Date: 2014-05-16  Views: 20923

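What does the third parameter of pcap_loop's pcap_handler mean?
It is written in the user manual, but my English is not very good and I cannot understand the last sentence.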


  typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
  const u_char *bytes);

  int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user);

  callback specifies a pcap_handler routine to be called with three argu-
  ments: a u_char pointer which is passed in the user argument to
  pcap_loop() or pcap_dispatch(), a const struct pcap_pkthdr pointer
  pointing to the packet time stamp and lengths, and a const u_char
  pointer to the first caplen (as given in the struct pcap_pkthdr a
  pointer to which is passed to the callback routine) bytes of data from
  the packet.


a const u_char pointer to the first caplen (as given in the struct pcap_pkthdr a pointer to which is passed to the callback routine) bytes of data from the packet.
What does this mean?

In other words, what is the const u_char *bytes of pcap_handler used for? I googled it and could not find anything...

Many thanks.

------Solution--------------------
I suggest reading the official documentation more:

ts
a struct timeval containing the time when the packet was captured
caplen
a bpf_u_int32 giving the number of bytes of the packet that are available from the capture
len
a bpf_u_int32 giving the length of the packet, in bytes (which might be more than the number of bytes available from the capture, if the length of the packet is larger than the maximum number of bytes to capture)

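These are the members of pcap_pkthdr, and the principle is simple:

When the callback is invoked, a complete packet has definitely been captured. pcap is that powerful: it can recognize every type and capture it completely.

caplen means capture length, the length that was captured. The difference from len is that pcap supports limiting the length of captured packets, and the part beyond the limit is truncated. len is the packet's original length, and caplen is the truncated length.

Unless you set this specially, packets are not truncated and any length is accommodated, so caplen and len are the same; both are the number of bytes in bytes.

bytes is one complete packet starting from the link layer, whatever the protocol. You have to parse bytes yourself: decode the link layer first, then move past it and decode the IP/ARP and other layers, and work your way up to TCP/UDP and so on. When the packet length is not limited, bytes is always one complete packet. If it is limited, take care not to go past the caplen length of bytes, otherwise you will access memory illegally.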
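
The caplen bound described in the answer above, as an added example that is not part of the original thread: a parser a pcap_handler could call with `bytes` and `h->caplen`, checking every read against caplen before touching the buffer. It assumes an Ethernet link type (DLT_EN10MB); `parse_ipv4`, the `PARSE_*` codes and `sample_frame` are hypothetical names, and the frame is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14       /* assumption: DLT_EN10MB (Ethernet) link type */
#define ETHERTYPE_IPV4 0x0800
enum { PARSE_TRUNCATED = -1, PARSE_NOT_IPV4 = -2, PARSE_BAD_HDR = -3 };

/*
 * Returns the IPv4 protocol number (6 = TCP, 17 = UDP, ...) and stores the
 * transport header offset in *l4_off, or returns a negative PARSE_* code.
 * From a pcap_handler: parse_ipv4(bytes, h->caplen, &off). Use caplen, not len.
 */
int parse_ipv4(const unsigned char *bytes, uint32_t caplen, uint32_t *l4_off)
{
    if (caplen < ETH_HDR_LEN)
        return PARSE_TRUNCATED;
    uint16_t ethertype = (uint16_t)((bytes[12] << 8) | bytes[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return PARSE_NOT_IPV4;
    /* The fixed 20-byte IPv4 header must be captured before it is read. */
    if (caplen - ETH_HDR_LEN < 20)
        return PARSE_TRUNCATED;
    const unsigned char *ip = bytes + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return PARSE_BAD_HDR;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;    /* header length in bytes */
    if (ihl < 20)
        return PARSE_BAD_HDR;
    /* IP options can push the header past what was captured. */
    if (caplen - ETH_HDR_LEN < ihl)
        return PARSE_TRUNCATED;
    *l4_off = ETH_HDR_LEN + ihl;
    return ip[9];
}

/* Constructed sample: Ethernet + IPv4 header (IHL = 5, protocol 6), 34 bytes. */
static const unsigned char sample_frame[34] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,    /* Ethernet header */
    0x45,0x00,0x00,0x28, 0,0,0,0, 0x40,0x06,0,0,        /* IPv4, TTL 64, TCP */
    192,0,2,1, 192,0,2,2                                /* src, dst address */
};

int main(void)
{
    uint32_t off = 0;
    printf("full capture: %d\n", parse_ipv4(sample_frame, 34, &off));
    printf("caplen 20:    %d\n", parse_ipv4(sample_frame, 20, &off));
    return 0;
}
```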