好吧
早就想写一个博客了,希望可以像大佬一样,不过一直没有行动。既然已经读研了,什么都玩过了,虽然也没有很想好好学习,但是以后还是要吃饭的呀。就当记录学习心得,也当做笔记吧,希望可以早日脱离弱鸡。
本来想给博客写一篇开题博客的,因为比较忙(懒)没时间,所以我决定三天内把开篇博客写了,嗯,这不重要。没想到第一篇博客是写pcap文件格式的。
下面正文:
Pcap文件格式实际上是抓取网络数据包的标准格式。具体的说明点击这里。
Pcap文件是二进制流文件,由一个文件头和若干个数据头+数据信息组成。
|Global Header|Packet Header|Packet Data|Packet Header|Packet Data|...|
文件头(24位)
| bytes | type | Name | Description |
|---|---|---|---|
| 4 | uint32 | magic_number | 'A1B2C3D4' means the endianness is correct |
| 2 | uint16 | version_major | major number of the file format |
| 2 | uint16 | version_minor | minor number of the file format |
| 4 | int32 | thiszone | correction time in seconds from UTC to local time (0) |
| 4 | uint32 | sigfigs | accuracy of time stamps in the capture (0) |
| 4 | uint32 | snaplen | max length of captured packed (65535) |
| 4 | uint32 | network | type of data link (1 = ethernet) |
数据包头(16位)
| bytes | type | Name | Description |
|---|---|---|---|
| 4 | uint32 | ts_sec | timestamp seconds |
| 4 | uint32 | ts_usec | timestamp microseconds |
| 4 | uint32 | incl_len | number of octets of packet saved in file |
| 4 | uint32 | orig_len | actual length of packet |
数据包数据就是以太网数据帧了,以太网数据帧头(16位),IP数据报头(20位),TCP数据报头(20位),之后就是真正的数据信息了。
数据直接紧跟在数据头后,没有校准。
相关库:
libpcap: the origin of this file format (for UN*X based systems)
WinPcap: Windows based version of libpcap
There are wrappers for various programming languages available (but you must have one of the above libs installed):
Net::Pcap: Perl based libpcap wrapper
Jpcap: JAVA based libpcap wrapper
python-libpcap: Python based libpcap wrapper
Ruby/Pcap: Ruby based libpcap wrapper
下一篇文章写python处理pcap文件。