Handling the Linux cooked capture v1 layer
1. Origin of the problem:
In the Mal_DoH dataset, some of the data could not be processed by pkt2flow into flow-level data files. Looking at it in Wireshark, there is an unknown layer that makes pkt2flow fail, yet it exits without reporting any error, which is pretty absurd; this tool is not very mature yet and needs improvement as a next step.
2. Problem analysis
Why is the link layer named Linux cooked capture rather than Ethernet II?
Because the packets were captured on Linux with tcpdump using -i any, which captures on all of the device's interfaces. In that mode the Ethernet header of every packet is replaced by a Linux cooked capture header, which Wireshark describes as a pseudo-protocol.
When capturing with tcpdump, if -i specifies a single interface, the link layer of the captured packets is an Ethernet header; if any is specified, the Ethernet header is replaced by a Linux cooked capture header.
Spotting this problem early is critical for all subsequent packet processing, because the byte offsets of every field after the link layer are different.
3. Solving the problem
If packets in Linux cooked capture format need to be converted to Ethernet format, there are a few methods:
- Write code that reads each packet and rewrites it into a new file (using libpcap, or by working from offsets into the pcap header structures);
- With tcpdump 3.0+, tcprewrite can rewrite the file directly, which should be the quickest method;
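The first method above, done by hand in plain Python (an added example, not code from the original post or from tcprewrite): it parses the pcap global header and each record, replaces the 16-byte SLL v1 header with a 14-byte Ethernet header, and fixes up the lengths. The sample pcap is constructed inline; the zero destination MAC mirrors what the converted file shows in Wireshark, since SLL carries only the sender's address.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
SLL_HDR_LEN = 16   # pkt type(2) + ARPHRD(2) + addr len(2) + addr(8) + proto(2)
ETH_HDR_LEN = 14   # dst(6) + src(6) + ethertype(2)

def sll_to_ethernet(pcap_bytes: bytes) -> bytes:
    """Rewrite a LINKTYPE_LINUX_SLL pcap as LINKTYPE_ETHERNET. The destination MAC is
    zero-filled: SLL only carries the sender address, which is why the converted
    capture shows an empty Destination MAC in Wireshark."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):   # LE, usec or nsec timestamps
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    gh = list(struct.unpack(end + "IHHiIII", pcap_bytes[:24]))
    if gh[6] != LINKTYPE_LINUX_SLL:
        raise ValueError(f"expected link-type 113 (LINUX_SLL), got {gh[6]}")
    gh[6] = LINKTYPE_ETHERNET
    out = bytearray(struct.pack(end + "IHHiIII", *gh))
    off = 24
    while off < len(pcap_bytes):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        rec = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(rec) < SLL_HDR_LEN:
            raise ValueError("truncated SLL record")
        # SLL header fields are always big-endian, regardless of the file's byte order
        _pkt_type, arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", rec[:SLL_HDR_LEN])
        # Only ARPHRD_ETHER (1) guarantees a 6-byte MAC and an EtherType in 'proto'
        if arphrd != 1:
            raise ValueError(f"unsupported ARPHRD type {arphrd}; cannot build an Ethernet header")
        src_mac = addr[:6] if addr_len == 6 else b"\x00" * 6
        eth_hdr = b"\x00" * 6 + src_mac + struct.pack("!H", proto)
        delta = ETH_HDR_LEN - SLL_HDR_LEN   # each packet shrinks by 2 bytes; offsets shift accordingly
        out += struct.pack(end + "IIII", ts_sec, ts_frac, incl_len + delta, orig_len + delta)
        out += eth_hdr + rec[SLL_HDR_LEN:]
    return bytes(out)

def build_sample_sll_pcap() -> bytes:
    """Constructed input: one SLL v1 record (src aa:bb:cc:dd:ee:ff, EtherType IPv4) wrapping a
    bare 20-byte IPv4 header; not real traffic."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_LINUX_SLL)
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("aabbccddeeff0000"), 0x0800)
    ipv4 = bytes.fromhex("4500001400010000400600000a0000010a000002")
    rec = struct.pack("<IIII", 1585663200, 0, 36, 36) + sll + ipv4
    return gh + rec
```

Write the returned bytes to a file and `tcpdump -r` will report link-type EN10MB, the same as after tcprewrite.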
tcprewrite is a tool for rewriting packets in pcap files (from tcpdump and ethereal). The modified packets can be resent with tcpreplay(1).
DLT Plugins
As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the code easier to maintain, but also helps make things clearer for users regarding what is and isn't supported. Each plugin may support reading and/or writing packets. By default, the plugin used to read packets is also used for output, but you can override the output plugin using the --dlt option. Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type. This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco HDLC or capture on a BSD Loopback interface and replay over Ethernet.
Plugins supported in output mode:
Ethernet (enet)
Cisco HDLC (hdlc)
User defined Layer 2 (user)
Plugins supported in input mode:
Ethernet
Cisco HDLC
Linux SLL
BSD Loopback
BSD Null
Raw IP
802.11
Juniper Ethernet (version >= 4.0)
Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the supported output DLT types by using the --dlt=<output> option. Depending on the input DLT you may need to provide additional DLT plugin flags.
The tcprewrite conversion commands are as follows:
First read the pcap file to check its link type
# tcpdump -r dns2tcp_tunnel_1111_doh1_2020-03-31T21_54_32.055088.pcap | grep Linux
reading from file dns2tcp_tunnel_1111_doh1_2020-03-31T21_54_32.055088.pcap, link-type LINUX_SLL (Linux cooked)
# tcprewrite --dlt=enet --infile=dns2tcp_tunnel_1111_doh1_2020-03-31T21_54_32.055088.pcap --outfile=enet.pcap
# tcpdump -r enet.pcap | grep Eth
reading from file enet.pcap, link-type EN10MB (Ethernet)
Opening enet.pcap, the only slight problem is that the converted packets have an empty Destination MAC; be aware of this if you need that field.
Splitting the file into flows with pkt2flow then runs without problems
# ./pkt2flow/pkt2flow -o /root/ds/ /root/ds/enet.pcap
tcprewrite and tcpreplay have many other uses; they are not covered here and will be written up when there is time.
Useful references:
https://wiki.wireshark.org/SLL
http://www.tcpdump.org/linktypes.html
http://tcpreplay.synfin.net/wiki/tcprewrite
Other:
# tip: strip VLAN tags
# tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap
Reference article: https://blog.csdn.net/dnet30833/article/details/102043934?utm_medium=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-1.control&dist_request_id=&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-1.control