- 论坛徽章:
- 0
|
各位大佬,这两天被一个奇怪的问题困扰着,实在理不出头绪了,请各位救我。
我是在br_input.c的br_handle_frame里加了调用我的一个方法,将sk_buff传进来,然后我的代码如下:
if(skb->len > 1400){
//对超过1400字节的TCP包,一般不会是HTTP GET请求所以不做解析
return VC_RET_LENGTH_OVER_MAX;
}
eth = eth_hdr(skb); //获取ETH协议头
iph = ip_hdr(skb); //获取IP协议头
if(iph->protocol == IPPROTO_TCP){
ip_header_length = iph->ihl << 2; //IP协议头长度
tcph = (struct tcphdr *)((unsigned char *)iph + ip_header_length);//获取tcp头
ip_total_length = ntohs(iph->tot_len); //IP包总长度
tcp_header_length = tcph->doff << 2; //TCP协议头长度
tcp_body_length = ip_total_length - ip_header_length - tcp_header_length; //TCP包体长度
if(tcph->dest == htons(80) && tcp_body_length > 4){
//接收的包目标端口是80,并且TCP包长度大于4(4字节为GET )
if(((unsigned char *)&(iph->saddr))[2] == 0x0 && ((unsigned char *)&(iph->saddr))[3] == 0xad){
//IP的后2位是0.173就是测试机发的数据
printk("收到测试机发来的测试数据,iphl=%d, iptl=%d, tcphl=%d, tcpbl=%d\n",
ip_header_length, ip_total_length, tcp_header_length, tcp_body_length);
printHexBytes(skb->data, skb->len);
}
}
}
printHezBytes打印出来的日志为:
[ 1156.994390] 收到测试机发来的测试数据,iphl=20, iptl=52, tcphl=32, tcpbl=0
[ 1156.994400] 45 00 00 34 B1 3D 40 00 3E 06 58 6C 6E 4D 00 AD 3A D3 89 4D 0C BC 00 50 49 58 A0 15 00 00 00 00 80 02 FF FF 45 83 00 00 02 04 05 B4 01 03 03 01 01 01 04 02 01 01 05 0A 7E 94 EE CA 7E 96 28 4A 14 FE 62 35 1C 7F 10 4C 87 07 15 CA 7E 93 83 CA 0C 28 C2 C7 00 24 00 04 6E 00 1E FF 00 08 00 14 25 A4 BC 9A EC 0B 5E A3 5F 3D 0D AF D6 00 6C 8E F4 73 AE AE 80 28 00 04 FE ED 3F 1F FF FF FF FF FF FF D5 64 2B 6D A1 FB 3A C6 50 66 7B B0 EA 1C F0 10 F6 B3 C0 D4 EE 52 A8 04 3F B8 BC 4E 98 D8 15 F9 75 20 2A C1 BF 6C DD 3F 21 E6 4F 2A 36 06 59 85 B4 77 86 75 29 10 01 6F 91 4C 48 8D F3 82 F5 37 C4 3B CC 53 52 98 65 6E 23 B6 53 A3 E9 96 2F 10 74 D3 99 DB 12 56 58 5E 00 18 DB C0 30 00 01 00 90 00 FF 92 E5 00 00 00 42 00 04 7B 35 B6 E5 AC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 84 C0 0F 84 9B 05 00 C0 F6 BB 01 00 EA FF FF 36 08 00 00 E6 01 00 00 8B 7B 30 31 D2 B9 09 00 00 00 BE 67 66 57 01 49 89 C6 E8 C9 39 14 00 48 8
[ 1157.040665] 收到测试机发来的测试数据,iphl=20, iptl=40, tcphl=20, tcpbl=0
