CAP文件格式
1、文件头
| 00000000h: 58 43 50 00 30 30 32 2E 30 30 32 00 98 5E 29 45 ; XCP.002.002 00000010h: F0 49 02 00 2D 37 3D 02 80 00 00 00 2D 37 3D 02 ; 00000020h: 00 00 00 00 00 00 00 00 2D 37 3D 02 00 00 00 00 ; 00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; 00000040h: 00 00 00 00 00 00 00 00 14 00 04 00 99 9E 36 00 ; 00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; 00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; 00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; |
文件类型标识 00-02 3字节, 为XCP
版本号: 04-0A 7字节
开始抓包时间 0C-0F 4字节 time_t类型的值
与包数有关的值 10-13 4字节 代表意义不详
与包总长度有关的值 该值重复存储三次 代表意义不详
说明:文件头长128字节,数据域从128字节后开始。
2、数据段
| 00000080h: 18 2F 00 00 00 00 00 00 3C 00 3C 00 00 00 00 00 00000090h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000a0h: 00 00 00 00 00 00 00 00 FF FF FF FF FF FF 00 40 000000b0h: 9E 00 6A FE 08 06 00 01 08 00 06 04 00 01 00 40 000000c0h: 9E 00 6A FE 0A 02 10 0F 00 00 00 00 00 00 0A 02 000000d0h: 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000e0h: 00 00 00 00 |
微秒数 4字节 从文件头的开始抓包时间开始的微秒数 1微秒=1/1,000,000秒
数据域的长度 2字节 连续重复两次
目的网卡物理地址 6字节
源网卡物理地址 6字节
INTERNET协议标识 2字节 0806为ARP协议, 0800为IP协议
数据域
说明:
·每个数据段分头和数据域部分,头长度固定为40字节
·数据域的长度表示的是从网卡目的物理地址开始到一个数据段的字节数
2596
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
