前一陣子要寫一個簡單的arp協議的分析程序，在翻閱了一些資料以后，決定使用libpcap庫來實現，但是后來涉及到寫鏈路層數據的緣故（另外一個程序，這個程序就是發送一個假冒的arp request,在本文沒有實現，今后有空再整理吧），所以放棄了libpcap。由于本人使用的是solaris環境，所以無法使用bpf，但是sun公司仍然為開發者提供了一個與設備底層無關的接口DLPI，DLPI的全稱是Data Link Provider Interface，通過DLPI開發者可以訪問數據鏈路層的數據包，在早期的sunos系統中基本上采用的是NIT設備，但是現在solaris系統都使用了DLPI.關于DLPI的具體介紹大家可以訪問網站www.opengroup.org/pubs/catalog/c811.htm，我這里就不多說了。
在搜索了許多資料之后發現目前關于DLPI的編程資料不多，沒有具體的過程，后來翻閱了Neal Nuckolls寫的一篇文章How to Use the STREAMS Data Link Provider Interface (DLPI)，根據例子做了修改（主要是提供了協議分析的部分），現在把編寫一個DLPI過程共享一下，希望能對大家有所幫助。建議大家可以先看看Neal Nuckolls的文章，其中有部分涉及到流編程的，可以參考http://docs.sun.com/app/docs/doc/816-4855的streams programming guide（不過這不是必須的）。
使用DLPI來訪問數據鏈路層有幾個步驟：
1、打開網絡設備
2、將一個流 attach到一個特定的設備上，這里就是我們剛才打開的設備
3、將設備設置為混雜模式（可選）
4、把數據鏈路層sap綁定到流
5、調用ioctl,設置raw模式
6、配置其他模塊（可選）
7、刷新緩存
8、接收數據進入分析階段
第一步，我們首先打開一個網絡設備，在本例中我們打開的是/dev/bge設備，這是本機的網絡接口，注意不是/dev/bge0，通過open調用打開，并且返回一個描述符
fd=open(device, 2)
第二步，attach一個流到設備上，這是通過發送DL_ATTACH_REQ原語來完成的
dlattachreq(fd, ppa)
int fd;
u_long ppa;
{
dl_attach_req_t attach_req;
struct strbuf ctl;
int flags;

attach_req.dl_primitive = DL_ATTACH_REQ;
attach_req.dl_ppa = ppa;

ctl.maxlen = 0;
ctl.len = sizeof (attach_req);
ctl.buf = (char *) &attach_req;

flags = 0;

if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
syserr("dlattachreq:  putmsg");
}
dl_attach_req_t是一個定義在dlpi.h中的結構體，我們通過填寫結構體來發布原語，putmsg將消息發送到一個流，以上這個函數是DLPI中發布原語的主要格式
發布了DL_ATTACH_REQ原語之后，還要確認是否成功，
dlokack(fd, bufp)
int fd;
char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
int flags;

ctl.maxlen = MAXDLBUF;
ctl.len = 0;
ctl.buf = bufp;

strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlokack");

dlp = (union DL_primitives *) ctl.buf;

expecting(DL_OK_ACK, dlp);

if (ctl.len < sizeof (dl_ok_ack_t))
err("dlokack:  response ctl.len too short:  %d", ctl.len);

if (flags != RS_HIPRI)
err("dlokack:  DL_OK_ACK was not M_PCPROTO");

