Develop Reference

Parsing a keystroke record using input_event structure return strange key codes

Given:
A machine running Debian 10 and using the french keyboard mapping.
A dump of keystrokes correspoding to "azerty" obtained using:
sudo cat /dev/input/by-id/usb-Logitech_USB_Keyboard-event-kbd > test_keylogger_azerty
The following code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/types.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <xcb/xcb.h>
#include <xcb/xcb_keysyms.h>
#include <X11/Xlib.h>
#include <linux/input.h>
int main(int ac, char **av)
{
int fd, col;
xcb_connection_t *connection;
xcb_key_symbols_t *symbols;
struct input_event ev;
if (ac != 3) {
printf("Usage: %s <dump file> <symbol table index>\n", av[0]);
exit(EXIT_FAILURE);
}
connection = xcb_connect(NULL, NULL);
symbols = xcb_key_symbols_alloc(connection);
col = atoi(av[2]);
fd = open(av[1], O_RDONLY);
while (read(fd, (void *) &ev, sizeof(ev))) {
if (ev.type == EV_KEY && ev.value == 1)
printf("type: %x code: %x value: %2x => %s\n",
ev.type, ev.code, ev.value,
XKeysymToString(xcb_key_symbols_get_keysym(symbols, ev.code, col)));
}
printf("\n");
close(fd);
return(EXIT_SUCCESS);
}
A test run with xev tell me that: a == 24, b == 25 [...] y == 29.
Nevertheless, when i run my program, the obtained code don't match (and, as a result, the guessed corresponding symbol doesn't match too):
$ ./reverse_kl test_keylogger_azerty 0
type: 1 code: 10 value: 1 => egrave
type: 1 code: 11 value: 1 => underscore
type: 1 code: 12 value: 1 => ccedilla
type: 1 code: 13 value: 1 => agrave
type: 1 code: 14 value: 1 => parenright
type: 1 code: 15 value: 1 => equal
type: 1 code: 1c value: 1 => t
type: 1 code: 1d value: 1 => y
type: 1 code: 2e value: 1 => l
if i modify my code that way:
$ diff reverse_kl.c{.ref,}
33c33
< XKeysymToString(xcb_key_symbols_get_keysym(symbols, ev.code , col)));
---
> XKeysymToString(xcb_key_symbols_get_keysym(symbols, ev.code + 8 , col)));
It works better:
$ ./reverse_kl test_keylogger_azerty 0
type: 1 code: 10 value: 1 => a
type: 1 code: 11 value: 1 => z
type: 1 code: 12 value: 1 => e
type: 1 code: 13 value: 1 => r
type: 1 code: 14 value: 1 => t
type: 1 code: 15 value: 1 => y
type: 1 code: 1c value: 1 => Return
type: 1 code: 1d value: 1 => Control_L
type: 1 code: 2e value: 1 => c
Also, note that, for key 'a', i have the code 10 and adding 8 still don't give me 24 but it's working...
If anyone could help me understanding this strange behaviour ...
EDIT:
Added an hexadecimal dump of the trace as requested:
0000000 66 35 4d 5d 00 00 00 00 2b 7c 04 00 00 00 00 00
0000020 04 00 04 00 28 00 07 00 66 35 4d 5d 00 00 00 00
0000040 2b 7c 04 00 00 00 00 00 01 00 1c 00 00 00 00 00
0000060 66 35 4d 5d 00 00 00 00 2b 7c 04 00 00 00 00 00
0000100 00 00 00 00 00 00 00 00 66 35 4d 5d 00 00 00 00
0000120 a7 01 0e 00 00 00 00 00 04 00 04 00 14 00 07 00
0000140 66 35 4d 5d 00 00 00 00 a7 01 0e 00 00 00 00 00
0000160 01 00 10 00 01 00 00 00 66 35 4d 5d 00 00 00 00
0000200 a7 01 0e 00 00 00 00 00 00 00 00 00 00 00 00 00
0000220 67 35 4d 5d 00 00 00 00 22 11 01 00 00 00 00 00
0000240 04 00 04 00 14 00 07 00 67 35 4d 5d 00 00 00 00
0000260 22 11 01 00 00 00 00 00 01 00 10 00 00 00 00 00
0000300 67 35 4d 5d 00 00 00 00 22 11 01 00 00 00 00 00
0000320 00 00 00 00 00 00 00 00 67 35 4d 5d 00 00 00 00
0000340 fc fe 03 00 00 00 00 00 04 00 04 00 1a 00 07 00
0000360 67 35 4d 5d 00 00 00 00 fc fe 03 00 00 00 00 00
0000400 01 00 11 00 01 00 00 00 67 35 4d 5d 00 00 00 00
0000420 fc fe 03 00 00 00 00 00 00 00 00 00 00 00 00 00
0000440 67 35 4d 5d 00 00 00 00 ab 31 06 00 00 00 00 00
0000460 04 00 04 00 1a 00 07 00 67 35 4d 5d 00 00 00 00
0000500 ab 31 06 00 00 00 00 00 01 00 11 00 00 00 00 00
0000520 67 35 4d 5d 00 00 00 00 ab 31 06 00 00 00 00 00
0000540 00 00 00 00 00 00 00 00 67 35 4d 5d 00 00 00 00
0000560 1d e7 07 00 00 00 00 00 04 00 04 00 08 00 07 00
0000600 67 35 4d 5d 00 00 00 00 1d e7 07 00 00 00 00 00
0000620 01 00 12 00 01 00 00 00 67 35 4d 5d 00 00 00 00
0000640 1d e7 07 00 00 00 00 00 00 00 00 00 00 00 00 00
0000660 67 35 4d 5d 00 00 00 00 23 58 0a 00 00 00 00 00
0000700 04 00 04 00 08 00 07 00 67 35 4d 5d 00 00 00 00
0000720 23 58 0a 00 00 00 00 00 01 00 12 00 00 00 00 00
0000740 67 35 4d 5d 00 00 00 00 23 58 0a 00 00 00 00 00
0000760 00 00 00 00 00 00 00 00 67 35 4d 5d 00 00 00 00
As a reminder, below is the format of the input_event structure:
struct input_event {
struct timeval time;
__u16 type;
__u16 code;
__s32 value;
};
And, other reminder, keyboard stroke obey the following rules:
type == EV_KEY == 0x01
value may be 0 for event "key released", 1 for "key pressed" and 2 is for "auto-repeat".

