前面的几篇文章我已经对Netfilter的大概的机制作了比较详细的介绍,这篇文章我就说一下如何分析网络数据包。我刚刚写了一个程序,程序的功能很简单,就是提取出网络数据包的源地址和改包所使用的网络协议,大家可以看看源代码:
#define __KERNEL__
#define MODULE
#include #include #include #include #include #include #include #include #include #include
static struct nf_hook_ops nfho;
unsigned int hook_func(unsigned int hooknum,
struct sk_buff **skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct sk_buff *sb = *skb;
unsigned char src_ip[4];
*(unsigned int *)src_ip = sb->nh.iph->saddr;
printk("A packet from:%d.%d.%d.%d Detected!",
src_ip[0],src_ip[1],src_ip[2],src_ip[3]);
switch(sb->nh.iph->protocol)
{
case IPPROTO_TCP:
printk("It's a TCP PACKET\n");break;
case IPPROTO_ICMP:
printk("It's a ICMP PACKET\n");break;
case IPPROTO_UDP:
printk("It's a UDP PACKET\n");break;
}
return NF_ACCEPT;
}
int init_module()
{
nfho.hook = hook_func;
nfho.hooknum = NF_IP_PRE_ROUTING;
nfho.pf = PF_INET;
nfho.priority = NF_IP_PRI_FIRST;
nf_register_hook(&nfho);
return 0;
}
void cleanup_module()
{
nf_unregister_hook(&nfho);
}
这实际上是对前面几篇文章的几个小程序的组合,实际上就是对sk_buff 结构体的的两个元素进行了检测,就得到了源地址和协议的信息。上面的这条语句对于那些C不是很熟悉的人可能吃力了一点:
*(unsigned int *)src_ip = sb->nh.iph->saddr;
我稍微的解释一下,网络的源地址是4个子节的int,因此我定义了一个4个子节的数组src_ip,从而每一个子节里面就存储的点分十进制的一个数,为了一次完成赋值,我把src_ip 转成unsigned int指针,就可以一次4个字节一起访问了。
下面是这个程序的测试结果:
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.8 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.246 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.8 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.246 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.246 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.254 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.230 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:192.168.1.1 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a ICMP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.214 Detected!It's a UDP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a ICMP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a ICMP PACKET
A packet from:210.43.106.96 Detected!It's a UDP PACKET
A packet from:210.43.106.210 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.106.112 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
A packet from:210.43.107.136 Detected!It's a UDP PACKET
A packet from:210.43.107.130 Detected!It's a TCP PACKET
如果需要对包的端口进行分析的话,就要对IP报文的数据段(sb->data)进行分析了(TCP和UDP等包都是作为IP的数据而存在的),大家可以参考一下相应的资料。
集成算法—随机森林模型)
)
)
