Winpcap的体系结构与性能研究

深度剖析WinPcap之(序言)——分析WinPcap源代码的缘由过去我一直在开发软件，包括Windows操作系统的应用软件，Linux操作系统的应用软件与驱动程序，也开发过一些嵌入式软件，并在后来的工作中逐渐专注于对软件的测试工作，主要从事软件测试技术与测试方法、软件工程的研究。

在此过程中与其他开发人员、测试人员一同工作，帮助他们构建达到工业级标准的软件，或者指导他们提高软件开发或测试的技术水平。

随着不断的遇见问题、解决问题，我也在思考一个问题：那就是软件开发人员与软件测试人员除了对应用程序需要清晰的理解之外，是否还需要对支撑应用软件运行的操作系统，共享库等有深入的了解？下面通过我亲身经历的两个案例来考虑该问题：案例1：嗅探软件掉包问题某自行开发的网络数据包嗅探软件，在对被测试设备进行数据包分析时，发现有掉包现象，但待测设备运行正常。

经过仔细分析，发现该嗅探软件设计有如下问题：针对高速网络流量，从软件架构上就没考虑到如何防止掉包的问题。

软件开发人员对该嗅探软件进行各种优化，比如增加缓冲区的大小，降低显示的复杂度、分析代码性能瓶颈，但都改善不大。

通过对所调用WinPcap库的仔细分析，获得下列解决方案：让WinPcap的内核驱动程序NPF实现协议过滤，而不是通过嗅探软件进行过滤，同时就在内核实现数据包的存储，而不导入应用层后进行存储。

该案例提醒我们，在测试人员开发测试工具时，需要对所用的支撑软件有深入的了解，才能更好的解决所遇到的实际问题。

内核层的过滤与转储功能是WinPcap的NPF驱动程序提供的优化功能，就是解决高速网络流量掉包问题的。

案例2：AD数据采集系统掉点问题某AD数据采集系统，基于嵌入式Linux系统实现，对所采集的数据进行分析，出现掉点现象。

经过仔细调试发现采样率还不到所要求一半时就开始出现掉点现象，采样率越高掉点现象越严重。

项目组相关人员对Linux驱动程序的机制了解不够深入，应用层软件开发人员对软件进行各种调优，收效甚微，曾一度怀疑是文件系统存储速度慢或硬件问题导致，项目陷入困境。

深度剖析WinPcap之WinPcap简介WinPcap是Windows平台下访问网络数据链路层的开源库，该库已达到工业标准的应用要求。

WinPcap允许应用程序绕开网络协议栈来捕获与传递网络数据包，并具有额外的有用特性，包括内核层的数据包过滤、一个网络统计引擎与支持远程数据包捕获。

1.1. 什么是WinPcap大多数网络应用程序通过被广泛使用的操作系统原语来访问网络，诸如sockets。

操作系统已经处理了底层的细节问题（如协议处理，数据包的封装等），并提供与读写文件类似的、熟悉的接口，这使得用该方法可以很容易的访问网络中的数据。

然而有些时候，这种“简单的方式”并不能满足任务要求，因为有些应用程序需要直接访问网络中的数据包。

也就是说，应用程序需要访问网络中的“原始”数据包，即没有被操作系统使用网络协议进行处理过的数据包。

WinPcap的目的就是为Win32应用程序提供这种访问方式。

WinPcap提供下列功能：•捕获原始数据包，无论是发送到运行WinPcap机器上的数据包，还是在其它主机（共享介质）上进行交换的数据包•在数据包分派给应用程序前，根据用户指定的规则过滤数据包•将原始数据包发送到网络•收集网络流量的统计信息1.2. WinPcap的优点自由 WinPcap遵循BSD open source licence发布。

这意味着你的应用程序拥有全部自由来修改与使用它，即使应用程序是商业化的。

高性能WinPcap实现了有关数据包捕获文献中描述的所有典型的优化方法（比如内核级的过滤与缓冲，减少上下文交换，数据包部分内容复制），加上一些原创的优化方法，如JIT过滤器编辑（JIT filter compilation）与内核级的统计过程。

因为这些原因，WinPcap胜过其它可比的方法。

普及WinPcap被许多工具作为网络接口使用——无论是自由软件还是商业软件。

包括网络协议分析器、网络监视器、网络入侵检测系统、网络嗅探器、网络流量生成器、网络测试器等等。

WinPcap 的体系架构深度剖析WinPcap 之(四)——WinPcap 的体系架构(1) 2009-08-31 20:02:37 标签：架构WinPcapWinPcap 是Win32 平台下用于数据包捕获与网络分析的一个架构。

它包含一个内核层数据包过滤器，一个底层动态链接库( packet.dll )，与一个高层并独立于系统的库 (wpcap.dll )1.1 WinPcap 的主要组成WinPcap 的各个主要组成部分如图2-1 所示。

图2-1 WinPcap 的主要组成首先，为了访问网络上传输的原始数据，一个捕获系统需要绕过操作系统的协议栈。

这需要一部分程序运行于操作系统的内核中，来与网络接口驱动直接交互。

该部分与操作系统密切相关，WinPcap 的解决方案是实现一个叫做Netgroup Packet Filter (NPF )的设备驱动程序，并对Windows 95 、Windows 98 、Windows ME 、Windows NT 4 、Windows 2000 与Windows XP 等不同操作系统提供不同版本的驱动程序。

这些驱动程序提供了数据包捕获与发送的基本特性，同时也提供诸如一个可编程的过滤系统与一个监控引擎之类的更高级特性。

第一个特性可用于限制一个捕获会话，只捕获特定的网络数据包（比如，可以只捕获一个特定主机生成的ftp 数据包）。

第二个特性提供了一个强大但简单的方式，来获取网络流量的统计信息（比如，可以获取网络负载或两个主机间所交换数据的数量）。

其次，捕获系统必须导出一个接口，使得用户层应用程序可使用内核驱动所提供的特性。

WinPcap 提供两个不同的库：packet.dll 与wpcap.dll 。

第一个库提供一个底层的API ，可用来直接访问驱动程序的函数，提供一个独立于微软的不同操作系统的编程接口。

第二个库导出了更强大的、更高层的捕获函数接口，并提供与UNIX 捕获库libpcap 的兼容性。

winpcap(windows packet capture)是windows平台下一个免费，公共的网络访问系统。

开发winpcap这个项目的目的在于为win32应用程序提供访问网络底层的能力。

目录winpcap 驱动各项功能Winpcap的内部结构Winpcap程序实例winpcap卸载不干净的解决方法编辑本段winpcap 驱动各项功能1> 捕获原始数据包，包括在共享网络上各主机发送/接收的以及相互之间交换的数据winpcap结构包；2> 在数据包发往应用程序之前，按照自定义的规则将某些特殊的数据包过滤掉；3> 在网络上发送原始的数据包；4> 收集网络通信过程中的统计信息。

winpcap的主要功能在于独立于主机协议（如TCP-IP)而发送和接收原始数据包。

也就是说，winpcap不能阻塞，过滤或控制其他应用程序数据包的发收，它仅仅只是监听共享网络上传送的数据包。

因此，它不能用于QoS调度程序或个人防火墙。

目前，winpcap开发的主要对象是windows NT/2000/XP，这主要是因为在使用winpcap的用户中只有一小部分是仅使用windows 95/98/Me，并且MS也已经放弃了对win9x的开发。

