• Linux cooked-mode capture format conversion


    When capturing with tcpdump, if the -i option names a specific network interface, the data link layer of the captured packets is an Ethernet header; if any is given instead, the Ethernet header is replaced by a Linux cooked capture header:

     # tcpdump -i any -w linux_sll.pcap
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
     # tcpdump -i eth1 -w enet.pcap
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    

    tcpdump can set the data link type with the -y option, but testing shows that when -i is any, an Ethernet data link type for the captured packets is not supported:

     # tcpdump -i any -w test.pcap -y EN10MB
    tcpdump: EN10MB is not one of the DLTs supported by this device
     # tcpdump -i eth1 -w test.pcap -y EN10MB
    tcpdump: data link type EN10MB
     # 
    

    In that case, if you need to convert Linux cooked capture format packets to Ethernet format, there are a few methods:

    1. Write code that reads each packet and rewrites it to a new file (using libpcap, or working directly from the pcap header struct offsets);

    2. With tcprewrite 3.0+, rewrite the file directly; this should be the quickest method.

    DLT Plugins
    As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the
    code easier to maintain, but also helps make things clearer for users regarding what is and isn't
    supported. Each plugin may support reading and/or writing packets. By default, the plugin used to
    read packets is also used for output, but you can override the output plugin using the --dlt option.
    Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type.
    This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco
    HDLC or capture on a BSD Loopback interface and replay over Ethernet.

    Plugins supported in output mode:
        Ethernet (enet)
        Cisco HDLC (hdlc)
        User defined Layer 2 (user)

    Plugins supported in input mode:
        Ethernet
        Cisco HDLC
        Linux SLL
        BSD Loopback
        BSD Null
        Raw IP
        802.11
        Juniper Ethernet (version >= 4.0)

    Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the
    supported output DLT type by using the --dlt=<output> option. Depending on the input DLT you may
    need to provide additional DLT plugin flags.

    The tcprewrite conversion commands are as follows:

     # tcpdump -r linux_sll.pcap
    reading from file linux_sll.pcap, link-type LINUX_SLL (Linux cooked)
     # tcprewrite --dlt=enet --infile=linux_sll.pcap  --outfile=enet.pcap
     # tcpdump -r enet.pcap
    reading from file enet.pcap, link-type EN10MB (Ethernet)
     #

    The only slight problem is that the Destination MAC of the converted data is empty; take note of this if you need that field.
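    Method 1 from the list above, written here as an added example (not code from the original post or from tcpreplay): a pure-Python rewriter that parses the pcap and SLL headers by offset and emits an EN10MB file. It also shows why the Destination MAC comes out empty: the cooked header records only the sender's link-layer address. The sample capture it converts is constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB, DLT_LINUX_SLL = 1, 113
SLL_HDR_LEN, ETH_HDR_LEN = 16, 14

def sll_to_ethernet(pcap):
    """Rewrite a LINUX_SLL pcap as EN10MB: each 16-byte cooked header becomes a
    14-byte Ethernet header (zero dst MAC, SLL sender address as src)."""
    # Byte order of the pcap file headers follows the magic number.
    end = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    magic, vmaj, vmin, tz, sig, snaplen, dlt = struct.unpack(end + "IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or dlt != DLT_LINUX_SLL:
        raise ValueError("input is not a LINUX_SLL pcap")
    out = bytearray(struct.pack(end + "IHHiIII", magic, vmaj, vmin, tz, sig, snaplen, DLT_EN10MB))
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        pkt = pcap[off:off + incl_len]
        off += incl_len
        # The SLL header is always big-endian: pkttype, ARPHRD type, addr len, addr[8], protocol.
        _pkttype, _arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", pkt[:SLL_HDR_LEN])
        # Cooked mode records only the sender's link-layer address; the destination
        # MAC is not available, so it is written as all zeros (which is why it is empty).
        src_mac = addr[:6] if addr_len == 6 else b"\x00" * 6
        new_pkt = b"\x00" * 6 + src_mac + struct.pack("!H", proto) + pkt[SLL_HDR_LEN:]
        shrink = SLL_HDR_LEN - ETH_HDR_LEN  # header is 2 bytes shorter after the rewrite
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(new_pkt), orig_len - shrink)
        out += new_pkt
    return bytes(out)

def build_sample_sll_pcap():
    """Constructed input: one cooked-mode record carrying a 20-byte dummy IPv4 header."""
    ipv4 = bytes.fromhex("450000140001000040110000c0a80001c0a80002")
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("001122334455") + b"\x00\x00", 0x0800)
    pkt = sll + ipv4
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    return gh + struct.pack("<IIII", 1600000000, 0, len(pkt), len(pkt)) + pkt

def first_frame(pcap):
    """Decode the link type and first Ethernet record of a native-order EN10MB pcap."""
    dlt = struct.unpack("<I", pcap[20:24])[0]
    incl_len = struct.unpack("<I", pcap[32:36])[0]
    frame = pcap[40:40 + incl_len]
    return {"dlt": dlt, "dst": frame[:6], "src": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0], "payload": frame[14:]}

if __name__ == "__main__":
    print(first_frame(sll_to_ethernet(build_sample_sll_pcap())))
```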

    Useful references:

    https://wiki.wireshark.org/SLL

    http://www.tcpdump.org/linktypes.html

    http://tcpreplay.synfin.net/wiki/tcprewrite

    Other:

    # tip: delete the VLAN tag
    # tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap
    


    Excellence, is not an act, but a habit.
    Author: 子厚.
    Source: http://www.cnblogs.com/aios/
    Copyright of this article is shared by the author and cnblogs (博客园). Reposting, discussion, likes and comments are welcome, but without the author's consent this statement must be kept and a clear link to the original must be given on the article page.

  • Original URL: https://www.cnblogs.com/aios/p/9545378.html