if (ctl.len < sizeof (dl_ok_ack_t))
err("dlokack:  short response ctl.len:  %d", ctl.len);
}
第三步，將設備設置為混雜模式下工作（可選）
dlpromisconreq(fd, DL_PROMISC_PHYS);
這一個步驟也是通過發布DLPI原語來實現的，具體代碼后面給出
第四步，綁定流
dlbindreq(fd, sap, 0, DL_CLDLS, 0, 0);
dlbindack(fd, buf);
第五步，設置raw模式
strioctl(fd, DLIOCRAW, -1, 0, NULL)
第六步，配置其他模塊（在詳細代碼中給出）
第七步，刷新數據，這是通過ioctl調用實現的
ioctl(fd, I_FLUSH, FLUSHR)
第八步，這是我們最關心的步驟，實際上，前面的這些步驟我們都可以忽略，大致明白有這么個過程就可以了，到時候寫代碼的時候照搬這個框架就可以。使用DLPI編程并不難，關鍵在于大家要了解它的框架，沒必要非得自己去寫一個框架來，本文就是利用了Michael R. Widner的代碼,今后如果要增加功能只需要往這個框架里填就可以了。
協議分析的過程是在函數filter完成的，函數申明如下
void filter(register char *cp,register u_int  pktlen);
該函數接收兩個參數，cp是直接從設備緩存里拷貝過來的待分析數據，是鏈路層的封裝數據，pktlen是數據的長度。在本文中由于操作環境是以太網，因此接收的數據鏈路層數據是以太網封裝格式，如不清楚以太網封裝的可以參考《TCP/IP詳解 卷一：協議》，以太網封裝三種標準的協議類型：IP協議、ARP協議和RARP協議。14字節的以太網首部包括了6字節的目的地址，6字節的源地址和2字節的類型字段，IP的類型值為0x0800,ARP的類型值為0x0806,RARP的類型值為0x8035。通過檢查類型字段來區別接收到的數據是屬于哪一種協議，函數實現代碼如下
void filter(cp, pktlen)
register char *cp;
register u_int pktlen;
{
register struct ip     *ip;
register struct tcphdr *tcph;
register struct ether_header *eth;
char *head=cp;
static long line_count=0;//計數器，用來記錄接收的數據次數

u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);
  //如果EtherType小于0x600說明這是一個符合802.3標準的數據格式，應當對數據作出調整
  if(EtherType < 0x600) {
    EtherType = *(u_short *)(cp + SZETH + 6);
    cp+=8; pktlen-=8;
  }
  eth=(struct ether_header*)cp;
  fprintf(LOG,"%-5d",++line_count);
  if(EtherType == ETHERTYPE_IP) //檢查協議類型是否IP協議
  {
  ip=(struct ip *)(cp+SZETH);//調整指針的位置，SZETH是以太網首部長度
  Mac_info(e->ether_shost);//Mac_info函數打印出物理地址
  fprintf(LOG,"(");
  Ip_info(&ip->ip_src);//Ip_info函數打印出IP地址
  fprintf(LOG,")");
  fprintf(LOG,"--->");
  Mac_info(e->ether_dhost);
  fprintf(LOG,"(");
  Ip_info(&ip->ip_dst);
  fprintf(LOG,")");
  fprintf(LOG,"\n");
  }
  else if(EtherType == ARP_PROTO)//如果協議類型是ARP
  {
     cp+=SZETH;
     struct ether_arp *arp=(struct ether_arp *)cp;
     switch(ntohs(arp->ea_hdr.ar_op))//檢查arp的操作
     {
       case ARPOP_REQUEST:   //如果是arp請求
           fprintf(LOG,"arp request:who has ");
           arp_ip_info(arp->arp_tpa);  //打印arp報文信息中的地址
           fprintf(LOG," tells ");
           arp_ip_info(arp->arp_spa);
           fprintf(LOG,"\n");
           break;
       case ARPOP_REPLY:     //arp應答
           fprintf(LOG,"arp reply: ");
           arp_ip_info(arp->arp_spa);
           fprintf(LOG," is at  ");
           Mac_info((struct ether_addr*)&arp->arp_sha);
           fprintf(LOG,"\n");
           break;
      }        
      //可以在這里添加代碼打印出arp數據報的具體內容
   }
}
程序的具體實現代碼如下：
/*  程序sniffer.c的代碼清單 */
#include <sys/stream.h>
#include <sys/dlpi.h>
#include <sys/bufmod.h>

#include <stdio.h>
#include <ctype.h>
#include <string.h>

#include <sys/time.h>
#include <sys/file.h>
#include <sys/stropts.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>

#include <net/if.h>
#include <net/if_arp.h>

#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/ip_var.h>
#include <netinet/udp_var.h>
#include <netinet/in_systm.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>

#include <netdb.h>
#include <arpa/inet.h>

#define MAXDLBUF 32768
#define MAXWAIT 15
#define MAXDLADDR 1024
#define         BITSPERBYTE        8

#define bcopy(s1, s2, len) memcpy(s2, s1, len)
#define index(s, c) strchr(s, c)
#define rindex(s, c) strrchr(s, c)

#define bcmp(s1, s2, len) (memcmp(s1, s2, len)!=0)