Finding the value of pointers in memory C

Given the dataset below and the answer shown at the bottom (b36d5c), how does one compute this value for &ptr[3]. I'm just having trouble figuring out which area of the dataset it is referring to and how you add the size to that, but I know that the answer is correct.
sizeof(int) = 4
Data set starting at 0xb36d00 of size 128.
0xb36d00: 48 6d b3 00 00 00 00 00 4c 6d b3 00 00 00 00 00 Hm......Lm......
0xb36d10: 50 6d b3 00 00 00 00 00 30 6d b3 00 00 00 00 00 Pm......0m......
0xb36d20: 04 6d b3 00 00 00 00 00 50 6d b3 00 00 00 00 00 .m......Pm......
0xb36d30: 18 6d b3 00 00 00 00 00 1c 6d b3 00 00 00 00 00 .m.......m......
0xb36d40: 48 6d b3 00 00 00 00 00 58 6d b3 00 00 00 00 00 Hm......Xm......
0xb36d50: 44 6d b3 00 00 00 00 00 4c 6d b3 00 00 00 00 00 Dm......Lm......
0xb36d60: 00 6d b3 00 00 00 00 00 0c 6d b3 00 00 00 00 00 .m.......m......
0xb36d70: 68 6d b3 00 00 00 00 00 30 6d b3 00 00 00 00 00 hm......0m......
int array[] is stored at: 0xb36d00
int *ptr is stored at: 0xb36d28
short *shortPtr is stored at: 0xb36d28
int x is stored at: 0xb36d38
short y is stored at: 0xb36d14
int ***what is defined by: (int ***)(((int **)0xb36d0c) + 2)
What is the value of &ptr[3]?
b36d5c

int *ptr is said to be stored at 0xb36d28. The memory at 0xb36d28 contains 0x00b36d50 in little-endian order (and it contains that value regardless of whether pointers are four-bytes or eight, as the next four bytes are zero). Thus, ptr is 0xb36d50. If pointers are four bytes, then the address of ptr[3] is 3•4 bytes beyond 0xb36d50, so it is 0xb36d5c. (Since this fits the known answer, we conclude pointers are four bytes, not eight.)

How to read binary executable by instructions?

is there a way to read given amount of instructions from a binary executable file on x86 architecture programmatically?
If I had a binary of a simple C program hello.c:
#include <stdio.h>
int main(){
printf("Hello world\n");
return 0;
}
Where after compilation using gcc, the disassembled function main looks like this:
000000000000063a <main>:
63a: 55 push %rbp
63b: 48 89 e5 mov %rsp,%rbp
63e: 48 8d 3d 9f 00 00 00 lea 0x9f(%rip),%rdi # 6e4 <_IO_stdin_used+0x4>
645: e8 c6 fe ff ff callq 510 <puts#plt>
64a: b8 00 00 00 00 mov $0x0,%eax
64f: 5d pop %rbp
650: c3 retq
651: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
658: 00 00 00
65b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
Is there an easy way in C to read for example first three instructions (meaning the bytes 55, 48, 89, e5, 48, 8d, 3d, 9f, 00, 00, 00) from main? It is not guaranteed that the function looks like this - the first instructions may have all different opcodes and sizes.

this prints the 10 first bytes of the main function by taking the address of the function and converting to a pointer of unsigned char, print in hex.
This small snippet doesn't count the instructions. For this you would need an instruction size table (not very difficult, just tedious unless you find the table already done, What is the size of each asm instruction?) to be able to predict the size of each instruction given the first byte.
(unless of course, the processor you're targetting has a fixed instruction size, which makes the problem trivial to solve)
Debuggers have to decode operands as well, but in some cases like step or trace, I suspect they have a table handy to compute the next breakpoint address.
#include <stdio.h>
int main(){
printf("Hello world\n");
const unsigned char *start = (const char *)&main;
int i;
for (i=0;i<10;i++)
{
printf("%x\n",start[i]);
}
return 0;
}
output:
Hello world
55
89
e5
83
e4
f0
83
ec
20
e8
seems to match the disassembly :)
00401630 <_main>:
401630: 55 push %ebp
401631: 89 e5 mov %esp,%ebp
401633: 83 e4 f0 and $0xfffffff0,%esp
401636: 83 ec 20 sub $0x20,%esp
401639: e8 a2 01 00 00 call 4017e0 <___main>

