WinPcap下的主要結構體和主要函數(shù)

structpcap_if_t（稱為網(wǎng)絡設備結構，表示一個網(wǎng)絡接口設備（如網(wǎng)卡））結構體包含以下5個域（其結構體與pcap_if相同，可以用pcap_if_t代替pcap_if）:structpcap_if{structpcap_if*next;char*name;/*nametohandto"pcap_open_live（）"*/char"description;/*textualdescriptionofinterface,orNULL*/structpcap_addr*addresses;bpf_u_int32flags;/*PCAP_IF_interfaceflags*/}；Structpcap_addr:RepresentationofaninterfaceaddressStructpcap_addr:Representationofaninterfaceaddress（表示接口地址）Structpcap_addr{structpcap_addr*next:ifnotNULL,apointertothenextelementinthelist;NULLforthelastelementofthelist（指向下一個元素的指針）structsockaddr*addrapointertoastructsockaddrcontaininganaddressstructsockaddr*netmaskifnotNULL,apointertoastructsockaddrthatcontainsthenetmaskcorrespondingtotheaddresspointedtobyaddr.structsockaddr*broadaddrifnotNULL,apointertoastructsockaddrthatcontainsthebroadcastaddresscorre?spondingtotheaddresspointedtobyaddr;maybenulliftheinterfacedoesn'tsupportbroadcastsstructsockaddr*dstaddrifnotNULL,apointertoastructsockaddrthatcontainsthedestinationaddresscorre?spondingtotheaddresspointedtobyaddr;maybenulliftheinterfaceisn'tapoint-to-pointinterface}2pcap_ifIteminalistofinterfaces,usedbypcapfindalldevs。.（接口設備列表的一項（一個設備，比如一個網(wǎng)卡））Definitionatline148offileincs/.Structpcap_if{structpcap_if*nextifnotNULL,apointertothenextelementinthelist;NULLforthelastelementofthelistchar*namechar*nameapointertoastringgivinganameforthedevicetopasstopcap_open_live（）char*descriptionifnotNULL,apointertoastringgivingahuman-readabledescriptionofthedevicestructpcap_addr*addressesapointertothefirstelementofalistofaddressesfortheinterfaceu_intflagsPCAP_IF_interfaceflags.CurrentlytheonlypossibleflagisPCAP_IF_LOOPBACK,thatissetiftheinterfaceisaloopbackinterface.}結構體pcap_tDescriptorofanopencaptureinstance.Thisstructureisopaquetotheuser,thathandlesitscontentthroughthefunctionsprovidedby.（該結構體描述一個捕獲的實例（例如指向一個發(fā)現(xiàn)的網(wǎng)卡，稱為網(wǎng)卡描述符），其結構體在.h文件中看不到）結構體pcap_pkthdrEachpacketinthedumpfileisprependedwiththisgenericheader.（每一個分組都有不同的頭部，分組的頭部用該結構體表示）structpcap_pkthdr{structtimevalts;bpf_u_int32caplen;bpf_u_int32len;}ts：時間戳cpalen：當前分組的長度len：數(shù)據(jù)包的長度5.結構體sockaddr_in一般編程中使用，它與sockaddr等價的數(shù)據(jù)結構sockaddr_in（在中定義）：structsockaddr_in{};typedefstructin_addr{union{struct{unsignedchars_b1,s_b2,s_b3,s_b4;}S_un_b;struct{unsignedshorts_w1,s_w2;}S_un_w;unsignedlongS_addr;}S_un;}IN_ADDR;sin_family指代協(xié)議族，在socket編程中只能是AF_INETsin_port存儲端口號(使用網(wǎng)絡字節(jié)順序)sin_addr存儲IP地址，使用in_addr這個數(shù)據(jù)結構sin_zero是為了讓sockaddr與sockaddr_in兩個數(shù)據(jù)結構保持大小相同而保留的空字節(jié)。s_addr按照網(wǎng)絡字節(jié)順序存儲IP地址sockaddr_in和sockaddr是并列的結構，指向sockaddr_in的結構體的指針也可以指向sockadd的結構體，并代替它。也就是說，你可以使用sockaddr_in建立你所需要的信息在最后用進行類型轉換就可以了bzero((char*)&mysock,sizeof(mysock));intpcap_findalldevs(pcap_if_t**alldevsp,char*errbuf)pcapopenlive()打開這些設備Constructalistofnetworkdevicesthatcanbeopenedwithpcapopenlive().Note:thattheremaybenetworkdevicesthatcannotbeopenedwithpcapopenlive()bytheprocesscallingpcapfindalldevs(),because,forexample,thatprocessmightnothavesufficientprivilegestoopenthemforcapturing;ifso,thosedeviceswillnotappearonthelist.alldevspissettopointtothefirstelementofthelist;eachelementofthelistisoftypepcapift,-1isreturnedonfailure,inwhichcaseerrbufisfilledinwithanappropriateerrormessage;0isreturnedonsuccessvoidpcap_freealldevs(pcap_if_t*alldevsp)釋放由函數(shù)pcap_findalldevs()獲取的設備列表Freeaninterfacelistreturnedbypcap_findalldevs().pcap_freealldevs()isusedtofreealistallocatedbypcap_findalldevs().Seealso:pcap_findalldevs()pcap_t*pcap_open_live(constchar*device,0'pcapopenlive()isusedtoobtainapacketcapturedescriptortolookatpacketsonthenetwork.deviceisastringthatspecifiesthenetworkdevicetoopen;onLinuxsystemswithorlaterkernels,adeviceargumentof"any"orNULLcanbeusedtocapturepacketsfromallinterfaces.snaplenspecifiesthemaximumnumberofbytestocapture.Ifthisvalueislessthanthesizeofapacketthatiscaptured,onlythefirstsnaplenbytesofthatpacketwillbecapturedandprovidedaspacketdata.Avalueof65535shouldbesufficient,onmostifnotallnetworks,miscspecifiesiftheinterfaceistobeputintopromiscuousmode.(Notethatevenifthisparameterisfalse,theinterfacecouldwellbeinpromiscuousmodeforsomeotherreason.)Fornow,thisdoesn'tworkonthe"any"device;ifanargumentof"any"orNULLissupplied,thepromiscflagisignored.to_msspecifiesthereadtimeoutinmilliseconds.Thereadtimeoutisusedtoarrangethatthereadnotnecessarilyreturnimmediatelywhenapacketisseen,butthatitwaitforsomeamountoftimetoallowmorepacketstoarriveandtoreadmultiplepacketsfromtheOSkernelinoneoperation.Notallplatformssupportareadtimeout;onplatformsthatdon't,thereadtimeoutisignored.Azerovalueforto_ms,onplatformsthatsupportareadtimeout,willcauseareadtowaitforevertoallowenoughpacketstoarrive,withnotimeout.errbufisusedtoreturnerrororwarningtext.Itwillbesettoerrortextwhenpcapopenlive()failsandreturnsNULL.errbufmayalsobesettowarningtextwhenpcapopenlive()succeds;todetectthiscasethecallershouldstoreazero-lengthstringinerrbufbeforecallingpcapopenlive()anddisplaythewarningtotheuseriferrbufisnolongerazero-lengthstring.Seealso:pcapopenoffline(),pcapopendead(),pcapfindalldevs(),pcapclose()intpcap_datalink(pcap_t*p)返回鏈路層的類型，鏈路層的類型包括：DLT_NULLBSD回路封裝；鏈路層協(xié)議頭是一個4字節(jié)的域，以主機字節(jié)順序(hostbyteorder),包含一個從來的PF_value。主機字節(jié)順序(hostbyteorder)是捕獲數(shù)據(jù)包的機器的字節(jié)順序，而PF_value是捕獲數(shù)據(jù)包的機器的OS如果一個讀取一個文件，字節(jié)順序和PF_value不一定是抓取文件的那些機器。DLT_EN10MB以太網(wǎng)(10Mb,100Mb,1000Mb,或者更高)。DLT_IEEE802:令牌環(huán)網(wǎng)。DLT_ARCNETARCNETDLT_SLIP:SLIP。DLT_PPPPPP;如果第一個字節(jié)是0xff或0x03,它是類HDLC幀上的PPP。DLT_FDDI:FDDIDLT_ATM_RFC1483RFC1483LLC/SNAPATM數(shù)據(jù)包以LLC頭開始。DLT_RAW原始IP(rawIP);數(shù)據(jù)包以IP頭開始。DLT_PPP_SERIAL按照RFC1662,基于類HDLC^的PPP或者按照RFC1547的,基于HDLC^的CiscoPPP;前者的第一個字節(jié)是0xFF,后者的第一個字節(jié)是0x0F或0x8FoDLT_PPP_ETHER按照RFC2516,PPPoE數(shù)據(jù)包以PPPoE頭開始。DLT_C_HDLC按照RFC1547的4.3.1，基于HDLC#的CiscoPPP。DLT_IEEE802_11:IEEE無線局域網(wǎng)。DLT_FRELAY幀中繼(FrameRelay)。DLT_LOOPOpenBSD0路封裝。DLT_LINUX_SLLLinux抓包封裝。DLT_LTALK蘋果的LocalTalk,數(shù)據(jù)包以AppleTalkLLAP頭開始。DLT_PFLOGOpenBSDpflog。DLT_PRISM_HEADERB接頭的棱鏡監(jiān)視器模式(Prismmonitormode)信息。DLT_IP_OVER_FCRFC2625IP-over-Fiber頻道，以RFC2625中定義的Network_Header開始。DLT_SUNATMSunAT般備。DLT_IEEE802_11_RADIQ后接頭的鏈路層信息。DLT_ARCNET_LINUX沒有異常幀的ARCNETDLT_LINUX_IRDALinux-IrDA數(shù)據(jù)包，DLT_LINUX_SLL頭后接IrLAP頭intpcap_compile(pcap_t*p,structbpf_program*fp,char*str,intoptimize,bpf_u_int32netmask)(將str(如只捕獲ARP分組)中給出的分組類型，翻譯成內核認識的格式，該格式放到bpf_program*fp中)intpcap_setfilter(pcap_t*p,structbpf_program*fp)功能：設置過濾器一返回值：該函數(shù)返回值為0,表示成功；不成功，返回值＜0pcap_setfilter()把一個過濾器與核心驅動抓包會話關聯(lián)起來。一旦pcap_setfilter()被調用，相關的過濾器將被應用到所有的來自網(wǎng)絡的數(shù)據(jù)包上，并且所有的一致的數(shù)據(jù)包將被復制給應用程序。Associateafiltertoacapture.(使用bpf_program*fp格式，設置過濾器，只需要fp規(guī)定的格式)，該函數(shù)之前需要使用pcap_compile()pcapsefilter()isusedtospecifyafilterprogram.fpisapointertoabpf_programstruct,usuallytheresultofacalltopcapcompile().-1isreturnedonfailure,inwhichcasepcapgeterr()maybeusedtodisplaytheerrortext;0isreturnedonsuccess.Seealso:pcapcompile(),pcapcompilenopcap()intpcap_next_e