#define ERR stderr

char    *device,
       *ProgName,
       *LogName;
FILE    *LOG;
int     debug=0;
long databuf[MAXDLBUF];
int sap=0;
#define NIT_DEV     "/dev/bge"
#define CHUNKSIZE   4096      
int     if_fd = -1;
int     Packet[CHUNKSIZE+32];

int promisc = 1;
int bufmod = 0;
int filter_flags=0;

int maxbuflen=128;

void Pexit(err,msg)
int err; char *msg;
{ perror(msg);
 exit(err); }

void Zexit(err,msg)
int err; char *msg;
{ fprintf(ERR,msg);
 exit(err); }
#define ARP_PROTO   (0x0806)
#define IP          ((struct ip *)Packet)
#define IP_OFFSET   (0x1FFF)
#define SZETH       (sizeof(struct ether_header))
#define ARPLEN      (sizeof(struct ether_arp))
#define MACLEN      (6)
#define IPALEN      (4)
#define IPLEN       (ntohs(ip->ip_len))
#define IPHLEN      (ip->ip_hl)
#define INET_ADDRSTRLEN 16

#define MAXBUFLEN  (8192)
time_t  LastTIME = 0;

char *Ptm(t)
register time_t *t;
{ register char *p = ctime(t);
 p[strlen(p)-6]=0;
 return(p);
}

char *NOWtm()
{ time_t tm;
 time(&tm);
 return( Ptm(&tm) );
}

void print_data(uchar_t *buf,int size)
{
int i=0;
char *p=buf;
for(;i<size;i++){
if(i%16 == 0) fprintf(LOG,"\n");
if(i%2 == 0) fprintf(LOG," ");
fprintf(LOG,"%02x",*p++&0x00ff);
}
fprintf(LOG,"\n");
}
//打印物理地址
void Mac_info(struct ether_addr*mac)
{
  fprintf(LOG,"%02x:%02x:%02x:%02x:%02x:%02x",
          mac->ether_addr_octet[0],
          mac->ether_addr_octet[1],
          mac->ether_addr_octet[2],  
          mac->ether_addr_octet[3],  
          mac->ether_addr_octet[4],
          mac->ether_addr_octet[5]);
}
//打印ip地址char buf[MAXDLBUF];
 
void Ip_info(struct in_addr *ip)
{
  char str[INET_ADDRSTRLEN];
  inet_ntop(AF_INET,ip,str,sizeof(str));
  if(*str)
  fprintf(LOG,"%s",str);
 
}
//打印ip地址的另外一個版本
void arp_ip_info(uchar_t pa[])
{
   fprintf(LOG,"%d.%d.%d.%d",pa[0],pa[1],pa[2],pa[3]);
}

void death()
{ register struct CREC *CLe;

   
   fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
   fflush(LOG);
   if(LOG != stdout)
       fclose(LOG);
   exit(1);
}

err(fmt, a1, a2, a3, a4)
char *fmt;
char *a1, *a2, *a3, *a4;
{
(void) fprintf(stderr, fmt, a1, a2, a3, a4);
(void) fprintf(stderr, "\n");
(void) exit(1);
}

void
sigalrm()
{
(void) err("sigalrm:  TIMEOUT");
}

strgetmsg(fd, ctlp, datap, flagsp, caller)
int fd;
struct strbuf *ctlp, *datap;
int *flagsp;
char *caller;
{
int rc;
static char errmsg[80];

(void) signal(SIGALRM, sigalrm);
if (alarm(MAXWAIT) < 0) {
(void) sprintf(errmsg, "%s:  alarm", caller);
syserr(errmsg);
}

*flagsp = 0;
if ((rc = getmsg(fd, ctlp, datap, flagsp)) < 0) {
(void) sprintf(errmsg, "%s:  getmsg", caller);
syserr(errmsg);
}

if (alarm(0) < 0) {
(void) sprintf(errmsg, "%s:  alarm", caller);
syserr(errmsg);
}

if ((rc & (MORECTL | MOREDATA)) == (MORECTL | MOREDATA))
err("%s:  MORECTL|MOREDATA", caller);
if (rc & MORECTL)
err("%s:  MORECTL", caller);
if (rc & MOREDATA)
err("%s:  MOREDATA", caller);

if (ctlp->len < sizeof (long))
err("getmsg:  control portion length < sizeof (long):  %d", ctlp->len);
}

expecting(prim, dlp)
int prim;
union DL_primitives *dlp;
{
if (dlp->dl_primitive != (u_long)prim) {
err("unexpected dlprim error\n");
exit(1);
}
}
strioctl(fd, cmd, timout, len, dp)
int fd;
int cmd;
int timout;
int len;
char *dp;
{
struct strioctl sioc;
int rc;

sioc.ic_cmd = cmd;
sioc.ic_timout = timout;
sioc.ic_len = len;
sioc.ic_dp = dp;
rc = ioctl(fd, I_STR, &sioc);