.globl _start
_start:
bl main
b .
.globl main
main:
add r1,#1
add r2,#1
add r3,#1
add r4,#1
b main
intentionally wrong architecture, architecture doesnt matter file format matters. built this into an elf file format, which is very popular, and is simply a file format which is what I understood your question to be, to read a file, not modify the binary to read the program runtime from memory.
it is very much popular and there are tools that do it which you appear to know how to run.
Disassembly of section .text:
00001000 <_start>:
1000: eb000000 bl 1008 <main>
1004: eafffffe b 1004 <_start+0x4>
00001008 <main>:
1008: e2811001 add r1, r1, #1
100c: e2822001 add r2, r2, #1
1010: e2833001 add r3, r3, #1
1014: e2844001 add r4, r4, #1
1018: eafffffa b 1008 <main>
if I hexdump the file though
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 28 00 01 00 00 00 00 10 00 00 34 00 00 00 |..(.........4...|
00000020 c0 11 00 00 00 02 00 05 34 00 20 00 01 00 28 00 |........4. ...(.|
00000030 06 00 05 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 1c 10 00 00 1c 10 00 00 05 00 00 00 |................|
00000050 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000 00 00 00 eb fe ff ff ea 01 10 81 e2 01 20 82 e2 |............. ..|
00001010 01 30 83 e2 01 40 84 e2 fa ff ff ea 41 11 00 00 |.0...#......A...|
00001020 00 61 65 61 62 69 00 01 07 00 00 00 08 01 00 00 |.aeabi..........|
00001030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001040 00 00 00 00 00 10 00 00 00 00 00 00 03 00 01 00 |................|
00001050 00 00 00 00 00 00 00 00 00 00 00 00 03 00 02 00 |................|
00001060 01 00 00 00 00 00 00 00 00 00 00 00 04 00 f1 ff |................|
00001070 06 00 00 00 00 10 00 00 00 00 00 00 00 00 01 00 |................|
00001080 18 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
00001090 09 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010a0 17 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010b0 55 00 00 00 00 10 00 00 00 00 00 00 10 00 01 00 |U...............|
000010c0 23 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |#...............|
000010d0 2f 00 00 00 08 10 00 00 00 00 00 00 10 00 01 00 |/...............|
000010e0 34 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |4...............|
000010f0 3c 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |<...............|
00001100 43 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |C...............|
00001110 48 00 00 00 00 00 08 00 00 00 00 00 10 00 01 00 |H...............|
00001120 4f 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |O...............|
00001130 00 73 6f 2e 6f 00 24 61 00 5f 5f 62 73 73 5f 73 |.so.o.$a.__bss_s|
00001140 74 61 72 74 5f 5f 00 5f 5f 62 73 73 5f 65 6e 64 |tart__.__bss_end|
00001150 5f 5f 00 5f 5f 62 73 73 5f 73 74 61 72 74 00 6d |__.__bss_start.m|
00001160 61 69 6e 00 5f 5f 65 6e 64 5f 5f 00 5f 65 64 61 |ain.__end__._eda|
00001170 74 61 00 5f 65 6e 64 00 5f 73 74 61 63 6b 00 5f |ta._end._stack._|
00001180 5f 64 61 74 61 5f 73 74 61 72 74 00 00 2e 73 79 |_data_start...sy|
00001190 6d 74 61 62 00 2e 73 74 72 74 61 62 00 2e 73 68 |mtab..strtab..sh|
000011a0 73 74 72 74 61 62 00 2e 74 65 78 74 00 2e 41 52 |strtab..text..AR|
000011b0 4d 2e 61 74 74 72 69 62 75 74 65 73 00 00 00 00 |M.attributes....|
000011c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000011e0 00 00 00 00 00 00 00 00 1b 00 00 00 01 00 00 00 |................|
000011f0 06 00 00 00 00 10 00 00 00 10 00 00 1c 00 00 00 |................|
00001200 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00001210 21 00 00 00 03 00 00 70 00 00 00 00 00 00 00 00 |!......p........|
00001220 1c 10 00 00 12 00 00 00 00 00 00 00 00 00 00 00 |................|
00001230 01 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 |................|
00001240 00 00 00 00 00 00 00 00 30 10 00 00 00 01 00 00 |........0.......|
00001250 04 00 00 00 05 00 00 00 04 00 00 00 10 00 00 00 |................|
00001260 09 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
00001270 30 11 00 00 5c 00 00 00 00 00 00 00 00 00 00 00 |0...\...........|
00001280 01 00 00 00 00 00 00 00 11 00 00 00 03 00 00 00 |................|
00001290 00 00 00 00 00 00 00 00 8c 11 00 00 31 00 00 00 |............1...|
000012a0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000012b0
can google the file format and find a lot of info at wikipedia, with a smidge more at one of the links
useful header information
00 10 00 00 entrh
34 00 00 00 phoff
c0 11 00 00 shoff
00 02 00 05 flags
34 00 ehsize
20 00 phentsize
01 00 phnum
28 00 shentsize
06 00 shnum
05 00shstrndx
so if I look at the beginning of the sections there are shnum number of them