[ 1157.040673] 45 00 00 28 B1 41 40 00 3E 06 58 74 6E 4D 00 AD 3A D3 89 4D 0C BC 00 50 49 58 A0 16 41 58 EB 2A 50 10 80 00 D9 BB 00 00 00 00 00 00 00 00 03 01 01 01 04 02 01 01 05 0A 7E 94 EE CA 7E 96 28 4A 14 FE 62 35 1C 7F 10 4C 87 07 15 CA 7E 93 83 CA 0C 28 C2 C7 00 24 00 04 6E 00 1E FF 00 08 00 14 25 A4 BC 9A EC 0B 5E A3 5F 3D 0D AF D6 00 6C 8E F4 73 AE AE 80 28 00 04 FE ED 3F 1F FF FF FF FF FF FF D5 64 2B 6D A1 FB 3A C6 50 66 7B B0 EA 1C F0 10 F6 B3 C0 D4 EE 52 A8 04 3F B8 BC 4E 98 D8 15 F9 75 20 2A C1 BF 6C DD 3F 21 E6 4F 2A 36 06 59 85 B4 77 86 75 29 10 01 6F 91 4C 48 8D F3 82 F5 37 C4 3B CC 53 52 98 65 6E 23 B6 53 A3 E9 96 2F 10 74 D3 99 DB 12 56 58 5E 00 18 DB C0 30 00 01 00 90 00 FF 92 E5 00 00 00 42 00 04 7B 35 B6 E5 AC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 84 C0 0F 84 9B 05 00 C0 F6 BB 01 00 EA FF FF 36 08 00 00 E6 01 00 00 8B 7B 30 31 D2 B9 09 00 00 00 BE 67 66 57 01 49 89 C6 E8 C9 39 14 00 48 8
[ 1157.040682] 收到测试机发来的测试数据,iphl=20, iptl=526, tcphl=20, tcpbl=486
[ 1157.040718] 45 00 02 0E B1 42 40 00 3E 06 56 8D 6E 4D 00 AD 3A D3 89 4D 0C BC 00 50 49 58 A0 16 41 58 EB 2A 50 18 80 00 7D 47 00 00 47 45 00 00 00 00 00 00 00 00 61 6E 75 6F 79 69 06 61 6C 69 63 64 6E 03 63 6F 6D 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 CB 00 04 DB 93 34 FD 16 AC 95 A2 D7 5C C5 7C 5B 03 8C DC 59 C1 26 83 27 1D 27 9B 0F FF 78 C2 35 3B 8E D2 EE 27 22 78 6B 83 AF 63 39 54 3F 22 80 D4 76 C0 47 C0 5D 00 05 00 01 00 00 02 82 00 29 08 62 73 79 71 6E 63 64 6E 07 6D 69 61 6F 70 61 69 03 63 6F 6D 03 63 64 6E 0D 62 61 69 73 68 61 6E 2D 63 6C 6F 75 64 C0 1D C0 75 00 05 00 01 00 00 01 1C 00 09 03 63 64 6E 02 76 31 C0 8E C0 AA 00 01 00 01 00 00 00 14 00 04 01 C7 5D 72 C0 AA 00 01 00 01 00 00 00 14 00 04 01 C6 04 44 01 C1 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 69 6D A5 88 23 C0 D2 5B 80 0E 9E 01 00 EA FF FF 36 08 00 00 E6 01 00 00 7E 58 6A 34 CE 3C E4 26 1F ED CF E3 7F AC BD 67 0C 4B 14 D3 1F 3F 25 C0 2
[ 1157.354216] 收到测试机发来的测试数据,iphl=20, iptl=40, tcphl=20, tcpbl=0