因此本文相关的程序T-ARP也是面向NT/2000/XP用户的。

其实winpcap中的面向9x系统的概念和NT系统的非常相似，只是在某些实现上有点差异，比如说9x只支持ANSI编码，而NT系统则提倡使用Unicode编码。

有个软件叫sniffer pro.可以作网管软件用，有很多功能，可监视网络运行情况，每台网内机器的数据流量,实时反映每台机器所访问IP以及它们之间的数据流通情况，可以抓包，可对过滤器进行设置,以便只抓取想要的包，比如POP3包,smtp包，ftp包等，并可从中找到邮箱用户名和密码,还有ftp用户名和密码。

它还可以在使用交换机的网络上监听，不过要在交换机上装它的一个软件。

实验6 利用WinPcap技术捕获数据包实验目的：通过掌握WinPcap函数库的结构和功能，实现在windows环境下对网卡进行编程，进行网络数据包的捕获。

实验准备：（1）winpcap简介WinPcap 是由伯克利分组捕获库派生而来的分组捕获库，它是在Windows 操作平台上来实现对底层包的截取过滤。

WinPcap 为用户级的数据包提供了Windows 下的一个平台。

WinPcap 是 BPF 模型和 Libpcap 函数库在Windows 平台下网络数据包捕获和网络状态分析的一种体系结构，这个体系结构是由一个核心的包过滤驱动程序，一个底层的动态连接库 Packet.dll 和一个高层的独立于系统的函数库 Libpcap 组成。

底层的包捕获驱动程序实际为一个协议网络驱动程序，通过对 NDIS 中函数的调用为 Win95、Win98、WinNT、和 Win2000 提供一类似于 UNIX 系统下 Berkeley Packet Filter 的捕获和发送原始数据包的能力。

Packet.dll 是对这个 BPF 驱动程序进行访问的 API 接口，同时它有一套符合 Libpcap 接口（UNIX 下的捕获函数库）的函数库。

WinPcap的结构图如图1。

WinPcap 包括三个部分：第一个模块NPF(Netgroup Packet Filter)，是一个虚拟设备驱动程序文件。

它的功能是过滤数据包，并把这些数据包原封不动地传给用户态模块，这个过程中包括了一些操作系统特有的代码。

第二个模块packet.dll为win32平台提供了一个公共的接口。

不同版本的Windows系统都有自己的内核模块和用户层模块。

Packet.dll用于解决这些不同。

调用Packet.dll的程序可以运行在不同版本的Windows平台上，而无需重新编译。

第三个模块 Wpcap.dll是不依赖于操作系统的。

它提供了更加高层、抽象的函数。

基于WinPcap的网络分析研究与实现摘要近几年，我国经济发展迅速，各个领域的事业都趋于完善。

在网络信息技术的不断发展下，通过对WinPcap的应用，真正实现了Windows下网络数据包的捕获技术，下文将详细阐述IP、Tcp等等协议的解析过程。

网络数据的储存通过msspl来实现，进而建立系统硬件运行环境。

对局域网，通过测试实现了全局监控。

关键词信息技术；网络分析；分析与研究；运行环境；数据包；源代码1 应用环境网络监控系统承载介质中，硬件与软件监控系统共同构成网络监控。

网络监控系统标准功能是对局域网中的违规行为进行记录与监控。

在国外一些发达国家，有两款软件Ethereal与Sniffer，后者主要任务就是给网管及时提供网络监视情况与数据包捕以及故障分析等内容，这样能方便网管对现场进行迅速的故障处理以及诊断能力。

与此同时，还能使用户得到更好的网络管理以及故障分析功能。

前者作为一种可以捕获数据包，并且将这个数据包的信息显示出来，这样的一款网络数据包分析软件，在通用许可证的保障范围内，其数据包分析软件用户能免费得到。

除此之外，还可以得到其源代码，并且也能够根据自身的需要来将其源代码进行修改。

现阶段，Wireshark是全球应用最多的一种网络数据包分析软件[1]。

2 Win Pcap研究抓包的过程，是通过用户级的程序接口来完成的。

在这些接口中，用户程序能够利用内核驱动提供的高级特性。

作为WinPcap所提供的2个库，PACKET 提供一个底层api，应用这个库能够访问驱动的函数。

这些函数能够实现来抓包时，网络硬件与操作系统独立。

NDIS作为一种管理网络适配器的驱动程序和协议驱动之间的规范。

其还是一个可以让协议驱动发生与接收数据包并且不用看特定的适配器或者特定的Win32操作系统的封装。

捕获数据包是通过NPF来实现的。

在进行数据包的捕获时，数据包的监控任务是一个网络接口，进而应用程序才能够完整抹除这部分数据包。

实验一 wireshark抓包工具使用[实验目的]学习wireshark抓包工具的使用了解wireshark抓包工具的功能通过学习，进一步理解协议及网络体系结构思想[实验原理]Wireshark是网络包分析工具。

网络包分析工具的主要作用是尝试捕获网络包，并尝试显示包的尽可能详细的情况。

主要应用：网络管理员用来解决网络问题网络安全工程师用来检测安全隐患开发人员用来测试协议执行情况用来学习网络协议[实验内容]下载WIRESHARK，学习工具的使用和功能。

[习题与思考题]1、网络工程师能通过WIRESHARK做哪些工作？2书名实验二 WINPCWP编程[实验目的]了解WINPCAP的架构学习WINPCAP编程[实验原理]WinPcap是一个基于Win32平台的，用于捕获网络数据包并进行分析的开源库.大多数网络应用程序通过被广泛使用的操作系统元件来访问网络，比如sockets。

