pcap文件解析
pcap文件解析
学了一点.pcap文件的东西,赶紧记录下
1、 .pcap文件本质
pcap文件本身就是一种二进制的文件格式,使用winhex或者Sublime打开pcap文件只能看到一堆数字,也就是pcap文件本身的样子。而使用wireshark打开的pcap包就不一样了,显示的是解析后的各层协议及内容, 很通俗,一看就明白(所以我也一直以为数据包就长这样。。。。)
一个pcap包的结构:文件头–数据包头1-数据包1-数据包头2-数据包2……
一个数据包只有一个文件头,多个数据包头(我的理解是有几条报文就有几个数据包头)
2、wireshark查看pcap文件格式
一般wireshark打开pcap文件
在wireshark中将pcap转换为文件格式:wireshark打开一个数据包–视图–重新载入文件格式/捕获 ,就可以看到转换后的数据包长什么样子。
文件头
文件头Header只有一个,包含7个字段,具体含义如下:
Magic(4B):标记文件开始,0xd4c3b2a1表示小端模式,下面的字节都要交换顺序;如果是0xa1b2c3d4表示是大端模式,按照原来的顺序一个字节一个字节的读,
Major(2B):当前文件的主要版本号,一般为0x0200
Minor(2B):当前文件的次要版本号,一般为0x0400
ThisZone(4B):当地的标准事件,如果用的是GMT则全零,一般全零
SigFigs(4B):时间戳的精度,一般为全零
SnapLen(4B):个人理解是 在捕获数据包时设置的所要抓获的数据包中每一个报文的最大长度,默认为262144
LinkType(4B):链路类型。一般的值为1,即以太网,还有别的网络类型模式,不常用就没列出来
数据包头Packet
数据包头可以有多个,每个数据包头后面都跟着真正的数据包。以下是Packet Header的4个字段含义
Timestamp(4B):时间戳高位,精确到seconds,这是Unix时间戳。捕获数据包的时间一般是根据这个值
Timestamp(4B):时间戳低位,能够精确到microseconds
Tncluded lenth(4B):当前数据区的长度,即抓取到的数据帧长度,这个值一般要小于snaplen。
Origin Length(4B):离线数据长度,网路中实际数据帧的长度,一般不大于Caplen,多数情况下和Caplen值一样
DATA 储存数据帧的内容
3、snaplen参数个人理解:
在捕获数据包时设置的所要抓获的数据包中每一个报文的最大长度,tcpdump -s 可以设置snaplen的大小,若-s 0 或者不设置,则默认262144字节
tcpdump官网定义:
--snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. Note also that taking smaller snapshots will discard data from protocols above the transport layer, which loses information that may be important. NFS and AFS requests and replies, for example, are very large, and much of the detail won't be available if a too-short snapshot length is selected.
If you need to reduce the snapshot size below the default, you should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.
tcpdump源码:
/*
* Maximum snapshot length. This should be enough to capture the full
* packet on most network interfaces.
*
*
* Somewhat arbitrary, but chosen to be:
*
* 1) big enough for maximum-size Linux loopback packets (65549)
* and some USB packets captured with USBPcap:
*
* http://desowin.org/usbpcap/
*
* (> 131072, < 262144)
*
* and
*
* 2) small enough not to cause attempts to allocate huge amounts of
* memory; some applications might use the snapshot length in a
* savefile header to control the size of the buffer they allocate,
* so a size of, say, 2^31-1 might not work well.
*
* XXX - does it need to be bigger still?
*/
#define MAXIMUM_SNAPLEN 262144
/*
* The default snapshot length is the maximum.
*/
#define DEFAULT_SNAPLEN MAXIMUM_SNAPLEN
参考:
1、https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/netdissect.h
2、https://www.tcpdump.org/manpages/tcpdump.1.html
3、https://blog.csdn.net/lu_embedded/article/details/124952413
824
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
