Why is my program reporting more captured packets than Wireshark?

I am writing a packet sniffer using pcap and Visual Studio. I have taken the sample code for offline capturing and combined it with code that looks for an interface and captures packets live. This is what I have to display the information of the packets obtained from that code:
while (int returnValue = pcap_next_ex(pcap, &header, &data) >= 0)
{
    // Print using printf. See printf reference:
    // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

    // Show the packet number
    printf("Packet # %i\n", ++packetCount);

    // Show the size in bytes of the packet (len is a bpf_u_int32, so %u)
    printf("Packet size: %u bytes\n", header->len);

    // Show a warning if the captured length differs from the on-wire length
    if (header->len != header->caplen)
        printf("Warning! Capture size (%u bytes) different than packet size (%u bytes)\n",
               header->caplen, header->len);

    // Show Epoch Time
    printf("Epoch Time: %ld:%ld seconds\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec);

    // Loop through the packet and print it as hexadecimal representations of octets
    // We also have a function that does this similarly below: PrintData()
    for (u_int i = 0; i < header->caplen; i++)
    {
        // Start printing on the next line after every 16 octets
        if ((i % 16) == 0) printf("\n");

        // Print each octet as hex (x), make sure there are always two characters (.2)
        printf("%.2x ", data[i]);
    }

    // Add two lines between packets
    printf("\n\n");
}

The problem I'm running into is that if I run Wireshark capturing live as well as my program, both capture packets live, but Wireshark will show that it is capturing packet 20 while VS will show packetCount = 200. (Note: arbitrary numbers chosen to show that Wireshark is not capturing many packets, but VS counts up very fast.)

From what I can tell, it seems the while loop is just running much faster than packets come in, so it just prints the information of the last packet it received over and over until a new one comes in. How can I get VS to only capture packets as they come in?

I don't know that Visual Studio includes a packet sniffer; do you mean "how can I get my application, which I'm building with Visual Studio, to only capture packets as they come in?"

If that's what you mean, then that is what your code is doing.

Unfortunately, what it's not doing is "checking whether a packet has actually come in".

Quoting the man page for pcap_next_ex() (yes, UN*X, but this also applies to Windows and WinPcap):

   pcap_next_ex() returns 1 if the packet was read without  problems,
   0  if  packets are being read from a live capture, and the timeout
   expired, -1 if an error occurred while reading the packet, and  -2
   if  packets  are  being read from a ``savefile'', and there are no
   more packets to read  from  the  savefile.   If  -1  is  returned,
   pcap_geterr() or pcap_perror() may be called with p as an argument
   to fetch or display the error text.

Emphasis on "0 if packets are being read from a live capture, and the timeout expired"; 0 means you did not get a packet.

If pcap_next_ex() returns 0, do not act as if a packet was captured; do so only if it returns 1:

int returnValue;

// Parenthesise the assignment so returnValue holds the real pcap_next_ex()
// code (1, 0, -1 or -2) rather than the result of the ">= 0" comparison.
while ((returnValue = pcap_next_ex(pcap, &header, &data)) >= 0)
{
    if (returnValue == 1) {
        // Print using printf. See printf reference:
        // http://www.cplusplus.com/reference/clibrary/cstdio/printf/

        // Show the packet number
        printf("Packet # %i\n", ++packetCount);

             ...

        // Add two lines between packets
        printf("\n\n");
    }
    // returnValue == 0: read timeout expired with no packet; keep looping
}

Solution: apparently adding parentheses around the argument fixes the problem.

int returnValue;
while ((returnValue = pcap_next_ex(pcap, &header, &data)) >= 0)
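As an added example that is not part of the question, the answer or the asker's final comment: a stand-alone C program that replaces pcap_next_ex() with a constructed, scripted stand-in (the names fake_capture, fake_next_ex and SCRIPT are mine; no libpcap is needed) and runs both the question's loop condition and the parenthesised one over the same sequence of return codes. It shows why the `returnValue == 1` check cannot work on its own when `int rv = f() >= 0` binds as `rv = (f() >= 0)`, and how the corrected loop distinguishes a timeout (0) from a packet (1) and from the terminating -1 / -2 codes.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for pcap_next_ex(): hands out a scripted sequence of
 * return codes so the loop logic can be exercised without a live interface.
 * Codes follow the real API: 1 = packet, 0 = live-capture timeout,
 * -1 = error, -2 = end of savefile. */
struct fake_capture {
    const int *codes;   /* scripted return values */
    size_t count;
    size_t pos;
};

static int fake_next_ex(struct fake_capture *cap)
{
    if (cap->pos >= cap->count)
        return -2;                      /* nothing left: behave like end of savefile */
    return cap->codes[cap->pos++];
}

/* Loop condition as written in the question. "rv = f() >= 0" parses as
 * "rv = (f() >= 0)", so rv is 1 for every non-negative code and the body
 * runs on timeouts (code 0) exactly as if a packet had arrived. */
static int count_packets_buggy(struct fake_capture *cap)
{
    int packetCount = 0;
    int returnValue;
    while ((returnValue = fake_next_ex(cap) >= 0))   /* precedence bug kept on purpose */
    {
        if (returnValue == 1)       /* always true here, so the check cannot help */
            ++packetCount;
    }
    return packetCount;
}

/* Corrected loop: the assignment is parenthesised so returnValue holds the
 * real code; only 1 counts as a packet, 0 is a timeout, and the loop ends
 * on -1 (error) or -2 (end of input). The terminating code is reported so
 * the caller can tell an error apart from a clean end of file. */
static int count_packets_fixed(struct fake_capture *cap, int *last_code)
{
    int packetCount = 0;
    int returnValue;
    while ((returnValue = fake_next_ex(cap)) >= 0)
    {
        if (returnValue == 1)
            ++packetCount;
        /* returnValue == 0: read timeout, no packet; keep polling */
    }
    *last_code = returnValue;       /* -1 would be where pcap_geterr() belongs */
    return packetCount;
}

/* Constructed capture script: two real packets interleaved with three
 * timeouts, then end of input. */
static const int SCRIPT[] = { 1, 0, 0, 1, 0, -2 };

/* Constructed script that ends in a read error instead of end of file. */
static const int SCRIPT_ERR[] = { 1, 0, -1 };

static int run_buggy(void)
{
    struct fake_capture cap = { SCRIPT, sizeof SCRIPT / sizeof SCRIPT[0], 0 };
    return count_packets_buggy(&cap);
}

static int run_fixed(int *last_code)
{
    struct fake_capture cap = { SCRIPT, sizeof SCRIPT / sizeof SCRIPT[0], 0 };
    return count_packets_fixed(&cap, last_code);
}

static int run_fixed_with_error(int *last_code)
{
    struct fake_capture cap = { SCRIPT_ERR, sizeof SCRIPT_ERR / sizeof SCRIPT_ERR[0], 0 };
    return count_packets_fixed(&cap, last_code);
}

int main(void)
{
    int code;
    printf("buggy loop counted %d packets (2 were delivered)\n", run_buggy());
    printf("fixed loop counted %d packets, stopped with code %d\n", run_fixed(&code), code);
    printf("fixed loop on error script counted %d packets, stopped with code %d\n",
           run_fixed_with_error(&code), code);
    return 0;
}
```

The buggy loop over-counts by exactly the number of timeouts in the script, which is the same effect the asker saw against Wireshark: with a short read timeout the loop body runs many times per real packet. The fixed loop also leaves the terminating code available after the loop, which is the point at which the man page says pcap_geterr() or pcap_perror() should be consulted for -1.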