原始的libnids是基于libpcap和libnet的,因此在安装的时候,必须要安装这两个模块才行,当然假如你是基于libnids来开发,不需要libnet,可以看下文档写的,disabled掉libnet,或者直接将libnids里的需要的源文件拔出来,供自己用
下面是原始官方的版本,libnids-1.24,libnet-1.19,libpcap-1.3.0,安装顺序和过程如下
依赖的版本有glib,gthread等,具体可以查看configure文件
cd libpcap-1.3.0 ./configure && make make install cd libnet-1.19 ./configure && make make install cd libnids-1.24 ./configure && make make install
在这个过程中,可能会出现的问题有:
1:刚在VMware Player里安装的CentOS7.0,安装版本是development版本+gnome桌面,在此过程中gthread的模块貌似缺少了,但是glib的确是安装了,具体如何解决未知
2:在另一个CentOS6.4上,安装没啥问题,但是通过载入libnids库文件之后,执行自己的可执行程序,会报错关于libnet的库出现问题,所以在安装libnet过程中时间比较长,一定要观察每个警告
最终在另一台CentOS6.4上安装无误,在libnids-1.24的文件夹中,带了几个例子,可以用来尝试下
[root@localhost ~]# cd libnids-1.24/samples/ [root@localhost samples]# make gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H overflows.c gcc -o overflows overflows.o -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H printall.c printall.c: In function ?.ain?. printall.c:117: warning: incompatible implicit declaration of built-in function ?.xit? gcc -o printall printall.o -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H sniff.c sniff.c: In function ?.dres?. sniff.c:24: warning: incompatible implicit declaration of built-in function ?.trcpy? sniff.c:25: warning: incompatible implicit declaration of built-in function ?.trlen? sniff.c:26: warning: incompatible implicit declaration of built-in function ?.trcat? sniff.c: In function ?.o_log?. sniff.c:35: warning: incompatible implicit declaration of built-in function ?.trlen? sniff.c: In function ?.ain?. sniff.c:83: warning: incompatible implicit declaration of built-in function ?.xit? sniff.c:88: warning: incompatible implicit declaration of built-in function ?.xit? gcc -o sniff sniff.o -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl
这里由于字体安装有问题,有很多字母变成了问号,但是大体意思基本能看懂,基本都是字符串操作以及exit没有包含应有的头文件,如此以其中一个为例,比如sniff.c,添加两个头文件,编译
#include <stdlib.h> #include <string.h>
然后再make,顺便看下所有依赖的库文件
[root@localhost samples]# make clean rm -f *.o *~ overflows printall sniff [root@localhost samples]# make gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H overflows.c gcc -o overflows overflows.o -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H printall.c gcc -o printall printall.o -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H sniff.c gcc -o sniff sniff.o -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl
下面是个自带的小例子,添加两行头文件之后
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>
#include <unistd.h>
#include "nids.h"
#define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x))
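// struct tuple4 contains addresses and port numbers of the TCP connections
// the following auxiliary function produces a string looking like
// 10.0.0.1,1024,10.0.0.2,23
//
// Returns a pointer to a static buffer that the next call overwrites (so it
// is not reentrant); callers that need to keep the text must copy it.
char *
adres (struct tuple4 addr)
{
    static char buf[256];
    char src[INET_ADDRSTRLEN];

    // inet_ntoa() hands back a single static buffer, so the source address
    // must be copied out before the second call overwrites it.
    snprintf (src, sizeof src, "%s", int_ntoa (addr.saddr));
    // One bounded format replaces the strcpy/sprintf/strcat chain; two dotted
    // quads plus two ports and separators fit in buf with room to spare.
    snprintf (buf, sizeof buf, "%s,%i,%s,%i",
              src, addr.source, int_ntoa (addr.daddr), addr.dest);
    return buf;
}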
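// Write all n bytes at p to fd, continuing after short writes.  A failed
// write is simply abandoned: this is diagnostic output in a sample program
// and the captured stream must still be consumed.
static void
write_all (int fd, const void *p, size_t n)
{
    const unsigned char *q = p;
    while (n > 0)
    {
        ssize_t w = write (fd, q, n);
        if (w <= 0)
            return;
        q += w;
        n -= (size_t) w;
    }
}

// Write n payload bytes to fd with everything that is not printable ASCII
// (or '\n' / '\t') rendered as \xNN and a literal backslash doubled.
// The payload comes straight off the wire, i.e. it is chosen by whoever sent
// the packets; emitting it verbatim onto a terminal would let it carry
// terminal control sequences, so non-printable bytes are never passed through.
static void
write_escaped (int fd, const unsigned char *p, size_t n)
{
    char out[4096];
    size_t used = 0;

    for (size_t i = 0; i < n; i++)
    {
        unsigned char c = p[i];
        // an escape needs 4 bytes plus snprintf's NUL; flush before it
        // could fail to fit
        if (used + 5 > sizeof out)
        {
            write_all (fd, out, used);
            used = 0;
        }
        if (c == '\\')
        {
            out[used++] = '\\';
            out[used++] = '\\';
        }
        else if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f))
        {
            out[used++] = (char) c;
        }
        else
        {
            used += (size_t) snprintf (out + used, sizeof out - used,
                                       "\\x%02x", c);
        }
    }
    write_all (fd, out, used);
}

// libnids TCP stream callback.  Called by libnids for every state change
// of a reassembled TCP stream; a_tcp->nids_state says which one.  The
// second argument is unused here (it is per-stream user data in libnids).
//
// Output conventions, kept from the original sample: connection events and
// ordinary payload go to stderr, urgent data goes to fd 1 (stdout).  Payload
// bytes are escaped before being written (see write_escaped).
void
tcp_callback (struct tcp_stream *a_tcp, void **this_time_not_needed)
{
    char buf[1024];
    size_t len;

    (void) this_time_not_needed;

    // connection parameters, e.g. "10.0.0.1,1024,10.0.0.2,23"
    snprintf (buf, sizeof buf, "%s", adres (a_tcp->addr));

    switch (a_tcp->nids_state)
    {
    case NIDS_JUST_EST:
        // connection described by a_tcp is established; here we decide
        // whether to follow this stream (sample condition:
        // if (a_tcp->addr.dest != 23) return;).  In this simple app we
        // follow each stream, so ask for data received by the client and
        // by the server, plus urgent data received by the server.
        a_tcp->client.collect++;
        a_tcp->server.collect++;
        a_tcp->server.collect_urg++;
#ifdef WE_WANT_URGENT_DATA_RECEIVED_BY_A_CLIENT
        // without this we are not notified of urgent data for the client
        a_tcp->client.collect_urg++;
#endif
        fprintf (stderr, "%s established\n", buf);
        return;

    case NIDS_CLOSE:
        // connection has been closed normally
        fprintf (stderr, "%s closing\n", buf);
        return;

    case NIDS_RESET:
        // connection has been closed by RST
        fprintf (stderr, "%s reset\n", buf);
        return;

    case NIDS_DATA:
        // new data has arrived; handled below
        break;

    default:
        // other states (e.g. timeouts) are not reported by this sample
        return;
    }

    if (a_tcp->server.count_new_urg)
    {
        // one new byte of urgent data has arrived at the server
        unsigned char urg = (unsigned char) a_tcp->server.urgdata;

        len = strlen (buf);
        snprintf (buf + len, sizeof buf - len, "(urgent->)");
        // as in the original sample this goes to fd 1, not stderr
        write_all (1, buf, strlen (buf));
        write_escaped (1, &urg, 1);
        return;
    }

    // We don't have to check if urgent data to client has arrived, because
    // we haven't increased a_tcp->client.collect_urg.  So we have some normal
    // data to take care of; pick the side that received it.
    struct half_stream *hlf;
    const char *direction;
    if (a_tcp->client.count_new)
    {
        hlf = &a_tcp->client;   // data for the client side of the connection
        direction = "(<-)";
    }
    else
    {
        hlf = &a_tcp->server;   // analogous, server side
        direction = "(->)";
    }
    len = strlen (buf);
    snprintf (buf + len, sizeof buf - len, "%s", direction);

    // print the connection parameters (saddr, sport, daddr, dport) with the
    // data flow direction, then the newly arrived bytes (escaped)
    fprintf (stderr, "%s", buf);
    if (hlf->count_new > 0)
        write_escaped (2, (const unsigned char *) hlf->data,
                       (size_t) hlf->count_new);
}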
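// Initialise libnids with its default parameters, register tcp_callback
// for reassembled TCP streams and run the capture loop.  nids_init()
// signals failure by returning 0, with the reason in nids_errbuf.
//
// NOTE(review): the session shown on this page runs the sample as root
// while it parses traffic it does not control; running it with only the
// capture privilege it actually needs would limit the impact of a bug in
// the parsing path — TODO confirm what the deployment allows.
int
main (void)
{
    // here we can alter libnids params, for instance:
    // nids_params.n_hosts=256;
    if (!nids_init ())
    {
        fprintf (stderr, "%s\n", nids_errbuf);
        return EXIT_FAILURE;
    }
    nids_register_tcp (tcp_callback);
    nids_run ();
    return 0;
}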
可以看到注册函数里的回调函数tcp_callback,在tcp的各种状态nids_state不同的情况下,进行不同的处理,比如在建立TCP连接时
strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf
if (a_tcp->nids_state == NIDS_JUST_EST)
{
..................省略...................
fprintf (stderr, "%s established\n", buf);
会打印出buf里TCP的一些信息,当然TCP的其它状态的时候,肯定也一样会打印相关信息,下面就是执行结果
13.20.51.8,36145,21.45.4.7,22 established
13.20.51.8,36145,21.45.4.7,22(->)SSH-2.0-libssh-0.1
13.20.51.8,36145,21.45.4.7,22(->)./>?@n?S?9?diffie-hellman-group1-sha1ssh-rsa
aes128-cbc
aes128-cbc hmac-sha1 hmac-sha1nonenone13.20.51.8,36145,21.45.4.7,22(->)..^"@.-GはI.?>.??漭8..?"僵'战DZ??.
H`.?p.??喷?.v?/P甥?x.敫.傈?B.c-s?_>A?.?9 O??河13.20.51.8,36145,21.45.4.7,22(->)
乱码部分就无视吧,操作系统安装的时候字体不全导致
