Wireshark是一个强大的抓包分析工具,制作自己的抓包工具可以基于Wireshark的插件机制做二次开发,也可以基于WinPcap的开发包来开发,WinPcap本质上是基于NDIS驱动程序接口规范开发的(NDIS是Network Driver Interface Specification的简写)。
这里记录的是基于C/C++和WpdPack二次开发包的方法。供大家参考。
由于驱动需要签名才能使用, 签名费用昂贵,个人开发者可以使用开源的签名驱动,比如基于NDIS的驱动有OpenVPN开源的可以使用,也有Wireguard开源的WinTun驱动可以使用。
下面我会贴出具体的实现源码
Linux下的开发包下载地址
Home | TCPDUMP & LIBPCAP https://www.tcpdump.org/ https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz
https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz
windows下的开发包下载地址:
https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip WinPcap · Developer Resources
https://www.winpcap.org/devel.htm
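/*
 * Dependencies for the WinPcap-based traffic counter.
 * "pcap.h" is the WpdPack SDK header; wpcap.lib is linked by the pragma
 * below. <Windows.h>/<winsock.h>/<process.h> supply the Win32, socket and
 * thread-runtime declarations.
 * NOTE(review): <winsock.h> is the Winsock 1.1 header while Ws2_32.lib is the
 * Winsock 2 import library; <winsock2.h> is the usual pairing for Ws2_32.
 */
#include "pcap.h"
#include <string.h>
#include <time.h>      /* time(), localtime(), struct tm used by updateData() */
#include <Windows.h>
#include <winsock.h>
#include <process.h>

#pragma comment(lib, "wpcap.lib")
#pragma comment(lib, "Ws2_32.lib")

/* Presumably bytes per line of a packet hex dump; not used in the visible code. */
#define LINE_LEN 16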
#define MAX_ADDR_LEN 32

/*
 * Textual MAC address of the capture interface, filled in elsewhere.
 * NOTE(review): nothing in the visible code writes it; whatever does must
 * bound the write to sizeof macaddr (snprintf), not strcpy/sprintf.
 */
char macaddr[128] = { 0 };

/*
 * Session-wide byte totals per direction.
 * NOTE(review): int accumulators of wire-supplied packet lengths wrap past
 * INT_MAX (signed overflow is UB); unsigned long long would be safer if the
 * code that prints them (not visible here) is updated together.
 */
int total_send = 0;
int total_recv = 0;

/* Traffic direction passed as `dir` to updateData(). */
enum {
    RECV_DIR = 1,
    SEND_DIR = 2
};

/*
 * Per-interval byte counters, one array per direction. Slot 0 of each array
 * is a marker for the period the buckets belong to; the remaining slots hold
 * bytes per sub-interval (see updateData, which maintains them):
 *   flowSecond*[0] = time_t of the current second, [1] = bytes in it
 *                    (time_t is narrowed into int on store — TODO confirm
 *                    this is acceptable on the target platform)
 *   flowMinute*[0] = tm_hour, [tm_min + 1]  = bytes per minute (1..60)
 *   flowHour*[0]   = tm_mday, [tm_hour + 1] = bytes per hour   (1..24)
 *   flowDay*[0]    = tm_mon,  [tm_mday]     = bytes per day    (1..31)
 * The _flow* arrays are snapshots of the previous hour/day/month, copied on
 * rollover before the live array is cleared.
 * NOTE(review): updateData's receive path indexes flowHourRecv[tm_hour] when
 * accumulating but flowHourRecv[tm_hour + 1] when starting a new day; at
 * tm_hour == 0 the former adds into slot 0, the day marker. Verify against
 * the full function.
 * NOTE(review): file-scope identifiers beginning with `_` are reserved for
 * the implementation (C11 7.1.3); a prev_/last_ prefix would avoid that.
 */
int flowSecondRecv[2] = { 0 };
int flowSecondSend[2] = { 0 };

int flowMinuteRecv[61] = { 0 };
int flowMinuteSend[61] = { 0 };
int _flowMinuteRecv[61] = { 0 };   /* previous hour, 60 minute buckets */
int _flowMinuteSend[61] = { 0 };

int flowHourRecv[25] = { 0 };
int flowHourSend[25] = { 0 };
int _flowHourRecv[25] = { 0 };     /* previous day, 24 hour buckets */
int _flowHourSend[25] = { 0 };

int flowDayRecv[32] = { 0 };
int flowDaySend[32] = { 0 };
int _flowDayRecv[32] = { 0 };      /* previous month, up to 31 day buckets */
int _flowDaySend[32] = { 0 };   /* previous month, send direction (see _flowDayRecv) */

/*
 * Intended to write the counters out; an empty stub in this listing.
 * NOTE(review): `()` in C declares an unspecified parameter list; `(void)`
 * is the prototype form.
 */
void dumpData()
{}

void updateData(int dir, int len )
{time_t local_tv_sec = time(0);struct tm* ltime = localtime(&local_tv_sec);if (dir == RECV_DIR) {if (flowSecondRecv[0] == local_tv_sec) {flowSecondRecv[1] += len;//单位字节}else {flowSecondRecv[0] = local_tv_sec;flowSecondRecv[1] = len;//单位字节}if (flowMinuteRecv[0] == ltime->tm_hour) {flowMinuteRecv[ltime->tm_min + 1] += len;//单位字节}else {memcpy(_flowMinuteRecv, flowMinuteRecv, sizeof(flowMinuteRecv));memset(flowMinuteRecv, 0, sizeof(flowMinuteRecv));flowMinuteRecv[0] = ltime->tm_hour;flowMinuteRecv[ltime->tm_min + 1] = len;//单位字节}if (flowHourRecv[0] == ltime->tm_mday){flowHourRecv[ltime->tm_hour] += len;//单位字节}else {memcpy(_flowHourRecv, flowHourRecv, sizeof(flowHourRecv));memset(flowHourRecv, 0, sizeof(flowHourRecv));flowHourRecv[0] = ltime->tm_mday;flowHourRecv[ltime->tm_hour +1] = len;//单位字节}if (flowDayRecv[0] == ltime->tm_mon) {flowDayRecv[ltime->tm_mday] += len;}else {memcpy(_flowDayRecv, flowDayRecv, sizeof(flowDayRecv));memset(flowDayRecv, 0, sizeof(flowDayRecv));flowDayRecv[0]