这是一种简单的实现方式，因为操作系统已经妥善处理了底层具体实现细节（比如协议处理，封装数据包等等），并且提供了一个与读写文件类似的，令人熟悉的接口。

然而，有些时候，这种“简单的方式”并不能满足任务的需求，因为有些应用程序需要直接访问网络中的数据包。

也就是说，那些应用程序需要访问原始数据包，即没有被操作系统利用网络协议处理过的数据包。

WinPcap产生的目的，就是为Win32应用程序提供这种访问方式；WinPcap提供了以下功能1.捕获原始数据包，无论它是发往某台机器的，还是在其他设备（共享媒介）上进行交换的2.在数据包发送给某应用程序前，根据用户指定的规则过滤数据包3.将原始数据包通过网络发送出去4.收集并统计网络流量信息章名 3以上这些功能需要借助安装在Win32内核中的网络设备驱动程序才能实现，再加上几个动态链接库DLL。

所有这些功能都能通过一个强大的编程接口来表现出来,易于开发，并能在不同的操作系统上使用。

这本手册的主要目标是在一些程序范例的帮助下，叙述这些编程接口的使用。

WinPcap：⽹络监控的基⽯稳定版本:WinPcap 4.0.2最近版本:WinPcap 4.1 beta5WinPcap是Windows环境访问链路层的⼯业标准级别的⼯具。

