Linux 创建 pcap 文件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10113653/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Creating a pcap file
提问by Robert Kubrick
I need to save UDP packets to a file and would like to use the pcap format to reuse the various tools available (wireshark, tcpdump, ...). There are some information in this threadbut I can't find how to write the global file header 'struct pcap_file_header'.
我需要将 UDP 数据包保存到一个文件中,并希望使用 pcap 格式来重用各种可用的工具(wireshark、tcpdump 等)。该线程中有一些信息,但我找不到如何编写全局文件头“struct pcap_file_header”。
pcap_t* pd = pcap_open_dead(DLT_RAW, 65535);
pcap_dumper_t* pdumper = pcap_dump_open(pd, filename);
struct pcap_file_header file_hdr;
file_hdr.magic_number = 0xa1b2c3d4;
file_hdr.version_major = 2;
file_hdr.version_minor = 4;
file_hdr.thiszone = 0;
file_hdr.sigfigs = 0;
file_hdr.snaplen = 65535;
file_hdr.linktype = 1;
// How do I write file_hdr to m_pdumper?
while( (len = recvmsg(sd, &msg_hdr, 0)) > 0 )
pcap_dump((u_char*)m_pdumper, &m_pcap_pkthdr, (const u_char*)&data);
How should I write the global file header? If there is no specific pcap function available, how can I retrieve the file descriptor to insert the header using write()?
我应该如何编写全局文件头?如果没有可用的特定 pcap 函数,我如何检索文件描述符以使用 write() 插入标头?
采纳答案by je4d
You shouldn't need to write that header, pcap_open_deadshould do it for you. You only need to fill out and write that header yourself if you want to write the file directly instead of using pcap_dumpand friends. There's an example hereof a trivial program write out a pcap file with those functions.
你不应该需要写那个标题,pcap_open_dead应该为你做。如果您想直接编写文件而不是使用pcap_dump和朋友,则只需要自己填写并编写该标题。这里有一个简单程序的例子,它用这些函数写出一个 pcap 文件。
original answer, concerning writing the file directly:
原始答案,关于直接写入文件:
I can't remember exactly how this works, but I wrote a patch to redira while ago that would write out pcap files, you may be able to use it as an example.
我不记得它是如何工作的,但我redir前段时间写了一个补丁来写出 pcap 文件,你可以用它作为例子。
You can find it attached to this debian bug. (bug link fixed.)
你可以在这个 debian bug 中找到它。(错误链接已修复。)
Some of it is for faking the ethernet and IP headers, and may not be applicable as you're using pcap_dump_openand pcap_dumpwhere as the patch linked above writes out the pcapfile without using any libraries, but I'll leave this here anyway in case it helps.
其中一些用于伪造以太网和 IP 标头,可能不适用,因为您正在使用,pcap_dump_open并且pcap_dump上面链接的补丁在pcap不使用任何库的情况下写出文件,但无论如何我都会把它留在这里以防万一它有帮助.
回答by poukill
If you are interested in UDP and TCP only, you should use DLT_EN10MBinstead of DLT_RAW( cf pcap_open_dead to simulate full UDP packets capture).
如果你只对 UDP 和 TCP 感兴趣,你应该使用DLT_EN10MB而不是DLT_RAW(cf pcap_open_dead 来模拟完整的 UDP 数据包捕获)。
It is much better when editing in WireShak.
在 WireShak 中编辑会好得多。
