  1. #1
    Just Joined!
    Join Date
    Apr 2009
    Posts
    5

    libcap programming


    I am writing a piece of code in C using libcap libraries to separate individual connection packets into a separate file.

    I use the pcap_dispatch(p, num_packets, got_packet, NULL); function, and the handler function is void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet, pcap_t *p), but I am getting a warning: passing argument 3 of ‘pcap_dispatch’ from incompatible pointer type.

    Can somebody help me?

  2. #2
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,533
    Quote Originally Posted by Neminath View Post
    I am writing a piece of code in C using libcap libraries to separate individual connection packets into a separate file.

    I use the pcap_dispatch(p, num_packets, got_packet, NULL); function, and the handler function is void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet, pcap_t *p), but I am getting a warning: passing argument 3 of ‘pcap_dispatch’ from incompatible pointer type.

    Can somebody help me?
    I have libcap and libcap-devel packages installed in my system, but I cannot find the headers. Where are they located, do you know?
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,533
    Quote Originally Posted by Rubberman View Post
    I have libcap and libcap-devel packages installed in my system, but I cannot find the headers. Where are they located, do you know?
    I found a Linux man page for this on the net, and the signature for pcap_dispatch is:

    typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes);
    int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user);

    The error you are getting says that the 3rd argument, the pcap_handler callback function pointer, is incorrect. You need to check the signature of that function. From what I see, you have added an additional argument on your handler, pcap_t *p. That's probably why it is giving this error.

  4. #4
    Just Joined!
    Join Date
    Apr 2009
    Posts
    5
    But got_packet is a function which I have defined.

    I am posting my complete code here.

    Yes, without that argument it works fine,

    but I need that 4th argument in the got_packet function for some additional processing.

    Basically I want to dump that packet to a file.

    #include <pcap.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <ctype.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>


    /* default snap length (maximum bytes per packet to capture) */
    #define SNAP_LEN 65535

    /* ethernet headers are always exactly 14 bytes [1] */
    #define SIZE_ETHERNET 14

    /* Ethernet addresses are 6 bytes */
    #define ETHER_ADDR_LEN 6

    /* Ethernet header */
    struct sniff_ethernet {
    u_char ether_dhost[ETHER_ADDR_LEN]; /* destination host address */
    u_char ether_shost[ETHER_ADDR_LEN]; /* source host address */
    u_short ether_type; /* IP? ARP? RARP? etc */
    };

    /* IP header */
    struct sniff_ip {
    u_char ip_vhl; /* version << 4 | header length >> 2 */
    u_char ip_tos; /* type of service */
    u_short ip_len; /* total length */
    u_short ip_id; /* identification */
    u_short ip_off; /* fragment offset field */
    #define IP_RF 0x8000 /* reserved fragment flag */
    #define IP_DF 0x4000 /* dont fragment flag */
    #define IP_MF 0x2000 /* more fragments flag */
    #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
    u_char ip_ttl; /* time to live */
    u_char ip_p; /* protocol */
    u_short ip_sum; /* checksum */
    struct in_addr ip_src,ip_dst; /* source and dest address */

    };

    struct sniff_icmp
    {
    u_char icmp_type;
    u_char icmp_code;
    u_short icmp_checksum;
    };
    #define IP_HL(ip) (((ip)->ip_vhl) & 0x0f)
    #define IP_V(ip) (((ip)->ip_vhl) >> 4)
    #define IP_Flag(ip) (((ip)->ip_off) & 0xD0)
    #define IP_off(ip) (((ip)->ip_off) & 0x1F)
    /* TCP header */
    typedef u_int tcp_seq;

    struct sniff_tcp {
    u_short th_sport; /* source port */
    u_short th_dport; /* destination port */
    tcp_seq th_seq; /* sequence number */
    tcp_seq th_ack; /* acknowledgement number */
    // tcp_seq th_syn;
    // tcp_seq th_fin;
    //tcp_seq th_urg;
    u_char th_offx2; /* data offset, rsvd */
    #define TH_OFF(th) (((th)->th_offx2 & 0xf0) >> 4)
    u_char th_flags;
    #define TH_FIN 0x01
    #define TH_SYN 0x02
    #define TH_RST 0x04
    #define TH_PUSH 0x08
    #define TH_ACK 0x10
    #define TH_URG 0x20
    #define TH_ECE 0x40
    #define TH_CWR 0x80
    #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
    u_short th_win; /* window */
    u_short th_sum; /* checksum */
    u_short th_urp; /* urgent pointer */
    };
    struct sniff_udp {
    u_short udp_sport; /* source port */
    u_short udp_dport; /* destination port */
    u_short udp_hlen; /* Udp header length*/
    u_short udp_chksum; /* Udp Checksum */
    };

    char ADDRESS_PAIR[100];char PAIR_ADDRESS[100];
    char TCP_ACTIVE_ONE[100][100];
    char TCP_ACTIVE_TWO[100][100];
    char UDP_ACTIVE[100][100];
    char SOURCE_IP[20];
    char DEST_IP[20];
    unsigned short SOURCE_PORT;
    unsigned short DEST_PORT;
    char buf[5];
    char str[32];
    int tcp_active_count=0;
    int connet_count= 0;
    void got_packet( const struct pcap_pkthdr *header, const u_char *packet,pcap_t * p );
    char* convert_tostring( unsigned short val);


    FILE* outfile;

    void got_packet(const struct pcap_pkthdr *header, const u_char *packet,pcap_t * p)
    {
    const struct sniff_ethernet *ethernet; /* The ethernet header [1] */
    const struct sniff_ip *ip; /* The IP header */
    const struct sniff_tcp *tcp; /* The TCP header */
    // const char *payload; /* Packet payload */
    struct sniff_udp *udp; /* The Udp header */
    struct sniff_icmp *icmp; /* The ICMP header*/
    int size_ip;
    int size_tcp;
    int size_payload;
    int size_udp;

    /* define ethernet header */
    ethernet = (struct sniff_ethernet*)(packet);
    //printf("\nethernet header starts at %d",ethernet);
    /* define/compute ip header offset */
    ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
    //printf("\nip header starts at %d",ip);
    // printf("\ni m here %d",IP_HL(ip));
    size_ip = IP_HL(ip)*4;
    /*if (size_ip < 20) {
    printf(" * Invalid IP header length: %u bytes\n", size_ip);

    }*/
    /* print source and destination IP addresses */
    //printf("source address %s \n", inet_ntoa(ip->ip_src));
    //printf("dest address %s \n", inet_ntoa(ip->ip_dst));
    //printf("dest IP starts at %d",ip->ip_src);
    strcpy(SOURCE_IP , inet_ntoa(ip->ip_src));
    strcpy(DEST_IP ,inet_ntoa(ip->ip_dst));
    //printf("\n%d\n",ip->ip_p);
    switch(ip->ip_p)
    {
    case 6: //printf("i m here %d",size_ip);
    tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
    // printf("\n %d\n",(packet ));
    // printf("\n %d\n",(packet + SIZE_ETHERNET + size_ip));
    size_tcp = TH_OFF(tcp)*4;
    if (size_tcp < 20)
    {
    printf(" * Invalid TCP header length: %u bytes\n", size_tcp);
    return;
    }
    SOURCE_PORT = ntohs(tcp->th_sport);
    // printf("source port is %d\n",ntohs(tcp->th_sport));
    DEST_PORT = ntohs(tcp->th_dport);
    // printf("dest port is %d\n",ntohs(tcp->th_dport));
    ADDRESS_PAIR[0] ='\0';PAIR_ADDRESS[0]='\0';
    // printf("the sequence no is %u\n",tcp->th_seq);
    strcpy(ADDRESS_PAIR,SOURCE_IP);
    strcat(ADDRESS_PAIR,DEST_IP);
    strcpy(PAIR_ADDRESS,DEST_IP);
    strcat(PAIR_ADDRESS,SOURCE_IP);
    convert_tostring(SOURCE_PORT);
    strcat(ADDRESS_PAIR,str);
    convert_tostring(DEST_PORT);
    strcat(ADDRESS_PAIR,str);
    strcat(PAIR_ADDRESS,str);
    convert_tostring(SOURCE_PORT);
    strcat(PAIR_ADDRESS,str);
    printf("the address line for this packet is %s\n",ADDRESS_PAIR);
    printf("the address line for this packet is %s\n",PAIR_ADDRESS);
    if(((tcp->th_flags)&TH_SYN) == 2 )
    {
    int i;
    for(i=0;i<tcp_active_count;i++)
    {
    if(strcmp(TCP_ACTIVE_ONE[i],ADDRESS_PAIR)==0 )
    {
    break;
    }

    }
    // pcap_dumper_t * pc = pcap_dump_open(p, "outfile.tcpdump");
    //printf("file opened for writing");

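    /* record the connection only if it is new and the 100-entry tables still have room */
    if(i == tcp_active_count && tcp_active_count < 100)
    {
    strcpy(TCP_ACTIVE_ONE[tcp_active_count],ADDRESS_PAIR);
    strcpy(TCP_ACTIVE_TWO[tcp_active_count++],PAIR_ADDRESS);
    }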
    //printf("\n%s",TCP_ACTIVE_ONE[tcp_active_count-1]);
    //printf("\n%s",TCP_ACTIVE_TWO[tcp_active_count-1]);
    printf("it is a SYN packet");

    }
    connet_count++;
    /* int i;
    for(i=0;i<tcp_active_count;i++)
    {
    if(strcmp(TCP_ACTIVE_ONE[i],ADDRESS_PAIR)==0 )
    {

    }
    }*/

    if(((tcp->th_flags)&TH_FIN) == 1 || ((tcp->th_flags)&TH_RST) == 4 )
    {
    int i=0;
    for(i=0;i<tcp_active_count;i++)
    {
    if(strcmp(TCP_ACTIVE_ONE[i],ADDRESS_PAIR)==0 || strcmp(TCP_ACTIVE_TWO[i],ADDRESS_PAIR)==0 )
    {
    printf("connection ending here");
    printf("total number of packets in this connection %d", connet_count);
    exit(0);
    }
    }
    }

    break;
    /*case IPPROTO_UDP: udp = (struct sniff_udp*)(packet + SIZE_ETHERNET + size_ip);
    SOURCE_PORT = udp->th_sport;
    DEST_PORT = udp->th_dport;
    break; */
    default: break;
    }

    }
    char* convert_tostring( unsigned short val)
    {
    char revertedstr[32];
    int length=0;

    while (val > 0)
    {
    int a = val % 10;
    revertedstr[length++] = a | '0';
    val /= 10;
    }

    length--;
    int rev = 0;
    while (length >= 0)
    {
    str[rev++] = revertedstr[length--];
    }

    str[rev] = '\0';

    return str;
    }

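    int main(int argc, char **argv)
    { long int num_packets=0;
    char filename[] = "/home/neminath/Desktop/1.tcpdump";
    FILE *file ;
    char ebuf[PCAP_ERRBUF_SIZE]; /* pcap writes its error text here, so it must be real storage */
    file= fopen(filename,"r");
    if (file == NULL) { /* capture file missing or unreadable */
    perror(filename);
    return 1;
    }
    pcap_t * p = pcap_fopen_offline(file, ebuf);
    if (p == NULL) { /* not a valid savefile */
    fprintf(stderr, "pcap_fopen_offline: %s\n", ebuf);
    return 1;
    }
    num_packets = pcap_dispatch(p, num_packets, got_packet, NULL);
    pcap_close(p);
    return 0;
    }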

  5. #5
    Just Joined!
    Join Date
    Apr 2009
    Posts
    5
    On my Ubuntu box it's here:

    /usr/include/pcap.h

  6. #6
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,533
    The code is correct, but the last argument, "pcap_t* p", is unused as far as I can tell from reading the code. Remove it. FWIW, your compiler, if warnings are turned up, will complain about the unused argument; however, it first gave the error about the incorrect callback signature.

  7. #7
    Just Joined!
    Join Date
    Apr 2009
    Posts
    5
    Yeah, you are right there.

  8. #8
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,533
    I determined that I didn't have the developer version of the library installed, which is why my system didn't have /usr/include/pcap.h - a situation which I quickly rectified, and verified that the current version on CentOS/RHEL has defined the callback signature as I indicated previously. You simply need to remove that last argument from the function.
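Added example, not part of any post in this thread: per-capture state such as an output file can reach the handler through the user pointer that the three-argument callback already receives, so no fourth parameter is needed. It uses a stand-in struct pkthdr and a hypothetical capture_ctx so that it builds without libpcap, runs on constructed frames, and checks caplen and the IP header length before using them as offsets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct pcap_pkthdr (assumption) so this builds without libpcap. */
struct pkthdr { uint32_t caplen, len; };
/* Hypothetical per-capture state; a pcap_dumper_t * could live here too. */
struct capture_ctx { unsigned tcp_seen, rejected; char last_flow[64]; };

/* Same three-argument shape as pcap_handler: user pointer, header, bytes. */
void got_packet(unsigned char *user, const struct pkthdr *h, const unsigned char *pkt)
{
    struct capture_ctx *ctx = (struct capture_ctx *)user;
    const unsigned char *ip = pkt + 14, *tcp;      /* Ethernet header: 14 bytes */
    size_t ihl;
    if (h->caplen < 14 + 20) { ctx->rejected++; return; }   /* truncated capture */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return;         /* not IPv4 */
    ihl = (size_t)(ip[0] & 0x0f) * 4;   /* comes from the packet: validate before use */
    if ((ip[0] >> 4) != 4 || ihl < 20 || h->caplen < 14 + ihl + 20) { ctx->rejected++; return; }
    if (ip[9] != 6) return;                                 /* not TCP */
    tcp = ip + ihl;
    snprintf(ctx->last_flow, sizeof ctx->last_flow, "%d.%d.%d.%d:%d>%d.%d.%d.%d:%d",
             ip[12], ip[13], ip[14], ip[15], (tcp[0] << 8) | tcp[1],
             ip[16], ip[17], ip[18], ip[19], (tcp[2] << 8) | tcp[3]);
    ctx->tcp_seen++;
}

/* Feeds three constructed frames through the handler, as a dispatch loop would. */
struct capture_ctx run_sample(void)
{
    struct capture_ctx ctx = {0};
    unsigned char f[54] = {0};                 /* 14 Ethernet + 20 IPv4 + 20 TCP */
    struct pkthdr h = { sizeof f, sizeof f };
    f[12] = 0x08; f[14] = 0x45; f[23] = 6;     /* IPv4, IHL 5, protocol TCP */
    memcpy(f + 26, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);   /* 10.0.0.1 -> 10.0.0.2 */
    f[34] = 0xC0; f[37] = 0x50;                /* ports 49152 -> 80 */
    got_packet((unsigned char *)&ctx, &h, f);  /* well formed */
    f[14] = 0x4F;                              /* IHL 15 claims 60 bytes of IP header */
    got_packet((unsigned char *)&ctx, &h, f);  /* rejected: TCP header would lie past caplen */
    f[14] = 0x45; h.caplen = 20;
    got_packet((unsigned char *)&ctx, &h, f);  /* rejected: capture cut short */
    return ctx;
}

int main(void)
{
    struct capture_ctx c = run_sample();
    printf("%u tcp, %u rejected, last flow %s\n", c.tcp_seen, c.rejected, c.last_flow);
    return 0;
}
```

With libpcap the handler takes u_char and struct pcap_pkthdr from pcap.h, and the context goes in as the last argument: pcap_dispatch(p, cnt, got_packet, (u_char *)&ctx).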