允许应⽤程序绕过协议栈抓取和传输⽹络包，且有以下有⽤特性，包括内核级包过滤，⽹络统计引擎并⽀持远程抓包。

WinPcap包括⼀个继承操作系统以提供底层⽹络访问的驱动，和⼀个⽤来轻松访问底层⽹络的库。

该库也包含Unix下的API libpcap。

由于众多特性，WinPcap成为许多开源或商业⽹络⼯具的抓包和过滤引擎，包括协议分析，⽹络监控，⽹络⼊侵检测系统，嗅探器，流量⽣成器和⽹络测试器。

其中⼀些⼯具，像Wireshar，Nmap,Snort,ntop在⽹络社区被⼴泛使⽤。

WinPcap同时也是WinDump诞⽣之地，WinPcap是windows版本的流⾏tcpdump,能被⽤来按照各种各样复杂的规则监视，分析⽹络流量并存盘。

看看基于WinPcap开发出的众多知名产品:Ethereal,Windump等等，当然还包括国内有名(⾮常有⽤但被⼈滥⽤⼜⼗分讨厌)的⽹络剪⼑⼿，P2P终结者，⽹络执法官等等.还包括基于它开发的不同语⾔的库，如JPcap(⽤于Java)，pypcap(⽤于Python)，sharpcap(.NET)0x4553-IntercepterThis program offers the following features: - Sniffing passwords\hashes of the types:ICQ\IRC\AIM\FTP\IMAP\POP3\SMTP\LDAP\BNC\SOCKS\HTTP\WWW\NNTP\CVS\TELNET\MRA\DC++\VNC\MYSQL\ORACLE -Sniffing chat messages of ICQ\AIM\JABBER\YAHOO\MSN\GADU-GADU\IRC\MRA - Changing MAC address of LAN adapters - Raw mode (with filtering rules) - Capturing packets and post-capture (offline) analyzing - Remote traffic capturing via RPCAP daemon -Reconstruction of SMTP\POP3 messagesAerosolWardriving utility for Windows.AirSnareAirSnare is an intrusion detection system to help you monitor your wireless network.AnalyzerAnalyzer is a fully configurable Network Analyzer for Win32. It includes several functionalities that are needed by network management operator. Analyzer is based on WinPcap and it is able to capture packets on most Win32 platforms (and link-layer technologies). Analyzer 3.0 comes out with some event logging, LAN monitoring and traffic monitoring capabilities. However,Analyzer 3.0 most valuable point is the ability to parse network packets according to the protocol description contained into some external files, which can be modified at run-time by the user.AnetTestAnetTest is a integrated packet generator and sniffer for Ethernet, but also works with blocks of data over TCP connection.Enables you to use scripts for automated testing, monitoring, imitating of various network objects, creating custom network tools.ArchaeopteryxArchaeopteryx is a Passive mode OS Identification Tool. It is based off Siphon v.666 by SubTerrain. It has a GUI and a highly configurable OS signature file.ARP0cARP0c is an ARP redirector and bridging engine. ARP requests from various sources in a switched environment get false ARP response which point to the host running ARP0c. Packets from these hosts are bridged to the realdestination address to allow normal network operation and keep TCP connections alive.Asn1BrowserThe Asn1Browser analyzer decodes ASN1 binary data and provides an advanced display for the user.assnifferassniffer can monitor a network, and for every HTTP transfer it sees, save a copy of the transferred data.AutoScan-Network AutoScan-Network is a network discovering and managing application.BillSniffBillSniff is a free (freeware) sniffer under MS Windows.CAS BACnet ExplorerAutomatically discover all the BACnet® IP, BACnet® Ethernet and BACnet® MSTP devices, objects, and their properties on your network. The objects and devices are arranged in an easy to use tree format with braches for each network, object, and device.Bit-TwistBit-Twist is a simple yet powerful WinPcap-based Ethernet packet generator. It is designed to compliment WinDump, which by itself has done a great job in capturing network traffic. With Bit-Twist, you can now regenerate the captured traffic onto a live network! Packets are generated from windump trace file (.pcap file). Bit-Twist also comes with a comprehensive trace file editor to allow you to change the contents of a trace file.BochsBochs is a highly portable open source IA-32 (x86) PC emulator written in C++, that runs on most popular platforms.It includes emulation of the Intel x86 CPU, common I/O devices, and a custom BIOS.Busted!Busted! records AOL instant message conversations, web sites visited, applications used, keystrokes and takes periodic screen shots.CableMonCable traffic monitoring tool.Cain & AbelCain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.CarnivorePECarnivore is a surveillance tool for data networks. At the heart of the project is CarnivorePE, a software application that listens to all Internet traffic (email, web surfing, etc.) on a specific local network. Next, CarnivorePE serves this data stream tointerfaces called "clients." These clients are designed to animate, diagnose, or interpret the network traffic in various ways.cdpr - Cisco Discovery Protocol Reportercdpr is used to decode a Cisco Disovery Protocol (CDP) packet, by default it will report the device ID, the IP Address (of the device), and the port number that the machine is connected to. Optionally it will decode the entire CDP packet.choozmailparental control software.CHScannerCHScanner allows you to scan in "style" from Windows XP SP2 and higher OS. It is IPv4 and IPv6 enabled, it has a skinnable interface and it has the ability to mimic various operating systems. Last but not least, it has many scanning methods.coLinuxCooperative Linux is the first working free and open source method for optimally running Linux on Microsoft Windowsnatively. More generally, Cooperative Linux (short-named coLinux) is a port of the Linux kernel that allows it to run cooperatively alongside another operating system on a single machine. For instance, it allows one to freely run Linux on Windows 2000/XP, without using a commercial PC virtualization software such as VMware, in a way which is much more optimal than using any generalpurpose PC virtualization software.CORE IMPACTAutomated, comprehensive penetration testing product for assessing specific information security threats to an organization.dasniffdaSniff is an open source customizable sniffer for win32 systems. It helps you to log your LAN traffic by specifyingpacket rules as filters.Deep Network Analyzer (DNA)DNA is an open, flexible and extensible deep network analyzer (software server) and architecture for gathering and analyzing network packets, network sessions and applications protocols, passively off enterprise class networks. DNA is designed to be used for Internet Security, Intrusion detection, Network Management, Protocol and Network Analysis, Information Gathering, Network Monitoring applications.dsniffdsniff is a collection of utilities to aid in sniffing network data.E.L.AE.L.A. identifies and counts the network traffic by any application. In addition the traffic is separated between local network(s) and Internet (external networks).EffeTech HTTP SnifferEffeTech HTTP Sniffer is a HTTP protocol network sniffer, packet analyzer and file rebuilder based on Windows platform. Unlike most other sniffers, it is dedicated to capture IP packets containing HTTP protocol and to rebuild the HTTP communications and files sent through HTTP protocol.Engage Packet BuilderScriptable libnet-based packet builder for Windows platform.EthergrouikEthergrouik is a Windows open source project (C + GTK) whose main goal is to represent graphically connections by protocols on your network.EtherSnoopEtherSnoop is a basic network sniffer, that can capture all packets going through the network. It lists the captured data in real-time, using an easy-to-understand interface with a hex and text display of the packet content. EtherSnoop also offers basic filtering by protocol type and a tree-style packet explorer. The output can be saved to file and reloaded later if needed. ettercapEttercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.FAP GuardFAP Guard allows DirecPC and DirecWay users to monitor their Fair Access Policy ( FAP ) download level, thus preventing them from getting throttled or disconnected. You might also find this application useful if you are paying for download, or have a download limit imposed by your ISP. It provides some interesting network traffic statistics as well.FanfareSVTThe Fanfare Group delivers one-click test automation™ for communication equipment manufacturers who need to reduce their time to market and improve product quality.FramePadFramePad is a Windows based packet sniffer and protocol analyzer, designed from the ground up with ease and functionality in mind. It allows you to examine data from a live network or from a capture file on disk.FTPXeroxFTPXerox grabs files that are transferred across the network using the FTP protocol. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers.Gamer's IPX Tunnel (GIT)GIT is a freeware utility to link LANs together over the internet for IPX-based network gameplay. It can also be used to bridge many configurations of IPX packets and frames from once point to another.GIPS IP Network SimulatorThe GIPS IP Network Simulator is a software tool that allows the user to emulate network behavior by delaying and/or dropping packets in an IP-network. Installed in a laptop it can be placed between two LAN’s, two gateways, or any two IP devices and simulate the network conditions experienced by the two end-points.Hammer Call AnalyzerThe Hammer Call Analyzer enables users to visualize signaling and voice quality problems in VoIP networks. For example, the unique call list and multistage call flow display features walk engineers through the legs of a particular call. In addition, the Hammer Call Analyzer displays waveforms and the Stream Quality Signature for any call. HiDownloadHiDownload is a multi-threaded download manager that allows you to download individual files (or lists of files) from web and FTP.HoneydHoneyd is a small daemon that creates virtual hosts on a network that enhances network security by providing "honeypot" decoys that enable network security officers to detect, monitor, and contain unauthorized network activities without the intruder knowing they are being tracked.hpinghping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.HTTP snoop A simple but functional HTTP sniffer application. It will display a few basic information about every "HTTP packet" that it sees on the NIC and decode all basics authentication header entries it finds (both for proxies and for web sites). It will also write everything in the HTTP request that is both in the same packet and before the firs null char.HttpTracerView web traffic between browser and any Internet server. HttpTracer is a windows program that runs as a proxy server on your desktop, catching and