[ 1157.354226] 45 00 00 28 B1 51 40 00 3E 06 58 64 6E 4D 00 AD 3A D3 89 4D 0C BC 00 50 49 58 A1 FC 41 58 EF 63 50 10 7D E3 D5 B9 00 00 00 00 00 00 00 00 00 00 00 00 61 6E 75 6F 79 69 06 61 6C 69 63 64 6E 03 63 6F 6D 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 CB 00 04 DB 93 34 FD 16 AC 95 A2 D7 5C C5 7C 5B 03 8C DC 59 C1 26 83 27 1D 27 9B 0F FF 78 C2 35 3B 8E D2 EE 27 22 78 6B 83 AF 63 39 54 3F 22 80 D4 76 C0 47 C0 5D 00 05 00 01 00 00 02 82 00 29 08 62 73 79 71 6E 63 64 6E 07 6D 69 61 6F 70 61 69 03 63 6F 6D 03 63 64 6E 0D 62 61 69 73 68 61 6E 2D 63 6C 6F 75 64 C0 1D C0 75 00 05 00 01 00 00 01 1C 00 09 03 63 64 6E 02 76 31 C0 8E C0 AA 00 01 00 01 00 00 00 14 00 04 01 C7 5D 72 C0 AA 00 01 00 01 00 00 00 14 00 04 01 C6 04 44 01 C1 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 69 6D A5 88 23 C0 D2 5B 80 0E 9E 01 00 EA FF FF 36 08 00 00 E6 01 00 00 7E 58 6A 34 CE 3C E4 26 1F ED CF E3 7F AC BD 67 0C 4B 14 D3 1F 3F 25 C0 2
第3个包是真正有数据的,将它的格式稍做整理后为:
IP包头: 45 00 02 0E B1 42 40 00 3E 06 56 8D 6E 4D 00 AD 3A D3 89 4D
TCP包头:0C BC 00 50 49 58 A0 16 41 58 EB 2A 50 18 80 00 7D 47 00 00
TCP包体:47 45 00 00 00 00 00 00 00 00 61 6E 75 6F 79 69 06 61 6C 69 63 64 6E 03 63 6F 6D 00 00 01 00 01 C0 0C 00 01 00 01 00 00 00 CB 00 04 DB 93 34 FD 16 AC 95 A2 D7 5C C5 7C 5B 03 8C DC 59 C1 26 83 27 1D 27 9B 0F FF 78 C2 35 3B 8E D2 EE 27 22 78 6B 83 AF 63 39 54 3F 22 80 D4 76 C0 47 C0 5D 00 05 00 01 00 00 02 82 00 29 08 62 73 79 71 6E 63 64 6E 07 6D 69 61 6F 70 61 69 03 63 6F 6D 03 63 64 6E 0D 62 61 69 73 68 61 6E 2D 63 6C 6F 75 64 C0 1D C0 75 00 05 00 01 00 00 01 1C 00 09 03 63 64 6E 02 76 31 C0 8E C0 AA 00 01 00 01 00 00 00 14 00 04 01 C7 5D 72 C0 AA 00 01 00 01 00 00 00 14 00 04 01 C6 04 44 01 C1 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 69 6D A5 88 23 C0 D2 5B 80 0E 9E 01 00 EA FF FF 36 08 00 00 E6 01 00 00 7E 58 6A 34 CE 3C E4 26 1F ED CF E3 7F AC BD 67 0C 4B 14 D3 1F 3F 25 C0 2
iphdr: 45 00 02 0E 86 A8 40 00 3E 06 81 27 6E 4D 00 AD 3A D3 89 4D
tcphdr: 0C 77 00 50 2C 61 40 17 05 7E 35 60 50 18 7D E3 EE 44 00 00
可以看到tcp包体刚开始的2个字节是正确的47 45即GE字符,但接下来的第3个字节就不对了,抓的其它几个包基本也是这样,前两个字节是对的,第三个字节开始就不对了。
这是我用tcpdump -i -n -vv -w保存下来后,用wireshark截图的数据,跟记录的日志中,IP包头、TCP包头一模一样,但TCP包体的第3字节开始就对不上了。这种有问题的包中在ETH与IP之间多了一个802.1Q vlan,而没有带vlan层的就正常,这是什么原因呢?好奇怪。
另外附带问一个初级问题:sk_buff中怎么获取到vlan层的信息?比如那个ID,好像sk_buff->data里直接从ip头开始的。
|
|