if (rc < 0)
return (rc);
else
return (sioc.ic_len);
}
dlattachreq(fd, ppa)
int fd;
u_long ppa;
{
dl_attach_req_t attach_req;
struct strbuf ctl;
int flags;

attach_req.dl_primitive = DL_ATTACH_REQ;
attach_req.dl_ppa = ppa;

ctl.maxlen = 0;
ctl.len = sizeof (attach_req);
ctl.buf = (char *) &attach_req;

flags = 0;

if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
syserr("dlattachreq:  putmsg");
}

dlokack(fd, bufp)
int fd;
char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
int flags;

ctl.maxlen = MAXDLBUF;
ctl.len = 0;
ctl.buf = bufp;

strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlokack");

dlp = (union DL_primitives *) ctl.buf;

expecting(DL_OK_ACK, dlp);

if (ctl.len < sizeof (dl_ok_ack_t))
err("dlokack:  response ctl.len too short:  %d", ctl.len);

if (flags != RS_HIPRI)
err("dlokack:  DL_OK_ACK was not M_PCPROTO");

if (ctl.len < sizeof (dl_ok_ack_t))
err("dlokack:  short response ctl.len:  %d", ctl.len);
}

dlbindreq(fd, sap, max_conind, service_mode, conn_mgmt, xidtest)
int fd;
u_long sap;
u_long max_conind;
u_long service_mode;
u_long conn_mgmt;
u_long xidtest;
{
dl_bind_req_t bind_req;
struct strbuf ctl;
int flags;

bind_req.dl_primitive = DL_BIND_REQ;
bind_req.dl_sap = sap;
bind_req.dl_max_conind = max_conind;
bind_req.dl_service_mode = service_mode;
bind_req.dl_conn_mgmt = conn_mgmt;
bind_req.dl_xidtest_flg = xidtest;

ctl.maxlen = 0;
ctl.len = sizeof (bind_req);
ctl.buf = (char *) &bind_req;

flags = 0;

if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
syserr("dlbindreq:  putmsg");
}

dlbindack(fd, bufp)
int fd;
char *bufp;
{
union DL_primitives *dlp;
struct strbuf ctl;
int flags;

ctl.maxlen = MAXDLBUF;
ctl.len = 0;
ctl.buf = bufp;

strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlbindack");

dlp = (union DL_primitives *) ctl.buf;

expecting(DL_BIND_ACK, dlp);

if (flags != RS_HIPRI)
err("dlbindack:  DL_OK_ACK was not M_PCPROTO");

if (ctl.len < sizeof (dl_bind_ack_t))
err("dlbindack:  short response ctl.len:  %d", ctl.len);
}

dlpromisconreq(fd, level)
int fd;
u_long level;
{
dl_promiscon_req_t promiscon_req;
struct strbuf ctl;
int flags;

promiscon_req.dl_primitive = DL_PROMISCON_REQ;
promiscon_req.dl_level = level;

ctl.maxlen = 0;
ctl.len = sizeof (promiscon_req);
ctl.buf = (char *) &promiscon_req;

flags = 0;

if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
syserr("dlpromiscon:  putmsg");

}

syserr(s)
char *s;
{
(void) perror(s);
exit(1);
}

void filter(cp, pktlen)
register char *cp;
register u_int pktlen;
{
register struct ip     *ip;
register struct tcphdr *tcph;
register struct ether_header *eth;
char *head=cp;
static long line_count=0;

u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);
 
  if(EtherType < 0x600) {
    EtherType = *(u_short *)(cp + SZETH + 6);
    cp+=8; pktlen-=8;
  }
  eth=(struct ether_header*)cp;
  fprintf(LOG,"%-5d",++line_count);
  if(EtherType == ETHERTYPE_IP)
  {
  ip=(struct ip *)(cp+SZETH);
 

  Mac_info(e->ether_shost);
  fprintf(LOG,"(");
  Ip_info(&ip->ip_src);
 
  fprintf(LOG,")");
  fprintf(LOG,"--->");
  Mac_info(e->ether_dhost);
  fprintf(LOG,"(");
  Ip_info(&ip->ip_dst);
 
  fprintf(LOG,")");
  fprintf(LOG,"\n");
 
 
 