displaying all textual commands and data sent and recieved by a web browser. jNetPCAPjNetPCAP is a java library that is a wrapper around WinPcap. What makes this library unique is that it is a comprehensive and accurate wrapper around the libpcap library.JPcapA Java wrapper for WinPcap. It allows Java code to access to the WinPcap (and libpcap on UNIX) calls.IM SnifferIntercepts and decodes all instant message traffic received by the computer. A high performance engine delivers real time message decryption. Conversations can be viewed immediately or saved for later analysis. Freeware. iNetWatcheriNetWatcher© is based on Winpcap, may fully monitor the Internet activity of staff or students, record the E-mail transmitting through the Internet and Web Page; monitor the various real-time chatting messages and IM files sent; monitor the register table, hard disk, system information of the employee's computer; monitor FTP; monitor net flow of all staff. ipInterceptorTrace TCP/UDP Packets on your workstation. View packets in a logical sequence, with requests and responses grouped into conversations (showing the resulting response times). Set filters for tracing. View headers and data in text or HEX format. IpMaster/IpMasterProInternet/Network Ip address & data packet monitor.IP SnifferWindows 2000/XP packet sniffer with replay function. Monitor is a bandwidth analysis utility. Besides giving a graphical illustration of the bandwidth usage on your computer or the network it resides, you get a list of all incoming and outgoing connections. KolSnifferKolsniffer contains a component to write very small self-contained WinPcap applications with Delphi and the Key Object Library framework. The source code is a translation of the Tsniffer class that Umar Sears wrote earlier. The source code is freeware, with the permission of the original author. It was written by . The zip filecontains a demo with sources, that illustrates how to use the component. The Key Object Library framework itself is available fromLaBrea@HomeLaBrea@Home is a version of the original network administrator's tool "LaBrea" for home use. LaBrea is a way to combat both port scanners and worms such as Code Red and Nimda. The original network administrator's "LaBrea" creates phantom machines which hold scanners and worms in a sort of "tarpit", luring them in, and holding onto their communications with what they think are real machines.LeetGeek ICMP TunnelerAn ICMP tunneling program.LibnetLibnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection.LibnidsLibnids is an implementation of an E-component of Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection.LineAge UtilsLineAge Utils is tool that allows editing of colored chat, and NPC/mob description in Lineage 2 game. It also has integrated sniffer which allows user to import game character inventory and warehouse into material calculator, which is also part of LineAge Utils.lwIPlwIP is a small independent implementation of the TCP/IP protocol suite. The focus of the lwIP TCP/IP implementation is to reduce the RAM usage while still having a full scale TCP.MSN Protocol AnalyzerMSNProtocol Analyzer(MSNPAnalyzer) is a network utility that can monitor (or capture, monitor) the sessions of MSN Protocol. If you use this program in conbination with SwitchSniffer program, you can capture and see all the MSNP sessions including conversations and MSN commandsMSN Webcam RecorderMSN Webcam Recorder is a tool that allows you to record video streamed to and from your computer by MSN Messenger's Webcam Feature.myNetMonmyNetMon is windows based network monitor and packet analyzing (sniffer).NemesisNemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script.Net::Pcap for Win32A Perl interface to the libpcap library. Net::PcapUtils is available on the same site.NETI@homeNETI@home is an open-source software package that collects network performance statistics from end-systems. It has been written for and tested on the Windows, Linux, and Solaris operating systems, with testing for other operating systems to be completed soon. NETI@home is designed to run on end-user machines and will collect various statistics about Internet performance. These statistics will then be sent to a server at the Georgia Institute of Technology (Georgia Tech), where they will be collected and made publicly available.NetCalibratorNetCalibrator offers statistical analysis of captured data in support of performance analysis. The approach being used provides ability to quantify performance issues for small as well as large (>500,000) number of packets. NetPredictorNetPredictor offers monitoring and prediction of application performance. It enables you to build, or to interactively discover, the path between an application user and the server.netwib, netwox and netwagNetwib provides sniff, spoof, client, server and most functions needed by network programs. Toolbox netwox helps to find and solve networks' problems. Netwag is a graphical network toolbox. Netwox and netwag contain over 150 tools.NetWitnessNetWitness gives an organization the ability to quickly understand and respond to network activity of interest, regardless of the device provisioning the data or the application producing the packets.NetworkMinerA passive network monitoring tool for Windows with an easy-to-use graphical interface. NetworkMiner can detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off line analysis. The source code is available as open source.Network packet generatorNetwork Packet Generator (npg) is a free GNU GPL Windows packet injector (generator) that utilizes WinPcap to send specific packets out a single or multiple network interfaces. These packets and other extended options can be defined on the command line, in a packet file, or combination of the two.NeVODetermine vulnerabilities on your network through passive monitoring much like a sniffer. NeVO dynamically learns about your servers, services and vulnerabilities by performing signature and protocol analysis of the observed network sessions.NeWTEasy-to-use windows vulnerability scanner based on Nessus technology. NeWT installs on any Windows 2000 or Windows XP computer and can quickly scan several thousand hosts for vulnerabilities and produce detailed vulnerability reports. ngrepNgrep strives to provide most of GNU grep's common features, applying them to the network layerNmapNTNmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, sunRPC scanning, reverse-identd scanning, and more.ntopntop is a tool that shows the network usage, similar to what the popular top Unix command does.Nuzzler IDSThe Securepoint Intrusion Detection System (Nuzzler) allows to analyse the network for intrusion detection. Nuzzler can detect possible attacks, viruses, trojans and other bad traffic.Oidview MIB BrowserMIB browser and snmp toolset for network fault management. Free download for network professionals.P2P WatchDogP2P WatchDog is a network sniffer which can monitor and block several Peer-to-Peer file transfer protocols, including FastTrack, Gnutella, DirectConnect, EarthStation5, eDonken, Filetopia, BitTorrent, MP2P, and Overnet.PacanalPacket capture and analyzer program. The source contains a C# reimplementation of the packet.dll WinPcap library. Packet ExcaliburA multi-platform graphical and scriptable network packet engine with extensible text based protocol descriptions.PacketVBIts an ActiveX for use with Visual Basic that wraps the function exported by the WinPcap API (packet.dll). PacketXPacketX is set of ActiveX classes that integrate winpcap packet capture functionality with Visual Basic or anyother programming environment supporting Microsoft ActiveX technology.PacketyzerPacketyzer is a Windows user interface for the Ethereal packet capture and dissection library.PcapyPcapy is a Python extension module that interfaces with WinPcap/libpcap. Pcapy enables python scripts to capture packets on the network. is a .net wrapper for WinPcap written in C++/CLI and C#. It Features almost all WinPcap features and includes a packet interpretation framework. It has different advantages over previously existing WinPcap wrappers and is still in development for new features and bug fixes and is written with pretty high standards of coding.PerformaSureSitraka PerformaSure allows J2EE development teams to identify sources of performance problems within an assembled application. PerformaSure coordinates the collection of performance metrics for any given transaction, following the path of execution from the initial HTTP request through load balancers, application servers, to the database and back again.PI IT MonitorPI IT Monitor collects real-time information regarding the performance of various elements that compose an IT infrastructure. But in addition to collecting real-time values, PI IT Monitor archives such data and makes them available for use in reporting, analysis, troubleshooting, and decision making.PingPlotterPingPlotter is a network troubleshooting and diagnostic tool. It uses a combination of traceroute, ping, and whois to collect data quickly, and then allows you to continue to collect data over time to give you the information you really need to identify problems (both short-term and long-term trends).PromiScanSoftware for remotely monitoring computers on local networks to locate network interfaces operating in a promiscuous mode.PortScannerA TCP port scanner.PSentry Internet Policy Guard & SurveillancePSentry sniffs network traffic at gateway point, captures and records user activites like web surf, emails, web submissions, instant messager sessions (AOL aim, MSN, ICQ, Yahoo, QQ, googletalk). It can log or block ftp, p2p file transfers. PSentry deloys different Internet policies by IP/MAC address or by user, to controls which resource or servce is permited or blocked on a LAN.Pseud IP MasqueradePseud IP Masquerade is a Windows application and NT/2000 Serivce, that has some basic functions of "IP Masquerade".pypcapsimplified object-oriented Python extension module for libpcap - the current version, the legacy version shipping with some of the BSD operating systems, and the WinPcap port for Windows.QtNetworkMonitorThe