0x11C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x11E8 1b 00 00 00 01 00 00 00 06 00 00 00 00 10 00 00 00 10 00 00
0x1210 21 00 00 00 03 00 00 70 00 00 00 00 00 00 00 00 1c 10 00 00
0x1238 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 30 10 00 00
0x1260 09 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 30 11 00 00
0x1288 11 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 8c 11 00 00
0x1260 strtab type offset 0x1130 which is broken into null terminated strings until you hit a double null
[0] 00
[1] 73 6f 2e 6f 00 so.o
[2] 24 61 00 $a
[3] 5f 5f 62 73 73 5f 73 74 61 72 74 5f 5f 00 __bss_start__
[4] 5f 5f 62 73 73 5f 65 6e 64 5f 5f 00 __bss_end__
[5] 5f 5f 62 73 73 5f 73 74 61 72 74 00 __bss_start
[6] 6d 61 69 6e 00 main
...
main is at address 0x115F in the file which is offset 0x2F in the
strtab.
0x1238 symtab starts at 0x1030, 0x10 or 16 bytes per entry
00001030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001040 00 00 00 00 00 10 00 00 00 00 00 00 03 00 01 00 |................|
00001050 00 00 00 00 00 00 00 00 00 00 00 00 03 00 02 00 |................|
00001060 01 00 00 00 00 00 00 00 00 00 00 00 04 00 f1 ff |................|
00001070 06 00 00 00 00 10 00 00 00 00 00 00 00 00 01 00 |................|
00001080 18 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
00001090 09 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010a0 17 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |................|
000010b0 55 00 00 00 00 10 00 00 00 00 00 00 10 00 01 00 |U...............|
000010c0 23 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |#...............|
000010d0 2f 00 00 00 08 10 00 00 00 00 00 00 10 00 01 00 |/...............|
000010e0 34 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |4...............|
000010f0 3c 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |<...............|
00001100 43 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |C...............|
00001110 48 00 00 00 00 00 08 00 00 00 00 00 10 00 01 00 |H...............|
00001120 4f 00 00 00 1c 10 01 00 00 00 00 00 10 00 01 00 |O...............|
000010d0 2f 00 00 00 has the 0x2f offset in the symbol table
so this is main, from this entry the address 08 10 00 00 or 0x1008 in
the processors memory, unfortunately due to the values I chose it happens to also be the file offset, dont get that confused.
this section is type 00000001 PROGBITS
0x11E8 1b 00 00 00 01 00 00 00 06 00 00 00 00 10 00 00 00 10 00 00
offset 0x1000 in the file 0x1C bytes
here is the program, the machine code.
00001000 00 00 00 eb fe ff ff ea 01 10 81 e2 01 20 82 e2
00001010 01 30 83 e2 01 40 84 e2 fa ff ff ea 41 11
so starting at memory offset 0x1008 which is 8 bytes after the
entry point (unfortunately I picked a bad address to use) we need to
go 0x8 bytes offset into this data
01 10 81 e2 01 20 82 e2
00001008 <main>:
1008: e2811001 add r1, r1, #1
100c: e2822001 add r2, r2, #1
1010: e2833001 add r3, r3, #1
this is all very file dependent, the cpu could care less about labels, main only means something to the humans, not the cpu.
If I convert the elf into other formats which are perfectly executable:
motorola s record:
S00A0000736F2E7372656338
S1131000000000EBFEFFFFEA011081E2012082E212
S10F1010013083E2014084E2FAFFFFEAB1
S9031000EC
raw binary image
hexdump -C so.bin
00000000 00 00 00 eb fe ff ff ea 01 10 81 e2 01 20 82 e2 |............. ..|
00000010 01 30 83 e2 01 40 84 e2 fa ff ff ea |.0...#......|
0000001c
The instruction bytes of interest are of course there, but the symbol information isnt. It depends on the file format you are interested in as to 1) if you can find "main" and then 2) print out the first few bytes at that address.
Hmm, a bit disturbing, but if you link for 0x2000 gnu ld burns some disk space and puts the offset at 0x2000, but choose 0x20000000 and it burns more disk space but not as much
000100d0 2f 00 00 00 08 00 00 20 00 00 00 00 10 00 01 00
shows the file offset is 0x010010 but the address in target space is 0x20000008
00010010 01 30 83 e2 01 40 84 e2 fa ff ff ea 41 11 00 00
00010020 00 61 65 61 62 69 00 01 07 00 00 00 08 01
just to demonstrate/enforce the file offset and the target memory space address are two different things.
this is a very nice format for what you are wanting to do
arm-none-eabi-objcopy -O symbolsrec so.elf so.srec
cat so.srec
$$ so.srec
$a $20000000
_bss_end__ $2001001c
__bss_start__ $2001001c
__bss_end__ $2001001c
_start $20000000
__bss_start $2001001c
main $20000008
__end__ $2001001c
_edata $2001001c
_end $2001001c
_stack $80000
__data_start $2001001c
$$
S0090000736F2E686578A1
S31520000000000000EBFEFFFFEA011081E2012082E200
S31120000010013083E2014084E2FAFFFFEA9F
S70520000000DA

