ttl = 64; // hops
        ip->iph_protocol = 17; // UDP
        // Source IP address, can use spoofed address here
        ip->iph_sourceip = inet_addr(argv[1]);
        // The destination IP address
        ip->iph_destip = inet_addr(argv[3]);

        // Fabricate the UDP header. Source port number, redundant
        udp->udph_srcport = htons(atoi(argv[2]));
        // Destination port number
        udp->udph_destport = htons(atoi(argv[4]));
        udp->udph_len = htons(sizeof(struct udpheader));
        // Calculate the checksum for integrity: csum() takes a count of
        // 16-bit words, and the checksum covers the IP header only
        ip->iph_chksum = csum((unsigned short *)buffer, sizeof(struct ipheader) / 2);

        // Inform the kernel do not fill up the packet structure. we will build our own.
        if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, val, sizeof(one)) < 0) {
            perror("setsockopt() error");
            exit(-1);
        }
        else
            printf("setsockopt() is OK.\n");

        // Send loop, send for every 2 second for 100 count
        printf("Trying...\n");
        printf("Using raw socket and UDP protocol\n");
        printf("Using Source IP: %s port: %u, Target IP: %s port: %u.\n",
               argv[1], atoi(argv[2]), argv[3], atoi(argv[4]));

        int count;
        for (count = 1; count <= 100; count++) {
            if (sendto(sd, buffer, ip->iph_len, 0, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
                // Verify
                perror("sendto() error");
                exit(-1);
            }
            else {
                printf("Count #%u - sendto() is OK.\n", count);
                sleep(2);
            }
        }
        close(sd);
        return 0;
    }

Task 3

    /* 18 #include directives appear here; the header names are not legible in the source */

    #define APP_NAME        "sniffex"
    #define APP_DESC        "Sniffer example using libpcap"
    #define APP_COPYRIGHT   "Copyright (c) 2005 The Tcpdump Group"
    #define APP_DISCLAIMER  "THERE IS ABSOLUTELY NO WARRANTY FOR THIS PROGRAM."

    /* default snap length (maximum bytes per packet to capture) */
    #define SNAP_LEN 1518

    /* ethernet headers are always exactly 14 bytes [1] */
    #define SIZE_ETHERNET 14

    /* Ethernet addresses are 6 bytes */
    #define ETHER_ADDR_LEN 6

    char* dstip;
    char* srcip;

    /* Ethernet header */
    struct sniff_ethernet {
        u_char  ether_dhost[ETHER_ADDR_LEN];    /* destination host address */
        u_char  ether_shost[ETHER_ADDR_LEN];    /* source host address */
        u_short ether_type;                     /* IP? ARP? RARP? etc */
    };

    /* IP header */
    struct sniff_ip {
        u_char  ip_vhl;                 /* version << 4 | header length >> 2 */
        u_char  ip_tos;                 /* type of service */
        u_short ip_len;                 /* total length */
        u_short ip_id;                  /* identification */
        u_short ip_off;                 /* fragment offset field */
    #define IP_RF 0x8000                /* reserved fragment flag */
    #define IP_DF 0x4000                /* dont fragment flag */
    #define IP_MF 0x2000                /* more fragments flag */
    #define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
        u_char  ip_ttl;                 /* time to live */
        u_char  ip_p;                   /* protocol */
        u_short ip_sum;                 /* checksum */
        struct  in_addr ip_src, ip_dst; /* source and dest address */
    };
    #define IP_HL(ip)   (((ip)->ip_vhl) & 0x0f)
    #define IP_V(ip)    (((ip)->ip_vhl) >> 4)

    /* TCP header */
    typedef u_int tcp_seq;

    struct sniff_tcp {
        u_short th_sport;               /* source port */
        u_short th_dport;               /* destination port */
        tcp_seq th_seq;                 /* sequence number */
        tcp_seq th_ack;                 /* acknowledgement number */
        u_char  th_offx2;               /* data offset, rsvd */
    #define TH_OFF(th)  (((th)->th_offx2 & 0xf0) >> 4)
        u_char  th_flags;
    #define TH_FIN  0x01
    #define TH_SYN  0x02
    #define TH_RST  0x04
    #define TH_PUSH 0x08
    #define TH_ACK  0x10
    #define TH_URG  0x20
    #define TH_ECE  0x40
    #define TH_CWR  0x80
    #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
        u_short th_win;                 /* window */
        u_short th_sum;                 /* checksum */
        u_short th_urp;                 /* urgent pointer */
    };

    void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);
    void print_payload(const u_char *payload, int len);
    void print_hex_ascii_line(const u_char *payload, int len, int offset);
    void print_app_banner(void);
    void print_app_usage(void);

    /*
     * app name/banner
     */
    void print_app_banner(void)
    {
        printf("%s - %s\n", APP_NAME, APP_DESC);
        printf("%s\n", APP_COPYRIGHT);
        printf("%s\n", APP_DISCLAIMER);
        printf("\n");
        return;
    }

    /*
     * print help text
     */
    void print_app_usage(void)
    {
        printf("Usage: %s [interface]\n", APP_NAME);
        printf("\n");
        printf("Options:\n");
        printf("    interface    Listen on <interface> for packets.\n");
        printf("\n");
        return;
    }

    /*
     * print data in rows of 16 bytes: offset   hex   ascii
     *
     * 00000   47 45 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a   GET / HTTP/1.1..
     */
    void print_hex_ascii_line(const u_char *payload, int len, int offset)
    {
        int i;
        int gap;
        const u_char *ch;

        /* offset */
        printf("%05d   ", offset);

        /* hex */
        ch = payload;
        for (i = 0; i < len; i++) {
            printf("%02x ", *ch);
            ch++;
            /* print extra space after 8th byte for visual aid */
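The header walk that got_packet() performs in the Task 1 listing, together with what the two Task 1 filters (icmp, and tcp and dst portrange 10-100) select, written out in plain C as an added example that is not part of the original report. It checks every header against the captured length, which got_packet() does not do. classify(), sample() and the return codes are names chosen for this example, the frames are constructed, and only IPv4 over Ethernet is handled.

```c
#include <stdint.h>
#include <stdio.h>

#define SIZE_ETHERNET 14   /* same constant as the Task 1 listing */
enum { TRUNCATED = -1, NO_MATCH = 0, MATCH_ICMP = 1, MATCH_TCP_DPORT = 2 };

/* Read a big-endian 16-bit field byte by byte (no alignment assumptions). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one Ethernet/IPv4 frame of which caplen bytes were captured.
 * MATCH_ICMP: "icmp". MATCH_TCP_DPORT: "tcp and dst portrange lo-hi".
 * TRUNCATED: a header runs past caplen or is below its 20-byte minimum. */
int classify(const uint8_t *pkt, size_t caplen, uint16_t lo, uint16_t hi)
{
    if (caplen < SIZE_ETHERNET) return TRUNCATED;
    if (be16(pkt + 12) != 0x0800) return NO_MATCH;          /* not IPv4 */
    if (caplen < SIZE_ETHERNET + 20) return TRUNCATED;

    const uint8_t *ip = pkt + SIZE_ETHERNET;
    size_t size_ip = (size_t)(ip[0] & 0x0f) * 4;            /* IP_HL(ip)*4 */
    if (size_ip < 20 || SIZE_ETHERNET + size_ip > caplen) return TRUNCATED;

    if (ip[9] == 1) return MATCH_ICMP;                      /* IPPROTO_ICMP */
    if (ip[9] != 6) return NO_MATCH;                        /* not IPPROTO_TCP */
    if (be16(ip + 6) & 0x1fff) return NO_MATCH;             /* later fragment: no ports */
    const uint8_t *tcp = ip + size_ip;                      /* not a fixed offset */
    if (SIZE_ETHERNET + size_ip + 20 > caplen) return TRUNCATED;
    if ((size_t)(tcp[12] >> 4) * 4 < 20) return TRUNCATED;  /* TH_OFF(tcp)*4 */
    uint16_t dport = be16(tcp + 2);
    return (dport >= lo && dport <= hi) ? MATCH_TCP_DPORT : NO_MATCH;
}

/* Build a constructed frame (not captured traffic) and classify it against
 * destination ports 10-100. ihl is the IP header length in 32-bit words;
 * cut > 0 shortens the capture to cut bytes, as a small snap length would. */
int sample(uint8_t proto, unsigned ihl, uint16_t dport, size_t cut)
{
    uint8_t f[SIZE_ETHERNET + 60 + 20] = {0};
    ihl &= 0x0f;
    f[12] = 0x08;                                           /* EtherType 0x0800 */
    uint8_t *ip = f + SIZE_ETHERNET;
    ip[0] = (uint8_t)(0x40 | ihl);                          /* version 4 + IHL */
    ip[9] = proto;
    uint8_t *tcp = ip + ihl * 4;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)(dport & 0xff);
    tcp[12] = 5 << 4;                                       /* 20-byte TCP header */
    size_t len = SIZE_ETHERNET + ihl * 4 + 20;
    return classify(f, cut ? cut : len, 10, 100);
}

int main(void)
{
    printf("icmp                            -> %d\n", sample(1, 5, 0, 0));
    printf("tcp dport 80, 60-byte IP header -> %d\n", sample(6, 15, 80, 0));
    printf("tcp dport 443                   -> %d\n", sample(6, 5, 443, 0));
    printf("tcp dport 80, 40 bytes captured -> %d\n", sample(6, 5, 80, 40));
    return 0;
}
```

The 60-byte IP header case is the one a fixed port offset gets wrong: the TCP header starts wherever the IHL field says it does.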
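The checksum rule quoted in the Task 2 listing, worked through on a constructed packet as an added example that is not part of the original report: csum() takes a count of 16-bit words and the IPv4 header checksum covers the IP header only, so a count that is too large gives a value a receiver rejects. csum16(), the helper names and the packet bytes (documentation-range addresses, the TOS, id, TTL and ports used in the report) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_WORDS 10   /* 20-byte IPv4 header = ten 16-bit words */

/* RFC 1071 checksum over nwords 16-bit words. Bytes are combined
 * explicitly so the result does not depend on host byte order. */
uint16_t csum16(const uint8_t *buf, size_t nwords)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < nwords; i++)
        sum += (uint32_t)((buf[2 * i] << 8) | buf[2 * i + 1]);
    while (sum >> 16)                          /* fold carries back in */
        sum = (sum >> 16) + (sum & 0xffff);
    return (uint16_t)~sum;
}

/* Constructed packet: IPv4 header (TOS 16, id 54321, TTL 64, UDP,
 * documentation addresses, checksum field zero), then a UDP header for
 * ports 234 -> 80. The remaining bytes are zero. */
static const uint8_t PKT[56] = {
    0x45, 0x10, 0x00, 0x1c, 0xd4, 0x31, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 1, 198, 51, 100, 7,
    0x00, 0xea, 0x00, 0x50, 0x00, 0x08, 0x00, 0x00
};

/* Correct span: the ten words of the IP header only. */
uint16_t checksum_header_words(void) { return csum16(PKT, IP_WORDS); }

/* Wrong span: the byte count 20 + 8 passed as a word count, so the sum
 * also takes in the UDP header and the bytes after it. */
uint16_t checksum_byte_count(void) { return csum16(PKT, 20 + 8); }

/* Receiver-side check: with the checksum stored in bytes 10-11, the
 * checksum of the ten header words must come out as zero. */
int header_verifies(uint16_t ck)
{
    uint8_t h[20];
    memcpy(h, PKT, sizeof h);
    h[10] = (uint8_t)(ck >> 8);
    h[11] = (uint8_t)(ck & 0xff);
    return csum16(h, IP_WORDS) == 0;
}

int main(void)
{
    uint16_t good = checksum_header_words(), bad = checksum_byte_count();
    printf("header words: 0x%04x verifies=%d\n", good, header_verifies(good));
    printf("byte count:   0x%04x verifies=%d\n", bad, header_verifies(bad));
    return 0;
}
```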