project is a KISS network monitor that works under both Windows and Linux. It shows how much bandwidth you are taking on a daily basis.rawstuffrawstuff is a toolkit for totally raw (MAC level and with no TCP/IP installed) send and receive on Windows. SatoriSatori is a passive OS Fingerprinting tool for Windows. Unlike most other passive tools it parses and tries to use the following protocols for OS Identification: CDP, DHCP, EIGRP, HPSP , HSRP, ICMP, IGMP, HTTP, MDNS, OSPF, SAP, SCCP, SMB, SNMP, STP, TCP, and UPNP with new protocols being added from time to time.Show TrafficShow Traffic monitors network traffic on the chosen network interface and displays it continuously. It could be used for locating suspicious network traffic or to evaluate current utilization of the network interface.SIMHSIMH is a highly portable, multi-system simulator.SniphereSniphere is an another network wiretapping program for Windows using winpcap. Nevertheless, Sniphere is a pretty handy program with a lot of possibilities which most of free sniffers do not have.SmartSniffSmartSniff allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as sequence of conversations between clients and servers. You can view the TCP/IP conversations in Ascii mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP.) or as hex dump.snoopSnoop is component library encapsulating WinPcap used in Delphi.SnoopAnalyzerSnoopAnalyzer Standard is a network protocol analyzer based on network data capturing technology under Microsoft Windows platforms(95/98/Me/2000/NT/XP).SnoopMSNBlockSnoopMSNBlock is a software to block MSN messenger service used in your company. SnoopNetCoopSnoopNetCop Standard is a program that can detect possible packet sniffing attack on your network. snortSnort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis andpacket logging on IP networks.snotSnot is an arbitrary packet generator, that uses snort rules files as its source of packet information. It can be used asan IDS evasion tool, by using specific decoy hosts, or just something to keep your friendly IDS monitoring staff busy. SOAPscopeSOAPscope is a Web services diagnostic system that collects and analyzes information about SOAP and WSDL by monitoring communications among SOAP endpoints.ssldumpssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.STINGA NGN Monitor:Protocol analyser focusing on SS7oIP from Utel Systems. Protocols like ISUP (ITU, ANSI, UK), SCCP, TCAP, MAP, INAP, CAP/CAMEL, SMS, IS-41, Megaco/H.248, MGCP, SIP, SDP, RTP, SIP-T (ITU, ANSI, UK, DPNSS/DASS2), SCTP,M2PA, M2UA, M3UA, SUA, IAU, DUA, V5UA, TCP, UDP, IP and others are decoded in detaild by this product.STINGA SIP SimulatorProtocol simulator for SIP and SDP protocol testing.SuperAgentThis product from NetQoS analyzes application response times without the need to deploy client-side agents. TCPKillNTTCPKillNT is a TCP connection "Reset" utility for Microsoft Windows NT platforms. It has the ability to send RST packets to already established TCP connections. Quite deadly on a LAN. It is very useful for IDS kind of products which need to terminate a TCP session.tingting is an OSI layer 4 connectivity assurance tool. It supports UDP multicast, unicast and TCP/IP. It makes use of the packet capture library to perform passive multicast monitoring.TJesNetMonitorBorland C++ Builder wrapper for WinPcap. Comes with a sample application.TraceDetTraceDet is a Traceroute Detector for Windows NT. Basically, it detects and logs if somebody trace routes to your host. The idea is that when somebody traces to your host, you receive IP packets with TTL value equal to 1. So, TraceDet looks out for suchpackets.tracetcptracetcp is a command line traceroute utility for WIN32 that uses TCP SYN packets rather than ICMP/UDP packets that the usual implementations use, thus bypassing gateways that block traditional traceroute packets.TrafficStatisticMZL & Novatech TrafficStatistic shows the consumed traffic volume comfortably in system tray.TrafficWatcherA tool to measure network traffic by service (FTP, mail, news, web, UDP etc)TrafMeterTrafMeter is an utility for accounting and realtime monitoring of Internet traffic to and from a local network. It includes flexible filter engine, extensive logging facility and friendly user interface.uIPuIP is an implementation of the TCP/IP protocol stack intended for small 8-bit and 16-bit microcontrollers. It provides the necessary protocols for Internet communication, with a very small code footprint and RAM requirements - the uIP code size is on the order of a few kilobytes and RAM usage is on the order of a few hundred bytes.Unsniff Network AnalyzerUnsniff features brand new visualization of packet data, advanced reassembly capabilities, full stream monitoring and several other enhancements over the current crop of network analyzers. What really sets Unsniff apart is its Scripting capabilities. Unsniff allows you to write your own network analysis scripts using the Ruby scripting language.You can also write powerful protocol handlers and other types of plugins using XML and/or C++. Unsniff is even available in Japanese.Url SnooperUrl Snooper is a a program written to help users locate the urls of audio and video files so that they can be recorded. VB.PCAPVB.PCAP is an "Open Source and completely free" packet capture library for Visual Basic (tested on VB5 andVB6, not tested on ) based on Winpcap. The library exposes a set of APIs, that wrap aroud Winpcap using the _stdcall convention. The library is the foundstone for a network analyzer in VB.Viper ChatViperChat is a FREE LAN chat client compatible with Vypress Chat™ protocol version 1.93. It uses UDP communication over WinPcap.VLADescu VLADescu is a network content sniffer, it is currently able to recognize gif, jpeg and audio mpeg files. VLADescu listens to network traffic and picks out images and mp3s from sniffed TCP streams. It can be used on local LAN or on wireless network (if your driver supports promiscuous mode, or even better, monitor mode).WallCoolerWallCooler is a powerful and flexible VPN solution to access Home or Office computers & networks from anywhere. All Windows based applications are supported, no need to use special applications or synchronize files. Users can remote access organization's databases, e-mails, remote desktops, product catalogue... from anywhere. WallCooler sits on the local company network, uses an existing Internet connection and automatically manages incoming connections via relay servers.Warp PipeWarp Pipe is free software that runs on your PC or Mac and is available for Windows, Mac OSX, Linux, and BSD operating systems. While running on your PC or Mac, Warp Pipe allows you to play LAN-enabled Nintendo GameCube games over the Internet with other GameCube gamers.Watt-32Watt-32 is a library for making networked TCP/IP programs in the language of C and C++ under DOS and Windows-NT. WebSnurfWebsnurf is a small application that follows a user web-surfing; that is to say, as you run WebSnurf on your PC, you can pursue web-surfing movements made on another PC. Obviously, you have to be connected over the same LAN.Win32::NetPacketWin32::NetPacket is an Object-Oriented interface to the WinPcap packet.dll library.Windows ARP SpooferWindows ARP Spoofer (WinArpSpoof) is a program that can scan the computers including network devices and can spoof their ARP tables on local area network and can act as a router while pulling all packets on LAN.Windows ToolboxThe Windows Toolbox is a comprehensive collection of software and information for Windows - a toolbox of high quality applications and utilities for a wide array of functions, all freely re-distributable and under Free, Open Source, Freeware, Shareware or similar licences; documents on installing, configuring and maintaining Windows and various software applications, for stability, performance, usability and security.WindumpWinDump is the Windows version of the famous tcpdump Unix tool. It's developed and maintained by the WinPcap team. WinfingerprintWinfingerprint is a Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.WinPcapArpWinPcapArp is ARP client library that works on Windows OS(NT and 2000). The main purpose of this library is to get a MAC address of the target ethernet NIC with the IP address.WinPcapDhcpCDWinPcapDhcpCD is a DHCP client demon library that works on Windows OS (NT and 2000). The purpose of this library is to get more than one IP addresses in your application program.winpcapyPython port of Winpcap functions using ctypes. Work with Python 2.x and 3 under Linux / Windows. This is a low level implementation, no object or pythonic way, so you need ctypes knowledge to use it.WinSniffWinSniff is an application for capturing packets on the network. It displays all the packets that are transmitted on the local network and gives detailed information about each header in the packet.WinWhifWinWhif allows any PC running Windows (95, 98, NT or 2000) to record the DICOM traffic between two machines on the same network. It can be useful in diagnosing DICOM communications problems.Wireshark/EtherealWireshark (formerly known as Ethereal) is the world's most popular network analyzer. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.wpa_supplicantwpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11authentication/association of the wlan driver.WIRE1xWIRE1x is an open source implementation of IEEE 802.1x client (supplicant). It supports various EAP authentication methods.YATTYATT is a project to replace the current proliferation of trace tools ( tcpTrace, proxyTrace, pcapTrace ), with a single extensible tracing tool. YATT features a new GUI built with WTL, complete with a Hex View mode, and currently ships with 2 Trace providers, one based on WinPCAP and one based on the W2K Raw sockets support.YorkYork logs ip/fqdn addresses if all traffic. It can save sniffed http and ftp files. Also you can sniff for HTTP, FTP, POP3, SMTP, SMB, VNC and AIM password/hash. Further you can see the web browsing from other users, so your browser will show the same pages as the selected user. A screensaver is included, it shows the pictures which are sniffed in a slide show manner.。