Pulling individual integer value from hexadecimal value

Here is my hex code:
42 4D C6 00 00 00 00 00 00 00 76 00 00 00 28 00
00 00 0A 00 00 00 0A 00 00 00 01 00 04 00 00 00
00 00 50 00 00 00 12 0B 00 00 12 0B 00 00 10 00
00 00 10 00 00 00 FF 00 00 00 00 FF 00 00 00 00
42 00 5A 5A 84 00 00 00 FF 00 FF 00 FF 00 00 FF
FF 00 08 FF FF 00 5A FF FF 00 FF FF FF 00 FF FF
FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF
FF 00 FF FF FF 00 92 59 00 16 47 00 00 00 25 90
01 64 61 00 00 00 59 90 11 64 61 00 00 00 99 00
16 48 11 00 00 00 90 01 64 61 11 00 00 00 00 16
64 61 00 00 00 00 01 16 46 10 09 00 00 00 11 64
41 00 99 00 00 00 16 64 11 09 95 00 00 00 66 48
10 09 53 00 00 00
I know that the pixel "assignment" starts with the first line being (10 pixels wide):
92 59 00 16 47 00 00 00
I need to count how many times each colour is in the image, but I am unable to pull the individual integer value (ie: just the 9, then just the 2, then just the 5, and so on). The only value I am able to pull is "92" then "59" then "00"...
This is my code for that segment (the offset is 118 and the total hex values remaining are 80):
int nbr_each[NBRCOLOURS];
int ch, pixel;
fseek(fptr, 118, SEEK_SET);
for (count = 0; count < 81; count++)
{
pixel = fgetc(fptr);
nbr_each[pixel] = nbr_each[pixel] + 1;
}

fgetc will get you the individual characters.
first = fgetc(fptr); // '9'
second = fgetc(fptr); // '2'
space = fgetc(fptr); // ' '
Then convert each digit to a number 0..9 by subtracting off '0':
first -= '0';
second -= '0';
Then to count each digit, something like this:
nbr_each[first]++;
nbr_each[second]++;

how to save the captured packets in LibreOffice Calc instead of a txt file using c socket program?

My project is about capturing the packets in promiscuous mode in the client side and processing it (distinguishing between tcp,udp,icmp)in server side which is done using C socket code in ubuntu 13.04.
The Output is stored in a txt file as of now,but i want to save those packet fields in the cells in LibreOffice Calc, so that i can edit the cells in the sense choose only those packets which are needed.
I do not know whether its possible to do it? Can anybody please help me if its possible?and also how to do it?
My output txt file looks this way(only udp packet is shown here)
This Report is from the Task agent whose IP is 127.0.0.1
***********************UDP Packet*************************
Ethernet Header
|-Destination Address : 01-00-5E-00-00-02
|-Source Address : 00-00-0C-07-AC-3B
|-Protocol : 8
IP Header
|-IP Version : 4
|-IP Header Length : 5 DWORDS or 20 Bytes
|-Type Of Service : 192
|-IP Total Length : 48 Bytes(Size of Packet)
|-Identification : 0
|-TTL : 1
|-Protocol : 17
|-Checksum : 61927
|-Source IP : 172.16.59.3
|-Destination IP : 224.0.0.2
UDP Header
|-Source Port : 1985
|-Destination Port : 1985
|-UDP Length : 28
|-UDP Checksum : 42701
IP Header
01 00 5E 00 00 02 00 00 0C 07 AC 3B 08 00 45 C0 ..^........;..E.
00 30 00 00 .0..
UDP Header
00 00 01 11 F1 E7 AC 10 ........
Data Payload
00 00 10 03 0A 6E 3B 00 63 69 73 63 6F 00 00 00 .....n;.cisco...
AC 10 3B 01 00 00 00 00 00 00 00 00 00 00 00 00 ..;.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 ......
###########################################################
I need to save all these fields in the cells(rows). How can i do it??
edited part
This is how i process the packet in the server side
FILE *logfile;
int infile;
struct sockaddr_in source,dest;
int tcp=0,udp=0,icmp=0,others=0,igmp=0,total=0,i,j;
int main()
{
int saddr_size,data_size;
struct sockaddr saddr;
unsigned char *buffer3 = (unsigned char *) malloc(1024);
char *fname = "/home/shishira/Desktop/packet_capture/task_agent_processed.txt";
infile=open("info_agent_report.txt",O_RDONLY);
if(infile==-1)
{
perror("cannot open info_agent_report file\n");
return(1);
}
logfile=fopen("task_agent_processed.txt","w");
if(logfile==NULL)
{
printf("Unable to create task_agent_processed file.");
}
printf("\n Starting..\n");
saddr_size = sizeof saddr;
do
{
data_size=read(infile,buffer3,1024);
ProcessPacket(buffer3 , data_size);
}
while(data_size>0);
fclose(logfile);
close(infile);
printf("\n");
printf(" Finished\n\n");
printf("-------------------\n\n");
return 0;
}
void ProcessPacket(unsigned char* buffer, int size)
{
//Get the IP Header part of this packet , excluding the ethernet header
struct iphdr *iph = (struct iphdr*)(buffer + sizeof(struct ethhdr));
++total;
switch (iph->protocol) //Check the Protocol and do accordingly...
{
case 1: //ICMP Protocol
++icmp;
print_icmp_packet( buffer , size);
break;
case 2: //IGMP Protocol
++igmp;
break;
case 6: //TCP Protocol
++tcp;
print_tcp_packet(buffer , size);
break;
case 17: //UDP Protocol
++udp;
print_udp_packet(buffer , size);
break;
default: //Some Other Protocol like ARP etc.
++others;
break;
}
printf(" TCP : %d UDP : %d ICMP : %d Others : %d Total : %d\r", tcp ,
udp , icmp , others , total);
}
void print_udp_packet(unsigned char *Buffer , int Size)
{
unsigned short iphdrlen;
struct iphdr *iph = (struct iphdr *)(Buffer + sizeof(struct ethhdr));
iphdrlen = iph->ihl*4;
struct udphdr *udph = (struct udphdr*)(Buffer + iphdrlen + sizeof(struct ethhdr));
int header_size = sizeof(struct ethhdr) + iphdrlen + sizeof udph;
fprintf(logfile , "\n\n***********************UDP Packet*************************\n");
print_ip_header(Buffer,Size);
fprintf(logfile , "\nUDP Header\n");
fprintf(logfile , " |-Source Port : %d\n" , ntohs(udph->source));
fprintf(logfile , " |-Destination Port : %d\n" , ntohs(udph->dest));
fprintf(logfile , " |-UDP Length : %d\n" , ntohs(udph->len));
fprintf(logfile , " |-UDP Checksum : %d\n" , ntohs(udph->check));
fprintf(logfile , "\n");
fprintf(logfile , "IP Header\n");
PrintData(Buffer , iphdrlen);
fprintf(logfile , "UDP Header\n");
PrintData(Buffer+iphdrlen , sizeof udph);
fprintf(logfile , "Data Payload\n");
//Move the pointer ahead and reduce the size of string
PrintData(Buffer + header_size , Size - header_size);
fprintf(logfile , "\n###########################################################");
}
}
}
I have just included udp packet here. Here in fprintf statement i am using to print all the packets in the file whose filehandler is "logfile". the output which i get looks in this way

