1:
Filter expression for the network capture tool: arp.src.proto_ipv4 == 192.168.0.34 || arp.dst.proto_ipv4 == 192.168.0.34 || ip.dst == 192.168.0.34 || ip.src == 192.168.0.34
2: Packet
1: Read RXVALID (CPINFOH.7) and RXOK (CPINFOL.7) in the CP2200 to detect whether a data frame has been received; if so, from
Ethernet layer: offset (inbuf + 0)
typedef struct
{
    UCHAR dest_hwaddr[6];
    UCHAR source_hwaddr[6];
    UINT frame_type;          // e.g. ARP_PACKET; UINT is 16-bit and Keil C51 stores it big-endian, so the struct overlays the frame as received
} ETH_HEADER;
The arguments: the buffer holding the data to send, hwaddr = destination MAC address, ARP_PACKET = the protocol carried in the frame, and the length of the data to send:
eth_send(outbuf, hwaddr, ARP_PACKET, 28);
------------------------------------------------------------------------------------------
ARP protocol, offset (inbuf + 14):
// hwaddr: destination MAC, ipaddr: destination IP, msg_type: the ARP message type
void arp_send(UCHAR * hwaddr, ULONG ipaddr, UCHAR msg_type);
typedef struct
{
    UINT hardware_type;
    UINT protocol_type;       // type of the layer carried by ARP; both when sending and when receiving this is IP, i.e. 0x0800
    UCHAR hwaddr_len;
    UCHAR ipaddr_len;
    UINT message_type;        // ARP message type: ARP_RESPONSE, ARP_REQUEST, RARP_REQUEST, RARP_RESPONSE
    UCHAR source_hwaddr[6];
    ULONG source_ipaddr;
    UCHAR dest_hwaddr[6];
    ULONG dest_ipaddr;
} ARP_HEADER;
ARP receive processing: use the structure above to update arp_cache. If source_ipaddr already exists in the cache, update its source_hwaddr;
if source_ipaddr is not in arp_cache, add it directly;
if arp_cache is already full, overwrite the oldest record. Note: the timer member of each arp_cache entry is decremented by 1 every minute.
If arp->message_type == ARP_REQUEST, the host should send an ARP packet back to source_ipaddr.
If arp->message_type == ARP_RESPONSE and the host is waiting for the ARP reply for this IP, take the IP packet that was held back earlier because the target IP's
MAC was unknown and send it.
While sending an IP packet, if the destination IP is not on the same subnet as the host, the packet is sent to the gateway instead;
then arp_cache is checked for the target IP, and if it is missing an ARP request is sent with the broadcast address as its destination.
When my PC pings the development board, the PC sends an ARP request to every host on the subnet; when the board receives that ARP packet it replies with an ARP packet whose destination IP is my PC's IP.
Note: an ARP packet that is sent is received by every host. When the PC pings an IP that it cannot reach, it sends the ARP packet to the gateway.
Network layer, IP protocol, inbuf + 14:
typedef struct
{
    UCHAR ver_len;            // normally 0x45: 4 = IP version 4, 5 = header length in 32-bit words, i.e. the 20-byte IP_HEADER; only 20-byte headers are supported here
    UCHAR type_of_service;    // not used
    UINT total_length;        // length of the packet excluding the Ethernet layer; for ICMP this is 20 bytes of IP header plus 40 bytes of ICMP
    UINT identifier;
    UINT fragment_info;       // fragmentation flags/offset; the board does not support fragments, so a fragmented packet is not processed: ((ip->fragment_info & 0x3FFF) != 0)
    UCHAR time_to_live;
    UCHAR protocol_id;        // protocol of the next layer: ICMP_TYPE 1, IGMP_TYPE 2, TCP_TYPE 6, UDP_TYPE 17
    UINT header_cksum;        // IP header checksum
    ULONG source_ipaddr;
    ULONG dest_ipaddr;
} IP_HEADER;
// outbuf: the IP packet to send; ipaddr: destination IP; proto_id: the next-layer protocol carried in this IP packet; len: length of the data to send
void ip_send(UCHAR xdata * outbuf, ULONG ipaddr, UCHAR proto_id, UINT len);
------------------------------------------------------------------------------------------
ICMP, inbuf + 34:
typedef struct
{
    UCHAR msg_type;           // ICMP message type; 8 means a ping (echo request), other types are not handled.
                              // The board sends the same ICMP message back to the sender; when sending, this field is 0
    UCHAR msg_code;           // always 0
    UINT checksum;            // checksum over the whole structure; after computing it, take the one's complement
    UINT identifier;          // message identifier; when sending it must match the received ICMP message
    UINT sequence;            // same as above
    UCHAR echo_data;          // only 1 byte here, but there are actually 32 bytes of data; this member is only used to obtain the offset of the real data
} PING_HEADER;
When an ICMP packet is received, assemble a PING_HEADER as described above, but the actual length of the PING_HEADER may exceed sizeof(PING_HEADER).
Put the assembled data in outbuf[1500], then send an IP packet whose data is outbuf, with ip->protocol_id set to ICMP_TYPE and the destination
IP set to the source_ip of the received packet. If that IP is not in arp_cache while sending, the data to send is saved in the buffer and an ARP packet is sent first.
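The IP-layer acceptance checks (ver_len, fragment_info, header_cksum) and the echo-reply construction described above, as an added example in portable C that is not the board's code: the checksum routine is the compute-then-invert rule from the PING_HEADER comment, and the reply keeps identifier, sequence and the 32 data bytes while changing only msg_type and checksum. The sample frame is constructed, not captured, and fields are read at explicit offsets rather than by overlaying the structs, which on the board only works because Keil C51 stores UINT/ULONG big-endian.

```c
#include <stdint.h>
#include <string.h>
#define ETH_HDR_LEN 14   /* page: IP header at inbuf + 14, ICMP at inbuf + 34 */
#define IP_HDR_LEN  20   /* page: only 20-byte (ver_len == 0x45) headers are supported */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Internet checksum: one's-complement sum of 16-bit words, then inverted ("compute, then negate") */
uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (; len > 1; len -= 2, p += 2) s += rd16(p);
    if (len) s += (uint32_t)p[0] << 8;               /* odd trailing byte padded with a zero */
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);    /* fold carries back in */
    return (uint16_t)~s;
}

/* The page's IP-layer acceptance rules plus a length check: 0 = accept, negative = reason to drop */
int check_ip_header(const uint8_t *inbuf, size_t len)
{
    const uint8_t *ip = inbuf + ETH_HDR_LEN;
    if (len < ETH_HDR_LEN + IP_HDR_LEN) return -1;
    if (ip[0] != 0x45) return -2;                    /* ver_len: IPv4 with a 20-byte header only */
    if ((rd16(ip + 6) & 0x3FFF) != 0) return -3;     /* fragment_info: fragments are not handled */
    if (rd16(ip + 2) < IP_HDR_LEN || rd16(ip + 2) > len - ETH_HDR_LEN) return -4; /* total_length must fit */
    return inet_cksum(ip, IP_HDR_LEN) == 0 ? 0 : -5; /* header_cksum must verify to zero */
}

/* Copy the ICMP part (header + data, may exceed sizeof(PING_HEADER)) into out as an echo reply:
 * only msg_type and checksum change; identifier, sequence and echo data are kept verbatim. */
int build_echo_reply(const uint8_t *inbuf, size_t len, uint8_t *out, size_t outcap)
{
    const uint8_t *ip = inbuf + ETH_HDR_LEN;
    size_t n; uint16_t c;
    if (check_ip_header(inbuf, len) != 0 || ip[9] != 1) return -1;  /* protocol_id 1 = ICMP_TYPE */
    n = rd16(ip + 2) - IP_HDR_LEN;                   /* ICMP length taken from total_length */
    if (n < 8 || n > outcap || ip[20] != 8) return -1; /* only echo requests (msg_type 8) */
    if (inet_cksum(ip + 20, n) != 0) return -1;      /* corrupted request: drop it, do not answer */
    memcpy(out, ip + 20, n);
    out[0] = 0; out[2] = out[3] = 0;                 /* msg_type 0 = reply; zero before summing */
    c = inet_cksum(out, n); out[2] = (uint8_t)(c >> 8); out[3] = (uint8_t)c;
    return (int)n;
}

/* Constructed sample (not a capture): echo request 192.168.0.34 -> 192.168.0.250 with 32 data bytes */
const uint8_t sample_frame[74] = {
    0x00,0x0b,0x3c,0x24,0xb0,0x27, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,                  /* Ethernet */
    0x45,0x00,0x00,0x3c, 0x00,0x01,0x00,0x00, 0x40,0x01,0xf8,0x53, 0xc0,0xa8,0x00,0x22, 0xc0,0xa8,0x00,0xfa, /* IP */
    0x08,0x00,0x3b,0x21, 0x12,0x34,0x00,0x07,                                                  /* ICMP: type 8, id 0x1234, seq 7 */
    'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w',
    'a','b','c','d','e','f','g','h','i' };
uint8_t reply_buf[64];
```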
TCP/UDP layer, (TCP_HEADER xdata *)(inbuf + 34):
typedef struct
{
UINT source_port;
UINT dest_port;
ULONG sequence;
ULONG ack_number;
UINT flags;
UINT window;
UINT checksum;
UINT urgent_ptr;
UCHAR options;
} TCP_HEADER;
tcp_send(FLG_RST, 20, NO_CONNECTION);
------------------------------------------------------------------------------------------
Application/session layer, HTTP:
Appendix:
// Timer fragment: count1 is incremented by the periodic timer (not shown here)
event_word |= EVENT_AGE_ARP_CACHE;                      // This happens every 60.025 seconds: invalidate/age the ARP cache
if (count1 == 5)  event_word |= EVENT_ARP_RETRANSMIT;   // resend the ARP packet
if (count1 == 10) event_word |= EVENT_TCP_INACTIVITY;   // check whether the TCP connection has timed out
if (count1 == 15) event_word |= EVENT_READ_ANALOG;      // see if it is time to read the analog inputs
if (count1 == 20)
{
    count1 = 0;
    event_word |= EVENT_TCP_RETRANSMIT;
}
void query_8019(void)
{
    char bnry, curr;
    page(0);
    bnry = reg03;               // BNRY: boundary pointer, the last receive page already read
    page(1);
    curr = reg07;               // CURR: the 8019's current write page pointer
    page(0);
    if (curr == 0) return;
    bnry++;                     // next page to read (the original "bnry = bnry++" is undefined behaviour in C)
    if (bnry > 0x7f) bnry = 0x4c;   // wrap around the receive ring buffer
    if (bnry != curr)           // a new packet is waiting in the buffer
    {
        event_word |= EVENT_ETH_ARRIVED;
        EA = 1;                 // re-enable interrupts
    }
    reg0b = 0x00; reg0a = 0x00; reg00 = 0x22;   // complete DMA, page 0
}
2012-03-29 09:31:49:
About ARP attacks: it is enough to send one ARP broadcast with source_ip set to the gateway's IP and a MAC that is not the original one; the LAN then loses its connection to the outside network, effective for 1 minute.
To attack a specific machine, one can send a broadcast ARP frame with source_ip set to the target machine and source_hwaddr set to another machine on the LAN, which causes a
MAC address conflict between the two machines.
Experiment result: if an ARP query command is sent with source_ip set to the gateway, most machines in the company could not get online; if the LAN has 2 gateways, a machine can still
get online.
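The ARP receive-processing rules above (refresh if present, add if absent, overwrite the oldest when full, age once a minute), as an added example in portable C rather than the board's own code, with one hardening aimed at the gateway-spoofing note: a reply that changes the MAC of an IP already in the cache is rejected and reported instead of being applied, so a poisoned entry cannot take effect until the genuine one expires. ARP_CACHE_SIZE, ARP_TTL_MIN, the ARP_ENTRY layout and the sample reply frame are my assumptions or constructed values, and fields are read byte by byte for portability.

```c
#include <stdint.h>
#include <string.h>
#define ARP_CACHE_SIZE 8          /* assumed cache size (the page gives none) */
#define ARP_TTL_MIN    20         /* assumed lifetime in minutes; timer is decremented once a minute */
typedef struct {                  /* same field order as the page's ARP_HEADER */
    uint16_t hardware_type, protocol_type; uint8_t hwaddr_len, ipaddr_len; uint16_t message_type;
    uint8_t source_hwaddr[6]; uint32_t source_ipaddr; uint8_t dest_hwaddr[6]; uint32_t dest_ipaddr;
} ARP_HEADER;
typedef struct { uint32_t ipaddr; uint8_t hwaddr[6]; uint8_t timer; } ARP_ENTRY;
ARP_ENTRY arp_cache[ARP_CACHE_SIZE];   /* timer == 0 means the slot is free or expired */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Parse the 28 ARP bytes at inbuf + 14 (14-byte Ethernet header first); 0 = OK, -1 = malformed */
int arp_parse(const uint8_t *inbuf, size_t len, ARP_HEADER *a)
{
    const uint8_t *p = inbuf + 14;
    if (len < 42 || rd16(inbuf + 12) != 0x0806) return -1;          /* frame_type must be ARP */
    a->hardware_type = rd16(p); a->protocol_type = rd16(p + 2);
    a->hwaddr_len = p[4]; a->ipaddr_len = p[5]; a->message_type = rd16(p + 6);
    if (a->hardware_type != 1 || a->protocol_type != 0x0800 ||      /* Ethernet over IPv4 only */
        a->hwaddr_len != 6 || a->ipaddr_len != 4) return -1;
    memcpy(a->source_hwaddr, p + 8, 6);  a->source_ipaddr = rd32(p + 14);
    memcpy(a->dest_hwaddr, p + 18, 6);   a->dest_ipaddr = rd32(p + 24);
    return 0;
}

/* Called once a minute: age every entry; an entry whose timer reaches 0 becomes a free slot */
void arp_cache_age(void) { int i; for (i = 0; i < ARP_CACHE_SIZE; i++) if (arp_cache[i].timer) arp_cache[i].timer--; }

/* Page rules: refresh if present, else add, else overwrite the oldest. Hardening: a different MAC for
 * an IP already cached is rejected and reported. Returns 0 = refreshed, 1 = added, 2 = conflict */
int arp_cache_update(uint32_t ip, const uint8_t *hw)
{
    int i, oldest = 0;
    for (i = 0; i < ARP_CACHE_SIZE; i++) {
        if (arp_cache[i].timer && arp_cache[i].ipaddr == ip) {
            if (memcmp(arp_cache[i].hwaddr, hw, 6) != 0) return 2;   /* MAC changed: likely spoofing */
            arp_cache[i].timer = ARP_TTL_MIN; return 0;
        }
        if (arp_cache[i].timer < arp_cache[oldest].timer) oldest = i; /* smallest timer = oldest */
    }
    arp_cache[oldest].ipaddr = ip; memcpy(arp_cache[oldest].hwaddr, hw, 6);
    arp_cache[oldest].timer = ARP_TTL_MIN;
    return 1;
}

/* Constructed sample (not a capture): reply "192.168.0.250 is at 00:0b:3c:24:b0:27" sent to 192.168.0.34 */
const uint8_t sample_arp[42] = {
    0x02,0,0,0,0,0x01, 0x00,0x0b,0x3c,0x24,0xb0,0x27, 0x08,0x06, 0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,
    0x00,0x0b,0x3c,0x24,0xb0,0x27, 0xc0,0xa8,0x00,0xfa, 0x02,0,0,0,0,0x01, 0xc0,0xa8,0x00,0x22 };
ARP_HEADER parsed;
```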
3. Appendix:
Pinging a local host
"250236","11371.633273","EntradaN_09:90:e4","Broadcast","ARP","Who has 192.168.0.250? Tell 192.168.0.34"
"250237","11371.750277","CygnalIn_24:b0:27","EntradaN_09:90:e4","ARP","192.168.0.250 is at 00:0b:3c:24:b0:27"
"250238","11371.750296","192.168.0.34","192.168.0.250","ICMP","Echo (ping) request"
"250239","11371.868547","192.168.0.250","192.168.0.34","ICMP","Echo (ping) reply"
"250240","11372.629126","192.168.0.34","192.168.0.250","ICMP","Echo (ping) request"
"250241","11372.747447","192.168.0.250","192.168.0.34","ICMP","Echo (ping) reply"
"250242","11373.629137","192.168.0.34","192.168.0.250","ICMP","Echo (ping) request"
"250243","11373.747464","192.168.0.250","192.168.0.34","ICMP","Echo (ping) reply"
"250245","11374.629162","192.168.0.34","192.168.0.250","ICMP","Echo (ping) request"
"250246","11374.747399","192.168.0.250","192.168.0.34","ICMP","Echo (ping) reply"
Pinging baidu
"250562","13309.474515","EntradaN_09:90:e4","Broadcast","ARP","Who has 192.168.0.250? Tell 192.168.0.34"
"250563","13309.474741","Intel-Hf_00:12:46","EntradaN_09:90:e4","ARP","192.168.0.250 is at 00:a0:c9:00:12:46"
"250564","13309.474761","192.168.0.34","211.162.78.2","DNS","Standard query A baidu.com"
"250565","13309.479607","211.162.78.2","192.168.0.34","DNS","Standard query response A 220.181.111.85 A 220.181.111.86 A 123.125.114.144"
"250566","13309.486662","192.168.0.34","220.181.111.85","ICMP","Echo (ping) request"
"250568","13309.524370","220.181.111.85","192.168.0.34","ICMP","Echo (ping) reply"
3 ICMP exchanges