Wireshark - tshark支持iptables提供数据包

cf_status_t

cf_init_iptables(capture_file *cf,unsigned int type, gboolean is_tempfile, int *err)

{

  wtap  *wth;

  gchar *err_info;

  wth = iptables_get_wtap_init();

  /* The open succeeded.  Fill in the information for this file. */

  /* Create new epan session for dissection. */

  epan_free(cf->epan);

  cf->epan = tshark_epan_new(cf);

  cf->provider.wth = wth;

  cf->f_datalen = 0; /* not used, but set it anyway */

  /* Set the file name because we need it to set the follow stream filter.

     XXX - is that still true?  We need it for other reasons, though,

     in any case. */

  /* Indicate whether it's a permanent or temporary file. */

  cf->is_tempfile = is_tempfile;

  /* No user changes yet. */

  cf->unsaved_changes = FALSE;

  cf->cd_t      = WTAP_FILE_TYPE_SUBTYPE_PCAP;

  cf->open_type = type;

  cf->count     = 0;

  cf->drops_known = FALSE;

  cf->drops     = 0;

  cf->snap      = 262144;

  nstime_set_zero(&cf->elapsed_time);

  cf->provider.ref = NULL;

  cf->provider.prev_dis = NULL;

  cf->provider.prev_cap = NULL;

  cf->state = FILE_READ_IN_PROGRESS;

  wtap_set_cb_new_ipv4(cf->provider.wth, add_ipv4_name);

  wtap_set_cb_new_ipv6(cf->provider.wth, (wtap_new_ipv6_callback_t) add_ipv6_name);

  // 输出格式初始化

  write_preamble(cf);

  return CF_OK;

}

void running_get_pkt_from_nfqueue0(void)

{

struct nfq_handle *h;

struct nfq_q_handle *qh;

struct nfnl_handle *nh;

int fd;

int rv;

char buf[4096] __attribute__ ((aligned));

printf("opening library handle\n");

h = nfq_open();//创建 netfilter_queue

if (!h) {//创建失败

fprintf(stderr, "error during nfq_open()\n");

exit(1);

}

printf("unbinding existing nf_queue handler for AF_INET (if any)\n");//解绑已经存在的队列

if (nfq_unbind_pf(h, AF_INET) < 0) {

fprintf(stderr, "error during nfq_unbind_pf()\n");

exit(1);

}

printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");//绑定上我们创建的队列

if (nfq_bind_pf(h, AF_INET) < 0) {

fprintf(stderr, "error during nfq_bind_pf()\n");

exit(1);

}

printf("binding this socket to queue '0'\n");//cb是回调函数

qh = nfq_create_queue(h,  0, &cb, NULL);

if (!qh) {

fprintf(stderr, "error during nfq_create_queue()\n");

exit(1);

}

printf("setting copy_packet mode\n");

if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {//设置的包处理模式

fprintf(stderr, "can't set packet_copy mode\n");

exit(1);

}

fd = nfq_fd(h);

for (;;) {

if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

//printf("pkt received\n");

nfq_handle_packet(h, buf, rv);

continue;

}

/* if your application is too slow to digest the packets that

 * are sent from kernel-space, the socket buffer that we use

 * to enqueue packets may fill up returning ENOBUFS. Depending

 * on your application, this error may be ignored. Please, see

 * the doxygen documentation of this library on how to improve

 * this situation.

 */

if (rv < 0 && errno == ENOBUFS) {

printf("losing packets!\n");

continue;

}

perror("recv failed");

break;

}

printf("unbinding from queue 0\n");

nfq_destroy_queue(qh);//摧毁队列，退出

#ifdef INSANE

/* normally, applications SHOULD NOT issue this command, since

 * it detaches other programs/sockets from AF_INET, too ! */

printf("unbinding from AF_INET\n");

nfq_unbind_pf(h, AF_INET);

#endif

printf("closing library handle\n");

nfq_close(h);

exit(0);

}

int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,

          struct nfq_data *nfa, void *data) {

//printf("entering callback\n");

struct nfqnl_msg_packet_hdr *ph;

int id = 0;

ph = nfq_get_msg_packet_hdr(nfa);

if (ph) {

    id = ntohl(ph->packet_id);

}

struct iphdr *ip_header;

unsigned char *data_buf;

int data_len = nfq_get_payload(nfa, &data_buf);

if (data_len > 0) {

    ip_header = (struct iphdr *)data_buf;

    //printf("Source IP: %s\n", inet_ntoa(*(struct in_addr *)&ip_header->saddr));

    //printf("Destination IP: %s\n", inet_ntoa(*(struct in_addr *)&ip_header->daddr));

// 构造新的缓冲区

    int new_buf_len = 14 + data_len;

    unsigned char *new_buf = (unsigned char *)malloc(new_buf_len);

    if (new_buf == NULL) {

        perror("malloc");

        return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);

    }

    // 将MAC头复制到新的缓冲区

    memcpy(new_buf, temp_mac_header, 14);

    // 将data_buf复制到新的缓冲区中紧随MAC头的位置

    memcpy(new_buf + 14, data_buf, data_len);

process_iptables_queue_packet_signle(new_buf_len,new_buf);

   free(new_buf);

}

    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);

}

void process_iptables_queue_packet_signle(int datalen, unsigned char *data)

{

capture_file *cf = &cfile;

int create_proto_tree = 1; // 是否生成解析树

int print_detile = 1;      // 是否打印详细信息

epan_dissect_t *edt = epan_dissect_new(cf->epan, create_proto_tree, print_detile);

iptables_set_wth_rec_values(cf->provider.wth,datalen);

process_packet_single_pass(cf,edt,0,wtap_get_rec(cf->provider.wth),data,0);

if (edt) {

      epan_dissect_free(edt);

      edt = NULL;

    }

}