Ideas
- Open an offline file: pcap_open_offline()
pcap_t *pcap_open_offline(const char *fname, char *errbuf);
pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf);
pcap_open_offline() is called to open a "savefile" for reading.
fname specifies the name of the file to open. The file has the same format as those used by tcpdump(1) and tcpslice(1). The name “-” is a synonym for stdin.
Alternatively, you may call pcap_fopen_offline() to read dumped data from an existing open stream fp. Note that on Windows, that stream should be opened in binary mode.
- pcap_loop - process packets from a live capture or savefile
typedef
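
As an added example (not libpcap's code and not part of the original notes), the sketch below shows in plain C what reading a savefile from an open stream and looping over its packets involves: it checks the magic number, then validates each record's captured length before that length sizes a read. The names `read_savefile`, `parse_bytes`, `pkt_handler` and `sum_bytes` are hypothetical, and the `SAMPLE` bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Handler shape modelled on the per-packet callback that pcap_loop() invokes. */
typedef void (*pkt_handler)(void *user, uint32_t caplen, uint32_t len, const uint8_t *bytes);

static uint32_t rd32(const uint8_t *p, int be) {  /* be != 0: file is big-endian */
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << 8) | p[be ? i : 3 - i];
    return v;
}

/* Returns the number of packets delivered, or -1 on a malformed savefile. */
int read_savefile(FILE *fp, pkt_handler cb, void *user) {
    uint8_t gh[24], rh[16], buf[65535];  /* this sketch caps records at 65535 bytes */
    size_t got;
    int n = 0;
    if (fread(gh, 1, sizeof gh, fp) != sizeof gh) return -1;
    int be = rd32(gh, 0) == 0xa1b2c3d4u ? 0 : rd32(gh, 1) == 0xa1b2c3d4u ? 1 : -1;
    if (be < 0) return -1;                           /* not a classic pcap file */
    uint32_t snaplen = rd32(gh + 16, be);
    while ((got = fread(rh, 1, sizeof rh, fp)) == sizeof rh) {
        uint32_t caplen = rd32(rh + 8, be), len = rd32(rh + 12, be);
        /* The length comes from the file, so validate it before it sizes a read. */
        if (caplen > snaplen || caplen > len || caplen > sizeof buf) return -1;
        if (fread(buf, 1, caplen, fp) != caplen) return -1;   /* truncated record */
        cb(user, caplen, len, buf);
        n++;
    }
    return got == 0 ? n : -1;  /* leftover bytes mean a cut-off record header */
}

/* Constructed sample: little-endian header, snaplen 65535, one 4-byte packet. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef };

void sum_bytes(void *user, uint32_t caplen, uint32_t len, const uint8_t *bytes) {
    (void)len; (void)bytes;
    *(uint32_t *)user += caplen;   /* user points at a running byte total */
}

/* Hypothetical helper: spool bytes to a temp stream and parse them from it. */
int parse_bytes(const uint8_t *data, size_t n, pkt_handler cb, void *user) {
    FILE *fp = tmpfile();          /* tmpfile() opens the stream in binary mode */
    if (!fp) return -1;
    int r = -1;
    if (fwrite(data, 1, n, fp) == n) { rewind(fp); r = read_savefile(fp, cb, user); }
    fclose(fp);
    return r;
}
```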