我在c中使用libpcap库来解析pcap文件。我正在尝试提取TCP客户端问候,然后检查服务器名称指示以匹配给定的服务器。我能这样做吗?如果有,有人可以告诉我怎么做?谢谢
答案 0 :(得分:1)
这是一个C ++代码段,可以使用PcapPlusPlus库来执行此操作。此代码假定您正在从pcap文件中读取数据包,但从实时接口读取时可以实现相同的目的:
// create a pcap file reader instance
pcpp::IFileReaderDevice* reader = pcpp::IFileReaderDevice::getReader("my_ssl_packets.pcap");
// open the reader for reading
reader->open();
// read the first (and only) packet from the file
pcpp::RawPacket rawPacket;
while (reader->getNextPacket(rawPacket) != NULL)
{
// parse the packet
pcpp::Packet sslParsedPacket(&rawPacket);
// check if this is a SSL packet
if (!sslParsedPacket.isPacketOfType(pcpp::SSL))
continue;
// check if this is a SSL handshake packet
pcpp::SSLHandshakeLayer* sslHandshakeLayer = sslPacket->getLayerOfType<pcpp::SSLHandshakeLayer>();
if (sslHandshakeLayer == NULL)
continue;
// check if this is a client-hello message
pcpp::SSLClientHelloMessage* clientHelloMessage = sslHandshakeLayer->getHandshakeMessageOfType<pcpp::SSLClientHelloMessage>();
if (clientHelloMessage == NULL)
continue;
// extract the Server Name Indication from the client-hello message
pcpp::SSLServerNameIndicationExtension* sniExtension = clientHelloMessage->getExtensionOfType<pcpp::SSLServerNameIndicationExtension>();
if (sniExtension != NULL)
printf("Server Name Indication is: %s\n", sniExtension->getHostName().c_str());
}
// close the file reader
reader->close();
delete reader;