WinPcap网络分析的体系结构方松茂李祥（贵州大学计算机软件与理论研究所贵阳550025）摘要：WinPcap是一个包含了一套与libpcap兼容的捕获网络数据包的函数库，在各种不同的网络分析工具、故障工具、安全工具和监听工具开发中被广泛使用；本文首先介绍WinPcap，分析其体现结构，并通过捕获、发送网络数据包实例说明该函数库的使用方法。

关键词: WinPcap , LibPcap, 结构体系，网络分析WinPcap是一个包含了一套与libpcap兼容的捕获数据包的函数库。

这套函数库是由加州大学和Lawrence Berkeley实验室及其投稿者联合开发的。

他们在1999年3月31日推出了1.0版，提供了用户级BPF过滤；1999年8月21日推出了2.0版，将BPF过滤增加到内核中并增加了内核缓存；2001年3月15日推出了2.1版，该版对libpcap0.5.2进行了升级，并可支持更多的网络类型；2001年1月30日推出了2.2版；2002年3月28日推出了2.3版；2003年1月10日推出了最新的3.0版，增加了NPF设备驱动的一些新的特性及优化方案、在wpcap.dll 中增加了一些函数等等功能。

1 带内核驱动模式的WinPcap及其功能进行网络分析的应用程序依赖于一套适当的指令来捕获网络中的数据包，监听网络等等。

几乎所有的Unix系统版本都含有至少是支持捕获分组的内核模块。

在Windows中有一些API有自己的内核模块，然而它们都有一些局限。

例如，Netmon API不是免费的，其扩展性很有限，而且它不允许发数据包。

IP过滤驱动程序只在Windows2000上有效，它除了IP协议外不支持任何其他协议。

它允许操作或丢弃数据包但不允许监听和产生数据包。

PCAUSA[11]是一套商业化的产品，它提供一个捕获包的接口及兼容BPF的过滤器。

然而，用户的接口都很底层，没有提供类似于产生过滤器的抽象函数。

Winpcap使用介绍1. Winpcap简介Winpcap（windows packet capture）是在Win32平台上的强大的、有较好扩展性的底层网络分析体系结构，是Unix下的lipbcap移植到windows下的产物，是Win32环境下数据包捕获的开放代码函数库。

Winpcap是第一个Win32开放式的捕获包的体系结构，能够支持大多数应用程序的需要。

如图A-1所示，Winpcap包含了一个内核级的数据包过滤器——NPF (Netgroup Packet Filter)、一个底层动态链接库（Packet.dll）和一个高层的独立于系统的库（Wpcap.dll）。

这三个模块中，NPF属于内核级，其他两模块属于用户级。

图A-1 Winpcap的结构图NPF模块过滤数据包，将数据包不做任何改动的传递给用户，它还包含了一些操作系统专用代码（如：时间戳管理）。

Packet.dll模块提供了Win32平台下的捕获包的驱动接口。

实际上，不同版本的Windows 都提供了不同的内核模块和应用程序之间的接口函数，Packet.dll有一套独立于系统的API 来处理这些差异。

基于Packet.dll编写的程序可以不经过重新编译就在各种Win32平台下实现捕获数据包。

Packet.dll还包含了其他一些函数。

它可以进行一些底层的操作，Packet.dll和NPF都依赖于操作系统，并且由于Windows95/98和WindowsNT/2000之间操作系统结构的不同而在不同版本的操作系统上有所不同。

Wpcap.dll库不依赖于操作系统，并且它包含了一些其它高层的函数，比如：过滤器生成器、用户定义的缓冲区和高层特性（数据统计和构造数据包）。

Winpcap提供的功能包括四个方面：1)捕获原始数据包，包括在共享网络上各主机发送/接收的以及相互之间交换的数据包；2)在数据包发往应用程序之前，按照自定义的规则将某些特殊的数据包过滤掉；3)在网络上发送原始的数据包；4)收集网络通信过程中的流量信息。

WinpCap的详解（一）首先来百科一下Winpcap是一个什么东东。

Winpcap(windows packet capture)是windows平台下一个免费，公共的网络访问系统。

它有如下几个功能：1、捕获原始数据包，包括在共享网络上各主机发送/接收的以及相互之间交换的数据；2、在数据包发往应用程序之前，按照自定义的规则将某些特殊的数据包过滤掉；3、在网络上发送原始的数据包；4、收集网络通信过程中的统计信息。

从上面的功能来看，这个库文件提供了许多的API函数，可以让我们捕获网络上的数据包以及统计网络通信的信息。

为了更直观的反应这个库文件的作用，我们来看看利用这个库文件写出来的一个应用软件，wireshark。

界面如下图所示，这个界面只是捕获数据的一个小界面，里面有很多的设置，有兴趣可以下载一个试试。

他能统计在一个局域网的所有网络信息。

这里面重要一点，需要提醒的是：winpcap的主要功能在于独立于主机协议（如TCP-IP)而发送和接收原始数据包。

也就是说，winpcap不能阻塞，过滤或控制其他应用程序数据包的发收，它仅仅只是监听共享网络上传送的数据包。

也就是说，WinpCap主要功能不能截取网络中的数据，他只能监听里面的数据。

对于WinpCap的结构以及原理，我们自然可以不用理会啦，我们只需要知道他的用途就行啦！一、安装WinpCap1、首先我们来看看如何安装WinpCap这个库，首先是下载WinpCap安装文件，这里有许多的版本，可以在官网上下载，，这里重点提醒一下，特别需要注意一下版本，如果你的版本是4.02，那么你的安装包也必须下载对应的版本，这里特别注意下，你可以下载当前比较稳定的版本。

下载之后安装就ok啦！这里我用的是WinpCap4.02.2、下载WinpCap Develop's Packs，这里我也提供相同的版本WpdPack4.02.3、解压后会得一个目录WpdPack四个子目录：docsExamples-pcapExamples-remoteIncludeLib然后配置VC++tools --> options --> Projects and Solutions --> VC++ Directories :Include files ：WpdPackPath\includeLibrary files：WpdPackPath\lib4、经过上面的步骤之后，你的WinpCap应该就安装成功啦，之后就是运行一下里面提供的例程啦，如果有什么问题，就对应的把问题在网上查一查，总体来说有以下几个问题：第一个就是需要在工程的链接库上添加wpcap.lib链接库；第二个就是你的SDK太老了，需要添加更新你的SDK，相应的到官方网站上下载适合你电脑的SDK。

一)数据结构• 1) typedef struct _ADAPTER ADAPTER//描述一个网络适配器；•2) typedef struct PACKET PACKET 结构；//描述一-组网络数据报的•3) typedef struct NctTypc NctTypc//描述网络类型的数据结构;•4) typedef struct npf_if_addr npf_if_addr ip地址;〃描述一个网络适配器的•5) struct bpf hdr//数据报头部；•6) struct bpf_stat //当前捕获数据报的统计信息。

函数1) int pcap_findalldevs ( pcap_if_t ** alldevsp, char * errbuf) 功能：列出当前所有可用的网络设备(网卡) 所在头文件：pcap. h参数说明：pcap_if_t ** alldevsp 指向pcap_if_t结构列表的指针的地址。

实际使用时，声明一个pcap_if_t结构的指针(pcap_if_t * alldevsp),然后把该地址作为参数传入即可(&alldevsp)。

char * errbuf 错误缓冲区，要求长度至少为PCAP_ERRBUF_SIZE字节返回值：一1：出错，将会向错误缓冲屮填充错误信息，错误信息为ASCII码, 可以直接打印出来。

0：正确返回，可以使用alldevsp访问所有网络硬件pcap_i f 的结构Struct pcap_if {struct pcap_if *next;char *name;chat ^description;struet pcap_addr address;u_int flags;也可以用pcap_if_t代替pcap if2)pcapt * pcapopen_live ( char * device, int snaplen, int promisc, int to_ms, char * errbuf );获取一个包捕捉句柄，类似文件操作函数使用的文件句柄。

物联网技术 ２０１８年　／　第２期 ５４0 引 言战术网络是由指挥车、战车等多用途车辆，以其车内局域网为节点组成的广域网络。

采用各种战术电台通信，其环境情况由于复杂的电磁干扰和快速移动的自身特点而多变，通信保障人员需要随时掌握战场通信网络态势，因此提供一种行之有效的网络性能管理方法至关重要。

网络管理系统的性能指标包括系统吞吐率、链路使用率、网管消息的延迟时间、丢包率、网管消息的冗余度等[1]。

网络流量监控是网络性能管理的一个重要方法，包括实时获悉流量信息，长时间的流量收集、分析与统计，为网络管理人员提供带宽规划与趋势分析报告等[2]。

通常采用的网络流量监控技术包括基于网络流量全镜像监测技术、基于SNMP 的监测技术和基于NetFlow 的监测技术[3]。

上述三种技术各有优缺点，均需依赖网络设备提供硬件支持。

战术环境下网络设备通常会处理多种设备的报文交换和其他数据交互，网络设备负荷较重，且通信链路带宽较窄，研究一种不依赖网络设备、尽可能减少带宽占用的网络流量监测方法能够有效提高战术网络环境中的网络性能管理。

本文针对战术通信环境的特点设计了一种基于WinPcap [4]的分布式数据包捕获分析系统，以减轻网络设备负荷，高效、快速的对车内局域网的网络性能状况进行监控和数据包分析，为通信人员提供决策辅助。

通过逐级上报，将各节点网络性能数据汇总到网络管理中心后进行统计分析即可明确全网性能态势。

1 战术环境下的通信系统特点分析战术通信环境可视为一个广域网，由多种有线网、无线电台网和野战局域网组成。

野战局域网分布于不同用途的车辆中，由多种通信设备，一台交换设备（网关）和一至多台战术终端和服务器构成。

数据由终端和服务器产生，经网关由通信设备传输至广域网。

战术通信以大量电台作为通信手段，但其通信带宽有限，网络拓扑动态变化，移动设备的计算能力有限[5]；战场电磁环境复杂，干扰严重，影响数据传输，丢包率较高[6]；由于网关承担了对外数据交换的任务，导致网关负荷较重。

Winpcap的体系结构与性能研究杨虹;陈威【摘要】Winpeap includes a set of innovative features （such as packet monitoring and packet injection） that are not available in previous systems. This paper presents the details of the architecture and it shows its excellent performance.%Winpcap有一系列创新（如数据包监视和数据包注入）的特点，这在以前的操作系统中是见不到的。

介绍了Winpcap的系统结构及其功能。

【期刊名称】《微型机与应用》【年(卷),期】2012(031)009【总页数】5页(P5-8,11)【关键词】Winpcap;数据包监测;数据包注入【作者】杨虹;陈威【作者单位】重庆邮电大学,重庆400065;重庆邮电大学,重庆400065【正文语种】中文【中图分类】TN828.6网络分析软件通常依赖底层调用抓取数据包，进行数据包监视或流量分析等。

大多数的Unix系统都提供这些功能（至少是数据包抓取），而Windows提供的这些功能却不令人满意。

Windows提供了一些与各种内核组件相关的API，但这些API存在严重的缺陷，如并不是所有的Netmon API都可用，而且其扩展存在很多限制。

IP过滤驱动程序（IP filterdriver）只存在 Windows 2000及以上系统中，而且它只支持IP协议，虽然它能够控制和丢弃数据包但却不能监测和构造数据包。

PCAUSA提供了一个商业产品，该产品含有数据包捕获和BPF兼容的过滤器，然而它的用户接口处于底层且没有提供过滤器构造这样的抽象方法。

随着原本在Unix系统上的应用不断转向Windows系统，这些特性的缺失成了不可忽视的问题。