Description of the capture file format
Source: Internet | Published: js中new dateformat | Editor: 程序博客网 | Time: 2024/06/01 01:34
That's the file header. Many capture file formats have such a header.
The header of libpcap-format files (as used by tcpdump, Ethereal,
Analyzer, and a number of other programs) contains:
    a 32-bit "magic number";
    a 16-bit major version number;
    a 16-bit minor version number;
    an unused 32-bit time zone offset field;
    an unused 32-bit time stamp accuracy field;
    a 32-bit field giving the maximum length of the saved data in packets;
    a 32-bit field giving the link-layer type of the packets in the capture.
All numbers are in the same byte order, which is typically the byte
order of the machine that wrote the capture file.
The magic number has the value hex A1B2C3D4. On a big-endian machine,
such as a SPARC machine, the four bytes of that number are A1, B2, C3,
and D4, in order. On a little-endian machine, such as a PC, the four
bytes of that number are D4, C3, B2, and A1, in order.
(Big-endian and little-endian are two ways of laying out stored data. The word "endian" comes from Gulliver's Travels: the civil war in Lilliput arose over whether a boiled egg should be broken at the big end (Big-Endian) or the little end (Little-Endian); six rebellions broke out over it, in which one emperor lost his life and another his throne. "Endian" is generally translated into Chinese as 字节序 (byte order), with big endian and little endian rendered as 大尾 and 小尾.)
That number serves two purposes:
1) it indicates that the file is a libpcap-format file;
2) it indicates the byte order of the numbers in the file header
and the header written in front of the packet data.
If, when a program or library routine reads the file header, the number
is hex A1B2C3D4, the other numbers in the header are in the byte order
of the machine reading the file, and do not need to be byte-swapped.
If, however, it's D4C3B2A1, they're in the opposite byte order of the
machine reading the file, so the program or library routine needs to
byte-swap them.
The current major and minor version numbers for libpcap-format files are
2 and 4, respectively.
The two unused fields are set to 0 by libpcap (as used by tcpdump and
many other programs) and the internal library Ethereal uses to write
capture files. I don't know whether they were ever used.
The maximum length of the saved data in packets is the "snapshot length"
specified when the capture was done, e.g. with "-s" for tcpdump or
Tethereal, and "-s" or the appropriate dialog box option for Ethereal,
causing no more than that many bytes of packet data to be saved to the
file.
The link-layer type is a number specifying the type of link-layer
headers in the capture, e.g. Ethernet, FDDI, Token Ring, etc..
Following that header are a sequence of records, one per packet. Each
record consists of a per-packet header followed by the raw packet data.
The per-packet header contains:
    a time stamp, consisting of 2 32-bit numbers, giving the time the
    packet arrived, in seconds since January 1, 1970, 00:00:00 GMT in the
    first number, and microseconds since the second in question in the
    second number;
    a 32-bit number giving the number of bytes of data for that packet
    that are in the file (the frame length stored in the capture file);
    a 32-bit number giving the number of bytes of data that were in the
    packet - this could be larger than the previous number (the frame
    length on the wire).
So the data before the first MAC address, in an Ethernet capture,
consists of *two separate* pieces:
1) the per-file header;
2) the per-packet header.
There is only one per-file header, at the beginning of the file. There
is one per-packet header before *each* packet's data.
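To make the layout above concrete, here is an added example (not part of the original explanation) that reads the 24-byte file header and the 16-byte per-packet headers with Python's `struct` module. It detects the byte order from the stored magic bytes exactly as described, then walks the records, refusing to trust a stored length that exceeds the snapshot length, the on-the-wire length, or the bytes actually present in the file. The sample capture it parses is constructed in `build_sample_pcap()` for both byte orders; the link-layer type value 1 used there is the standard number for Ethernet.

```python
import struct

FILE_HEADER_LEN = 24      # magic, two 16-bit version fields, four more 32-bit fields
PACKET_HEADER_LEN = 16    # ts_sec, ts_usec, bytes stored in file, bytes on the wire
PCAP_MAGIC = 0xA1B2C3D4


def detect_byte_order(data: bytes) -> str:
    """Return the struct byte-order prefix implied by the first four bytes.

    The magic is written as a native 32-bit integer, so the byte sequence
    on disk tells the reader which order the rest of the headers use.
    """
    first_four = data[:4]
    if first_four == b"\xa1\xb2\xc3\xd4":
        return ">"   # writer was big-endian (e.g. SPARC)
    if first_four == b"\xd4\xc3\xb2\xa1":
        return "<"   # writer was little-endian (e.g. PC)
    raise ValueError("not a libpcap-format file (magic bytes %s)" % first_four.hex())


def parse_file_header(data: bytes) -> dict:
    """Decode the per-file header; the returned 'order' is reused for packets."""
    if len(data) < FILE_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte file header")
    order = detect_byte_order(data)
    # I = uint32, H = uint16, i = int32 (the time zone offset is a signed field)
    magic, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:FILE_HEADER_LEN])
    return {"order": order, "magic": magic, "version": (major, minor),
            "thiszone": thiszone, "sigfigs": sigfigs,
            "snaplen": snaplen, "linktype": linktype}


def parse_packets(data: bytes, header: dict) -> list:
    """Walk the records that follow the file header, one per packet."""
    order, snaplen = header["order"], header["snaplen"]
    offset = FILE_HEADER_LEN
    packets = []
    while offset < len(data):
        if len(data) - offset < PACKET_HEADER_LEN:
            raise ValueError("truncated per-packet header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + PACKET_HEADER_LEN])
        offset += PACKET_HEADER_LEN
        # Sanity checks before using incl_len as a slice length: the stored
        # length is bounded by the snapshot length and by the on-the-wire
        # length, and the bytes it claims must actually be in the file.
        if incl_len > snaplen:
            raise ValueError("incl_len %d exceeds snaplen %d" % (incl_len, snaplen))
        if incl_len > orig_len:
            raise ValueError("incl_len %d exceeds orig_len %d" % (incl_len, orig_len))
        if ts_usec >= 1_000_000:
            raise ValueError("microsecond field %d out of range" % ts_usec)
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        packets.append({"ts_sec": ts_sec, "ts_usec": ts_usec,
                        "incl_len": incl_len, "orig_len": orig_len,
                        "data": data[offset:offset + incl_len]})
        offset += incl_len
    return packets


def build_sample_pcap(order: str) -> bytes:
    """Constructed sample capture (not a real trace) with two Ethernet frames.

    Frame 1 was 60 bytes on the wire but the capture used snaplen 40, so
    only 40 bytes are stored; frame 2 (20 bytes) fits entirely.
    """
    snaplen, linktype_ethernet = 40, 1
    file_header = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                              snaplen, linktype_ethernet)
    # dst MAC, src MAC, EtherType, padding (addresses are made-up values)
    frame1 = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + bytes(46)
    frame2 = bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + b"\x08\x06" + bytes(6)
    out = file_header
    out += struct.pack(order + "IIII", 1700000000, 250000, snaplen, len(frame1)) + frame1[:snaplen]
    out += struct.pack(order + "IIII", 1700000001, 5, len(frame2), len(frame2)) + frame2
    return out


if __name__ == "__main__":
    for order in ("<", ">"):
        capture = build_sample_pcap(order)
        header = parse_file_header(capture)
        for pkt in parse_packets(capture, header):
            print(order, header["version"], pkt["ts_sec"], pkt["incl_len"], pkt["orig_len"])
```

Reading the same two frames back from both the little-endian and the big-endian sample gives identical packet data, which is the whole point of the magic number: the reader byte-swaps the header fields, never the packet bytes themselves.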
Note that libpcap includes routines to read and write these files, so
one rarely needs to know the details of this - if you want to write a
program to read or write those files, you should try to use the libpcap
routines to read them ("pcap_open_offline()", "pcap_loop()",
"pcap_close()") or to write them ("pcap_dump_open()", "pcap_dump()",
"pcap_dump_close()") if you can.