This article teaches you how to use C code to parse a network data packet?

[[416402]]

The purpose of this article is to randomly intercept a network data packet and then parse this memory according to the protocol type.

Basic knowledge you need to master to study this article:

1. Network Protocol
2. C
3. Linux Operation
4. Use of packet capture tools

The installation and use of the packet capture tool are as follows:

"Learn how to capture network data in one article"

The video tutorial link is as follows:

"Teach you how to capture data packets on the network! Essential skills for hackers"

1. Intercept a network data packet

Use the packet capture tool to randomly capture a TCP data packet

The data packet information parsed by the Collet packet capture tool is as follows:

Memory information of the data packet:

The data information can be copied directly:

2. Structures used

Next, I will teach you step by step how to parse the information of these data packets.

We can find the definition of the protocol header from the Linux kernel

Ether Header:

 drivers\staging\rtl8188eu\include\if_ether.h

 struct ethhdr {
 unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
 unsigned char h_source[ETH_ALEN]; /* source ether addr */
 unsigned short h_proto; /* packet type ID field */
 };

IP header

 include_uapi_linux_ip.h

 struct iphdr {
 #if defined(__LITTLE_ENDIAN_BITFIELD) //little endian mode
 __u8 ihl:4,
 version:4;
 #elif defined(__BIG_ENDIAN_BITFIELD) //Big endian mode
 __u8 version:4,
 ihl:4;
 #endif
 __u8 tos;
 __u16 tot_len;
 __u16 id;
 __u16 frag_off;
 __u8 ttl;
 __u8 protocol;
 __u16 check ;
 __u32 saddr;
 __u32 daddr;
 /*The options start here. */
 };

TCP header

 include_uapi_linux_tcp.h

 struct tcphdr {
 __be16 source;
 __be16 dest;
 __be32 seq;
 __be32 ack_seq;
 #if defined(__LITTLE_ENDIAN_BITFIELD)
 __u16 res1:4,
 doff:4,
 fin:1,
 syn:1,
 rst:1,
 psh:1,
 ack:1,
 urg:1,
 ece:1,
 cwr:1;
 #elif defined(__BIG_ENDIAN_BITFIELD)
 __u16 doff:4,
 res1:4,
 cwr:1,
 ece:1,
 urg:1,
 ack:1,
 psh:1,
 rst:1,
 syn:1,
 fin:1;
 # else  
 #error "Adjust your <asm/byteorder.h> defines"  
 #endif
 __be16 window;
 __sum16 check ;
 __be16 urg_ptr;
 };

Because the protocol header length is defined according to the standard protocol,

So the Ethernet length is 14, the IP header length is 20, and the TCP header length is 20.

The memory space corresponding to each protocol header is as follows:

3. Parsing the Ethernet Header

 #define MAC_ARG(p) p[0],p[1],p[2],p[3],p[4],p[5]

 struct ethhdr *ethh;
 unsigned char *p = pkt; 
  
 ethh = (struct ethhdr *)p; 
 
 printf( "h_dest:%02x:%02x:%02x:%02x:%02x:%02x \n" , MAC_ARG(ethh->h_dest));
 printf( "h_source:%02x:%02x:%02x:%02x:%02x:%02x \n" , MAC_ARG(ethh->h_source));
 printf( "h_proto:%04x\n" ,ntohs(ethh->h_proto));

• Note that the data in the data packet is in network byte order. If you want to extract data, you must pay attention to the byte order. ethh->h_proto is a short type, which occupies 2 bytes, so you need to use the function ntohs to store it locally.
• n：network network byte order
• h: host host byte order
• s: short 2 bytes l:
• long 4 bytes
• ntohl(): Convert 4-byte network byte order data to host byte order
• htons() : Convert 2-byte host byte order data to network byte order
• ntohs() : Convert 2-byte network byte order data to host byte order
• htonl() : Convert 4-byte host byte order data to network byte order

When executing the following statement,

 ethh = (struct ethhdr *)p;

The member correspondence of the structure pointer variable eth is as follows:

The final print result is as follows:

4. Parsing IP header

The idea of ​​parsing the IP header is very simple.

That is, you can find the IP header by offsetting the Ethernet header length (14 bytes) from the pkt header.

The parsing code is as follows:

 #define IP_ARG(p) p[0],p[1],p[2],p[3]

 /*
 Parsing IP header
 */
 if(ntohs(ethh->h_proto) == 0x0800)
 { 
 
 iph = (struct iphdr *)(p + sizeof(struct ethhdr)); 
 
 q = (unsigned char *)&(iph->saddr);
 printf( "src ip:%d.%d.%d.%d\n" ,IP_ARG(q)); 
 
 q = (unsigned char *)&(iph->daddr);
 printf( "dest ip:%d.%d.%d.%d\n" ,IP_ARG(q));
 }

IiP

The final analysis results are as follows:

It can be seen that we have correctly parsed the IP address, and the result is consistent with the data analyzed by the packet capture tool.

The protocol field indicates the protocol type following the IP protocol. Common values ​​are as follows:

5. Parsing TCP header

The idea of ​​finding the TCP header is very simple.

That is, you can find the TCP header by offsetting the Ethernet header length (14 bytes) and the IP header length (20 bytes) from the pkt header.

 switch(iph->protocol)
 {
 case 0x1:
 //icmp
 break;
 case 0x6:
 //tcp
   tcph = (struct tcphdr *)(p + sizeof(struct ethhdr) + sizeof(struct iphdr));
   printf( "source:%d dest:%d \n" ,ntohs(tcph->source),ntohs(tcph->dest); 
 
 break;
 case 0x11:
 //udp 
    
 break;
 }

Correspondence between structure and memory

The print results are as follows:

6. Learn to print this memory in different formats

In actual projects, we may not parse standard TCP/IP protocol packets.

It may be our own defined protocol data packet,

Once you have mastered the above methods,

All protocol analysis is at your fingertips!

Sometimes we also need to print the content of the data frame sent by the other party.

Often we print out all the data in hexadecimal format.

This is most conducive to our analysis of data content.

1. Print by bytes

The code is as follows:

 for (i=0;i<400;i++)
 {
 printf( "%02x " ,pkt[i]);
 if(i%20 == 19)
 {
 printf( "\n" );
 }
 }

2. Analyze a section of memory by short type

When we receive data, although we use an unsigned char array,

But sometimes the data sent by the other party may be an array of 2 bytes.

Then we just need to use a short pointer to point to the head of the memory.

Then you can access the data sent by the other party through this pointer.

At this time, you must pay attention to the byte order problem.

Different scenarios may be different, so we must analyze specific issues specifically.

In this example, network byte order data is converted into host byte order.

So the byte order needs to be converted.

 //Convert short byte order
 void indian_reverse(unsigned short arr[], int num)
 {
 int i;
 unsigned short temp ; 
 
 for (i=0;i<num;i++)
 {
 temp = 0; 
 
 temp = (arr[i]&0xff00)>>8;
 temp |= (arr[i]&0xff)<<8;
 arr[i] = temp ;
 }
 }
 main()
 {
 unsigned short spkt[200]; 
  
 ………………
 memcpy(spkt,pkt,sizeof(pkt)); 
 
 indian_reverse(spkt,ARRAY_SIZE(spkt)); 
  
 for (i=0;i<200;i++)
 {
 printf( "%04x " , spkt[i]);
 if(i%10 == 9)
 {
 printf( "\n" );
 }
 }
 ………………
 }

The results are as follows:

Please contact Yikou Linux public account for reprinting this article.