For instance, if you need to put the whole this report to one excel cell then you can put " in the beginning and " in the end of this output. Then you can save it as *.csv file and open it with Excel, LibreOffice.Calc etc. So in this case (" in the beginning and in the end) you will get all this output in the first cell:
If you need different spreading of the data between cells - use commas and "":
"first row, first cell", "first row, second cell",...
"second row, first cell", "second row, second cell",...
...
For example:
user#host $ cat new1.csv
"first row, first cell", "first row, second cell"
"second row, first cell", "second row, second cell"
Then it can be opened in LibreOffice.Calc and result will be the following:
Update: for spreading output data from the question to different cells:
I put a couple of , and " into original report from the question:
"This Report is from the Task agent whose IP is 127.0.0.1
***********************UDP Packet*************************"
"
Ethernet Header
|-Destination Address : 01-00-5E-00-00-02
|-Source Address : 00-00-0C-07-AC-3B
|-Protocol : 8
","
IP Header
|-IP Version : 4
|-IP Header Length : 5 DWORDS or 20 Bytes
|-Type Of Service : 192
|-IP Total Length : 48 Bytes(Size of Packet)
|-Identification : 0
|-TTL : 1
|-Protocol : 17
|-Checksum : 61927
|-Source IP : 172.16.59.3
|-Destination IP : 224.0.0.2
","
UDP Header
|-Source Port : 1985
|-Destination Port : 1985
|-UDP Length : 28
|-UDP Checksum : 42701
","
IP Header
01 00 5E 00 00 02 00 00 0C 07 AC 3B 08 00 45 C0 ..^........;..E.
00 30 00 00 .0..
UDP Header
00 00 01 11 F1 E7 AC 10 ........
Data Payload
00 00 10 03 0A 6E 3B 00 63 69 73 63 6F 00 00 00 .....n;.cisco...
AC 10 3B 01 00 00 00 00 00 00 00 00 00 00 00 00 ..;.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 ......
###########################################################"
It results in the following spreading through the excel cells: