libpcap/main.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

#include <pcap.h>
#include <stdbool.h>

// 判断规则是否匹配数据包
bool isBPFRuleMatching(const char *bpfRule, const unsigned char *packet,
                       int packetLength) {
  pcap_t *pcap_handle;
  struct bpf_program fp;

  // 打开一个虚拟的 pcap 设备，可以根据实际需求修改参数
  pcap_handle = pcap_open_dead(DLT_EN10MB, 65535);

  // 编译 BPF 规则
  if (pcap_compile(pcap_handle, &fp, bpfRule, 0, PCAP_NETMASK_UNKNOWN) < 0) {
    pcap_close(pcap_handle);
    printf("Rule is illegal");
    return false; // 编译失败
  }

  // 执行匹配
  struct pcap_pkthdr header;
  header.caplen = 12;
  header.len = 12;

  if (pcap_offline_filter(&fp, &header, packet) != 0) {
    pcap_freecode(&fp);
    pcap_close(pcap_handle);
    return true; // 规则匹配
  }

  pcap_freecode(&fp);
  pcap_close(pcap_handle);
  return false; // 规则不匹配
}

int main() {
  /*31	Ether/IPv4/TCP
        192.168.11.169	202.157.180.190	TCP	78
        64161→1443[SYN] Seq = 2421401215 Win = 65535 Len = 0 MSS = 1460 WS = 16
        TSval = 1409022517 TSecr = 0 SACK_PERM = 1
*/

  static const unsigned char pkt_031[78] = {
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xdc, 0x9b, /* ........ */
      0x9c, 0xb2, 0x90, 0x51, 0x08, 0x00, 0x45, 0x00, /* ...Q..E. */
      0x00, 0x40, 0x74, 0x13, 0x40, 0x00, 0x40, 0x06, /* .@t.@.@. */
      0x7a, 0xf7, 0xc0, 0xa8, 0x0b, 0xa9, 0xca, 0x9d, /* z....... */
      0xb4, 0xbe, 0xfa, 0xa1, 0x05, 0xa3, 0x90, 0x53, /* .......S */
      0xa6, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, /* ........ */
      0xff, 0xff, 0x66, 0x07, 0x00, 0x00, 0x02, 0x04, /* ..f..... */
      0x05, 0xb4, 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, /* ........ */
      0x08, 0x0a, 0x53, 0xfb, 0xfa, 0x35, 0x00, 0x00, /* ..S..5.. */
      0x00, 0x00, 0x04, 0x02, 0x00, 0x00              /* ...... */
  };

  // 示例 BPF 规则
  // const char *bpfRule = "src host 192.168.11.169";
  // const char *failBpfRule = "src host 192.168.11.111";

  unsigned char pkt_02[] = {
      0x2E, 0x48, 0xF7, 0x09, 0x02, 0xC2, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x08, 0x00, 0x45, 0x00, 0x00, 0x1C, 0x00, 0x01, 0x00, 0x40,
      0x01, 0x88, 0x20, 0xAC, 0x13, 0xC7, 0xAB, 0x7F, 0x00, 0x00, 0x01,
      0x08, 0x00, 0xF7, 0xFF, 0x00, 0x00, 0x00, 0x00};
  const char *bpfRule = "ether host 2e:48:f7:09:02:c2";
  const char *failBpfRule = "ether host 2e:48:f7:09:02:c3";

  // 判断规则是否匹配数据包
  if (isBPFRuleMatching(bpfRule, pkt_02, sizeof(pkt_02))) {
    printf("YES\n");
  } else {
    printf("NO\n");
  }

  if (isBPFRuleMatching(failBpfRule, pkt_02, sizeof(pkt_02))) {
    printf("NO\n");
  }

  return 0;
}