抓包技术是怎么样运行的,他有什么样作用?

2024年11月15日 12:22
有3个网友回答
网友(1):

PcapOpen()有下面几个方法

PcapOpen()
PcapOpen(bool promiscuous_mode)
PcapOpen(bool promiscuous_mode, int read_timeout)
promiscuous_mode:在普通的抓取模式下,我们只抓取那些目的地为目标网络的包,而处于promiscuous_mode时,则抓取所有的包,包括转发的包.通常我们都是开启这种模式的
//Extract a device from the list

PcapDevice device = devices[i];

//Register our handler function to the

//''packet arrival'' event

device.PcapOnPacketArrival +=

new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);

//Open the device for capturing

//true -- means promiscuous mode

//1000 -- means a read wait of 1000ms

device.PcapOpen(true, 1000);

Console.WriteLine(

"-- Listenning on {0}, hit ''Enter'' to stop...",

device.PcapDescription);

//Start the capturing process

device.PcapStartCapture();

//Wait for ''Enter'' from the user.

Console.ReadLine();

//Stop the capturing process

device.PcapStopCapture();

//Close the pcap device

device.PcapClose();

PcapStartCapture()对应PcapStopCapture()

使用PcapCapture(int packetCount)时我们可以使用SharpPcap.INFINITE,来达到持续抓包的功能

Note:通常CRC的数据是不在数据包的中的,因为通常错误的CRC包会被自动丢弃.

上面的需要注册一个event handle,这在很多时候是不可行的,所以我们推荐使用下面这个方法PcapGetNextPacket()

//Extract a device from the list

PcapDevice device = devices[i];

//Open the device for capturing

//true -- means promiscuous mode

//1000 -- means a read wait of 1000ms

device.PcapOpen(true, 1000);

Console.WriteLine();

Console.WriteLine("-- Listenning on {0}...",

device.PcapDescription);

Packet packet = null;

//Keep capture packets using PcapGetNextPacket()

while( (packet=device.PcapGetNextPacket()) != null )

...{

// Prints the time and length of each received packet

DateTime time = packet.PcapHeader.Date;

int len = packet.PcapHeader.PacketLength;

Console.WriteLine("{0}:{1}:{2},{3} Len={4}",

time.Hour, time.Minute, time.Second,

time.Millisecond, len);

}

//Close the pcap device

device.PcapClose();

Console.WriteLine("-- Capture stopped, device closed.");

PcapSetFilter() 设置过滤条件

string filter = "ip and tcp";
device.PcapSetFilter( filter );

下面这个例子通过抓取TCP包,输出他们的时间,长度,源IP,源端口,目的IP,目的端口

/**////



/// Prints the time, length, src ip,

/// src port, dst ip and dst port

/// for each TCP/IP packet received on the network

///


private static void device_PcapOnPacketArrival(

object sender, Packet packet)

...{

if(packet is TCPPacket)

...{

DateTime time = packet.Timeval.Date;

int len = packet.PcapHeader.len;

TCPPacket tcp = (TCPPacket)packet;

string srcIp = tcp.SourceAddress;

string dstIp = tcp.DestinationAddress;

int srcPort = tcp.SourcePort;

int dstPort = tcp.DestinationPort;

Console.WriteLine("{0}:{1}:{2},

...{3} Len=...{4} ...{5}:...{6} -> ...{7}:...{8}",

time.Hour, time.Minute, time.Second,

time.Millisecond, len, srcIp, srcPort,

dstIp, dstPort);

}

}

网友(2):

大多数的抓包程序基于开源的WinPcap的程序抓包,但基于WinPcap的程序在抓包性能上较低,在千兆网速下,最多只能达到500Mbps左右,因此很多专业的抓包设备都会用硬件来实现,比如高速采集卡

应用层
DHCP �6�1 DNS �6�1 FTP �6�1 Gopher �6�1 HTTP �6�1 IMAP4 �6�1 IRC �6�1 NNTP �6�1

XMPP �6�1 POP3 �6�1 SIP �6�1 SMTP �6�1 SNMP �6�1 SSH �6�1 TELNET �6�1 RPC �6�1 RTP

�6�1 RTCP �6�1 RTSP �6�1 TLS/SSL �6�1 SDP �6�1 SOAP �6�1 BGP �6�1 PPTP �6�1 L2TP �6�1

GTP �6�1 STUN �6�1 NTP
exe程序,

比如ie

表示层
MIME, XDR, SSL, TLS (Not a separate layer)
ws2_32.dll

会话层
Sockets. Session establishment in TCP. SIP. (Not a separate

layer with standardized API.)
SPI

传输层
TCP �6�1 UDP �6�1 DCCP �6�1 SCTP �6�1 RSVP
TDI(不能

截获ICMP

等协议的

数据)

网络层
IP (IPv4 �6�1 IPv6) �6�1 IGMP �6�1 ICMP �6�1 OSPF �6�1 ISIS �6�1 IPsec �6�1 ARP �6�1

RARP �6�1 RIP
NDIS(可以

截获所有

的网络数

据)

链路层
802.11 �6�1 WiFi �6�1 WiMAX �6�1 ATM �6�1 DTM �6�1 Token Ring �6�1 Ethernet �6�1

FDDI �6�1 Frame Relay �6�1 GPRS �6�1 EVDO �6�1 HSPA �6�1 HDLC �6�1 PPP
设备驱动

物理层
Ethernet physical layer �6�1 ISDN �6�1 Modems �6�1 PLC �6�1 SONET/SDH �6�1

G.709 �6�1 OFDM �6�1Optical Fiber �6�1 Coaxial Cable �6�1 Twisted Pair
网卡

网友(3):

网络抓包的方法有:

原始套接字RAW_SOCK

WinPcap: The Windows Packet Capture Library

Winsock Service Provider Interface (SPI)

Api Hook

DDK - Windows Driver Development Kit:Filter-Hook Drivers、Firewall-Hook Drivers , NDIS,TDI
现有的各类抓包软件,例如:IRIS,SNIFFER等都是通过把网卡设定为混杂模式来实现将流过的所有数据包都一一捕获。

如果网络是由HUB组成的,则我们可以看到网络中发到任何主机的数据。

但是如果是由交换机组成的就不同了,由于交换机是基于MAC地址来实现帧的转发,源与目的主机间的数据包是单点投送不会被其他接口接收到,因此必须使用ARP欺骗或者端口镜像才能在这种网络中看到想要侦听的数据