  }
  else if(EtherType == ARP_PROTO)
  {
     cp+=SZETH;
     struct ether_arp *arp=(struct ether_arp *)cp;
     switch(ntohs(arp->ea_hdr.ar_op))
     {
       case ARPOP_REQUEST:
           fprintf(LOG,"arp request:who has ");
           arp_ip_info(arp->arp_tpa);
           fprintf(LOG," tells ");
           arp_ip_info(arp->arp_spa);
           fprintf(LOG,"\n");
           break;
       case ARPOP_REPLY:
           fprintf(LOG,"arp reply: ");
           arp_ip_info(arp->arp_spa);
           fprintf(LOG," is at  ");
           Mac_info((struct ether_addr*)&arp->arp_sha);
           fprintf(LOG,"\n");
           break;
       
      }        
      //打印出arp數據報的內容
     
   }

}

do_it()
{
long buf[MAXDLBUF];
char *device;
int ppa;
int fd;

struct strbuf data;
int flags;
int i;
int c;
int offset;
int len;
struct timeval t;
u_int chunksize = 16 * 1024;
struct sb_hdr *bp;
char *p, *limp;

int mrwtmp;

device = "/dev/bge";
ppa = 0;
sap= 0x0806;

if ((fd = open(device, 2)) < 0)
syserr(device);

dlattachreq(fd, ppa);
dlokack(fd, buf);

if (promisc) {
dlpromisconreq(fd, DL_PROMISC_PHYS);          
dlokack(fd, buf);
}

dlbindreq(fd, sap, 0, DL_CLDLS, 0, 0);
dlbindack(fd, buf);
     

if (strioctl(fd, DLIOCRAW, -1, 0, NULL) < 0)
syserr("DLIOCRAW");

if (bufmod) {
if (ioctl(fd, I_PUSH, "bufmod") < 0)
syserr("push bufmod");

t.tv_sec = 0;
t.tv_usec = 500000;
if (strioctl(fd, SBIOCSTIME, -1, sizeof (struct timeval),
&t) < 0)
syserr("SBIOCSTIME");
if (strioctl(fd, SBIOCSCHUNK, -1, sizeof (u_int),
&chunksize) < 0)
syserr("SBIOCSCHUNK");
}

if (ioctl(fd, I_FLUSH, FLUSHR) < 0)
syserr("I_FLUSH");

       if(1){
data.buf = (char *) databuf;
data.maxlen = MAXDLBUF;
data.len = 0;

     
while (((mrwtmp=getmsg(fd, NULL, &data, &flags))==0) ||
(mrwtmp==MOREDATA) || (mrwtmp=MORECTL)) {
p = data.buf;
limp = p + data.len;
filter(data.buf, data.len);
data.len = 0;
}
printf("finished getmsg() = %i\n",mrwtmp);
            }
       
}

int main(argc, argv)
int argc;
char **argv;
{
   char   cbuf[BUFSIZ];
   struct ifconf ifc;
   int    s,
          ac=1,
          backg=0;

   ProgName=argv[0];

   device=NIT_DEV;
   while((ac<argc) && (argv[ac][0] == '-')) {
      register char ch = argv[ac++][1];
      switch(toupper(ch)) {
           case 'I': device=argv[ac++];
                     break;
           case 'O': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
                        Zexit(1,"Output file cant be opened\n");
                     break;
           case 's':
                     sap=atoi(argv[ac++]);
                     break;
           default : fprintf(ERR,
                       "Usage: %s  [-s]  [-i interface] [-o file]\n",
                           ProgName);
fprintf(ERR," -d int    set new data limit (128 default)\n");
fprintf(ERR," -o <file> output to <file>\n");
                     exit(1);
      }
   }

   fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
   fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
           (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");

   if(!LOG)
       LOG=stdout;

   signal(SIGINT, death);
   signal(SIGTERM,death);
   signal(SIGKILL,death);
   signal(SIGQUIT,death);

   if(backg && debug) {
        fprintf(ERR,"[Cannot bg with debug on]\n");
        backg=0;
   }

   fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
   fflush(LOG);

   do_it();
}

編譯運行：
#gcc -lsocket -lsnl -o sniffer sniffer.c
#./sniffer
同時在另一個終端上運行ping 192.168.1.10

Using logical device /dev/bge [/dev/bge]
Output to stdout.

Log started at => Tue Jul 12 18:13:44 [pid 948]
1    arp request:who has 192.168.1.22 tells 192.168.1.10
2    arp request:who has 192.168.1.22 tells 192.168.1.10
3    arp request:who has 192.168.1.22 tells 192.168.1.10
4    arp request:who has 192.168.1.22 tells 192.168.1.10
5    arp request:who has 192.168.1.22 tells 192.168.1.10