每次检测到数据包时都会运行此代码,但ARP IP地址与预期的数据不匹配,源IP地址甚至不是本地地址。我添加了一条测试打印输出来定位问题,当我运行ARP扫描(针对192.168.1.*)时,得到如下输出:
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.42 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.43 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.44 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.45 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.46 (ff:ff:ff:ff:28:cf)
什么会导致这种类型的行为,其中目标IP(结构中的最后一个字段)被正确读取但其余的不是?
/*
 * Per-packet handler fragment: overlays an Ethernet header on `packet`,
 * formats the source/destination MAC and the EtherType, and for ARP frames
 * formats the sender/target addresses and hands the text to capMessage().
 *
 * NOTE(review): no captured-length check is visible before the casts below.
 * Confirm the caller guarantees at least SIZE_ETHERNET + sizeof(struct pkt_arp)
 * bytes of captured data; otherwise these reads run past the captured frame.
 */
const struct pkt_ethernet *ethernet = (struct pkt_ethernet*)(packet);
char ether_src[48];
char ether_dst[48];
char ether_typ[8]; // textual EtherType; not used again in the visible fragment
int ether_typ_dec;
// ether_ntoa() returns a pointer to a static buffer, so each result is copied
// out with snprintf() before the next call overwrites it.
// NOTE(review): ether_ntoa() expects a const struct ether_addr *. struct
// pkt_ethernet is not shown here, so confirm these two arguments are pointers.
snprintf(ether_src, 48, "%s", ether_ntoa(ethernet->ether_src));
snprintf(ether_dst, 48, "%s", ether_ntoa(ethernet->ether_dst));
snprintf(ether_typ, 8, "%d", ntohs(ethernet->ether_type));
ether_typ_dec = ntohs(ethernet->ether_type); // EtherType in host byte order
switch (ether_typ_dec)
{
case 2054: // 2054 == 0x0806, the EtherType for ARP
{
// The ARP message is assumed to start right after the Ethernet header.
const struct pkt_arp *arp = (struct pkt_arp*)(packet + SIZE_ETHERNET);
char arp_srcIP[INET_ADDRSTRLEN]; // ARP sender IP, dotted-quad text
char arp_trgIP[INET_ADDRSTRLEN]; // ARP target IP, dotted-quad text
char arp_srcHW[48];
char arp_trgHW[48];
// The field offsets come from struct pkt_arp. As declared on this page the
// hardware-address members are arrays, so srcIP and trgIP are not at the
// offsets of a wire-format ARP message and these reads can land outside
// the frame. The inet_ntop() return values are not checked.
inet_ntop(AF_INET, &arp->srcIP, arp_srcIP, INET_ADDRSTRLEN);
inet_ntop(AF_INET, &arp->trgIP, arp_trgIP, INET_ADDRSTRLEN);
// srcHw and trgHW are arrays in struct pkt_arp as declared on this page, so
// they decay to a pointer to their first element here.
snprintf(arp_srcHW, 48, "%s", ether_ntoa(arp->srcHw));
snprintf(arp_trgHW, 48, "%s", ether_ntoa(arp->trgHW));
char test[300];
// Debug line: EtherType, then sender IP (MAC) and target IP (MAC).
snprintf(test, 300, "[%d] Src IP: %s (%s) - Trg IP: %s (%s)", ether_typ_dec, arp_srcIP, arp_srcHW, arp_trgIP, arp_trgHW);
capMessage(test);
break;
}
}
ARP结构:
/*
 * Overlay for an ARP message as it appears in a captured frame. The packed
 * attribute removes padding so member offsets follow the declaration order.
 *
 * NOTE(review): srcHw and trgHW are each declared as an array of
 * ETHER_ADDR_LEN struct ether_addr, not as a single address. With the usual
 * 6-byte struct ether_addr and ETHER_ADDR_LEN == 6, each member is 36 bytes.
 * That puts srcIP at offset 44 and trgIP at offset 84, beyond the 28 bytes of
 * an Ethernet/IPv4 ARP message, so code reading those members through a
 * pointer into a capture buffer reads memory that follows the frame.
 */
struct pkt_arp
{
u_int16_t htype; /* Hardware Type */
u_int16_t ptype; /* Protocol Type */
u_char hlen; /* Hardware Address Length */
u_char plen; /* Protocol Address Length */
u_int16_t oper; /* Operation Code */
struct ether_addr srcHw[ETHER_ADDR_LEN]; /* Sender hardware address; array of ETHER_ADDR_LEN structs, see note above */
struct in_addr srcIP; /* Sender IP address */
struct ether_addr trgHW[ETHER_ADDR_LEN]; /* Target hardware address; array of ETHER_ADDR_LEN structs, see note above */
struct in_addr trgIP; /* Target IP address */
} __attribute__ ((__packed__));
答案 0 :(得分:0)
问题出现在结构中:
/*
 * Annotated copy of the question's struct; the arrows mark the two members
 * that are wrong. Each is an array of ETHER_ADDR_LEN struct ether_addr rather
 * than one address, which enlarges the member (36 bytes instead of 6 with the
 * usual definitions) and shifts every later field. srcIP and trgIP are then
 * read from offsets past the end of a 28-byte Ethernet/IPv4 ARP message, i.e.
 * from whatever memory follows the frame in the capture buffer.
 */
struct pkt_arp
{
u_int16_t htype;
u_int16_t ptype;
u_char hlen;
u_char plen;
u_int16_t oper;
struct ether_addr srcHw[ETHER_ADDR_LEN]; <---- HERE
struct in_addr srcIP;
struct ether_addr trgHW[ETHER_ADDR_LEN]; <---- and HERE
struct in_addr trgIP;
} __attribute__ ((__packed__));
那应该是 struct ether_addr srcHw;(trgHW 同理),即单个结构,而不是 ETHER_ADDR_LEN 个元素的数组。
并且在代码中应该引用 ether_ntoa(&ethernet->ether_dst),包括 & 符号。