震惊! CAIDA的pcap文件不包含以太网包头

目录

 

对CAIDA流量文件的分析

分享一个能够自动识别pcap文件中是否包含以太网包头的解析程序

---

对CAIDA流量文件的分析

我在用libpcap分析从caida下载的流量文件equinix-nyc.dirA.20180419-125909.UTC.anon.pcap, 希望打印出其中的TCP数据包的流标识符. 我的分析程序如下:

 //解析.c
#include <pcap.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <翻译包.h>


void packetHandler(u_char *userData, const struct pcap_pkthdr* pkthdr, const u_char* packet);

int main() {
	pcap_t *descr;
	char errbuf[PCAP_ERRBUF_SIZE];

	// open capture file for offline processing
	char 文件名[] = "/Users/zongyi/traces/caida/equinix-nyc.dirA.20180419-125909.UTC.anon.pcap";
	descr = pcap_open_offline(文件名, errbuf);
	if (descr == NULL) {
		printf("pcap_open_offline() failed: %s\n", errbuf);
		return 1;
	}

	// start packet processing loop, just like live capture
	_整数_ 数据包数 = 100; // 如果设为0, 则会遍历文件中的所有数据包
	if (pcap_loop(descr, 数据包数, packetHandler, NULL) < 0) {
		printf("pcap_loop() failed\n");
		return 1;
	}
	printf("capture finished\n");
	pcap_close(descr);
  return 0;
}

void packetHandler(u_char *userData, const struct pcap_pkthdr* pkthdr, const u_char* packet) {
	const struct ether_header* ethernetHeader;
	const struct ip* ipHeader;
	const struct tcphdr* tcpHeader;
	char sourceIp[INET_ADDRSTRLEN];
	char destIp[INET_ADDRSTRLEN];
	u_int sourcePort, destPort;
	u_char *data;
	int dataLength = 0;
	ethernetHeader = (struct ether_header*) packet;
	if (ntohs(ethernetHeader->ether_type) == ETHERTYPE_IP) {
		ipHeader = (struct ip*)(packet + sizeof(struct ether_header));
		inet_ntop(AF_INET, &(ipHeader->ip_src), sourceIp, INET_ADDRSTRLEN);
		inet_ntop(AF_INET, &(ipHeader->ip_dst), destIp, INET_ADDRSTRLEN);
		if (ipHeader->ip_p == IPPROTO_TCP) {
		tcpHeader = (struct tcphdr*)(packet + sizeof(struct ether_header) + sizeof(struct ip));
			_正整数_ 源地址 = ntohl(ipHeader->ip_src.s_addr);
			_正整数_ 目标地址 = ntohl(ipHeader->ip_dst.s_a