【发布时间】:2016-01-24 13:46:51
【问题描述】:
我正在尝试计算从捕获的数据包到前一个数据包的延迟,两者都来自同一个连接。 我使用的是单链表,每个节点对应一个连接;我区分从 IP1 到 IP2 的数据包和从 IP2 到 IP1 的数据包:我使用一个节点来表示连接的方向(IP1 到 IP2),另一个节点来表示连接的相反方向(IP2 到 IP1)。 我总是在列表末尾添加。
我的结构节点如下:
typedef struct node {
unsigned int num_pkt; // number of packets coming/going in this connection
u_int8_t protocol;
u_int32_t saddr;
u_int32_t daddr;
u_int16_t sport;
u_int16_t dport;
struct timeval time_begin; // first timestamp when I got pkt from this connection
struct timeval time_end; // last timestamp when I got pkt from this connection
struct timeval old_ts; // temporary timestamp to calculate delay
struct node *next;
} node;
全局指针变量,用于获取列表的第一个和最后一个节点:
node *head = NULL;
node *current = NULL;
这是pcap_loop每次收到数据包时调用的回调函数的伪代码:
void my_callback(u_char *arg, const struct pcap_pkthdr* pkthdr, const u_char* packet)
{
++count;
int length_packet = sizeof(packet);
const struct ether_header *ethh;
const struct iphdr *iph;
const struct tcphdr *tcph;
const struct udphdr *udph;
unsigned short int iphdrlen;
node *tmp; // to iterate over the list
int protocol, sport, dport;
unsigned long int delay;
ethh = (struct ether_header *)packet;
if (ntohs(ethh->ether_type) == ETHERTYPE_IP) {
iph = (struct iphdr*)(packet + sizeof(struct ether_header));
iphdrlen = iph->ihl*4;
protocol = (iph->protocol);
switch (protocol) {
case 6:
tcph = (struct tcphdr *)(packet + sizeof(struct ether_header) + iphdrlen);
sport = ntohs(tcph->th_sport);
dport = ntohs(tcph->th_dport);
break;
case 17:
udph = (struct udphdr *)(packet + sizeof(struct ether_header) + iphdrlen);
sport = ntohs(udph->uh_sport);
dport = ntohs(udph->uh_dport);
break;
default:
break;
}
/* If the list is empty, add first node, fill it and update pointers */
if (head == NULL ) {
node *new_node = (node *)malloc(sizeof(node));
if (new_node == NULL) {
printf("MALLOC ERROR\n");
exit(1);
}
new_node->time_begin.tv_sec = pkthdr->ts.tv_sec;
new_node->time_begin.tv_usec = pkthdr->ts.tv_usec;
new_node->old_ts.tv_sec = pkthdr->ts.tv_sec;
new_node->old_ts.tv_usec = pkthdr->ts.tv_usec;
new_node->time_end.tv_sec = 0;
new_node->time_end.tv_usec = 0;
new_node->num_pkt = 1;
new_node->protocol = protocol;
new_node->saddr = ntohl(iph->saddr);
new_node->daddr = ntohl(iph->daddr);
new_node->sport = sport;
new_node->dport = dport;
new_node->next = NULL;
head = current = new_node;
} else {
tmp = head;
while (tmp != NULL) {
if ((tmp->saddr == ntohl(iph->saddr)) && (tmp->daddr == ntohl(iph->daddr)) &&
(tmp->protocol == protocol) && (tmp->sport == sport) && (tmp->dport == dport)) {
tmp->bts = tmp->bts + length_packet;
tmp->num_pkt = tmp->num_pkt+1;
char src_addr[INET_ADDRSTRLEN], dst_addr[INET_ADDRSTRLEN];
/* Function I made, it uses inet_ntop */
get_src_addr(src_addr, iph);
get_dst_addr(dst_addr, iph);
/* How do I calculate delay: getting the total amount of microsecs
from the timeval inside pcap_pkthdr which contains the timestamp
of the caught packet and subtracting to it the total amount of microsecs
from the old_ts timeval, which contains the timestamp of the previous packet
coming from the same connection */
delay = ((long)(pkthdr->ts.tv_sec*1000000)+pkthdr->ts.tv_usec) - ((long)(tmp->old_ts.tv_sec*1000000)+tmp->old_ts.tv_usec);
printf("%d; %s:%u > %s:%u update timeval: %ld <- %ld (secs), %ld <- %ld (microsecs); delay = %ld\n",
tmp->num_pkt, src_addr, tmp->sport, dst_addr, tmp->dport, tmp->old_ts.tv_sec, pkthdr->ts.tv_sec,
tmp->old_ts.tv_usec, pkthdr->ts.tv_usec, delay);
/* updating old timestamp */
tmp->old_ts.tv_sec = pkthdr->ts.tv_sec;
tmp->old_ts.tv_usec = pkthdr->ts.tv_usec;
tmp->time_end.tv_sec = pkthdr->ts.tv_sec;
tmp->time_end.tv_usec = pkthdr->ts.tv_usec;
return;
} else {
tmp = tmp->next;
}
}
/* If we are here, we are at the end of the list and since
none of the previous packets matches IP address and ports of the new one
caught, we have a new connection. Allocating new node and filling it */
node *new_node = (node *)malloc(sizeof(node));
if (new_node == NULL) {
printf("MALLOC ERROR\n");
exit(1);
}
new_node->time_begin.tv_sec = pkthdr->ts.tv_sec;
new_node->time_begin.tv_usec = pkthdr->ts.tv_usec;
new_node->old_ts.tv_sec = pkthdr->ts.tv_sec;
new_node->old_ts.tv_usec = pkthdr->ts.tv_usec;
new_node->num_pkt = 1;
new_node->protocol = protocol;
new_node->saddr = ntohl(iph->saddr);
new_node->daddr = ntohl(iph->daddr);
new_node->sport = sport;
new_node->dport = dport;
new_node->time_end.tv_sec = 0;
new_node->time_end.tv_usec = 0;
new_node->next = NULL;
current->next = new_node;
current = new_node;
}
}
这是输出的片段,仅用于一个连接:
996; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 133332 <- 133334 (microsecs); delay = 2
997; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 133334 <- 133334 (microsecs); delay = 0
998; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 133334 <- 133336 (microsecs); delay = 2
999; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 133336 <- 133507 (microsecs); delay = 171
1000; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 133507 <- 135646 (microsecs); delay = 2139
1001; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 135646 <- 135652 (microsecs); delay = 6
1002; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 135652 <- 135852 (microsecs); delay = 200
1003; 93.62.101.12:443 > 10.0.0.12:55653 update timeval: 1445773040 <- 1445773040 (secs), 135852 <- 135654 (microsecs); delay = -198
在数据包编号 1003 中,我得到 -198 微秒的负延迟;这是因为 pcap_pkthdr 结构中的时间戳比旧时间戳的微秒数更少,从而导致负值。
知道为什么最近的时间戳比旧的时间戳少吗?
【问题讨论】: