Converting Linux cooked-mode capture format


 

When capturing with tcpdump, if the -i option names a specific interface, the data-link layer of the captured packets is an Ethernet header; if it is given as any, the Ethernet header is replaced by a Linux cooked capture header:

 # tcpdump -i any -w linux_sll.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

 

 # tcpdump -i eth1 -w enet.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

 

tcpdump accepts a -y option to specify the data link type, but testing shows that when -i is any, capturing with an Ethernet data link type is not supported:

 # tcpdump -i any -w test.pcap -y EN10MB
tcpdump: EN10MB is not one of the DLTs supported by this device
 # tcpdump -i eth1 -w test.pcap -y EN10MB
tcpdump: data link type EN10MB
 # 

 

In that case, if packets in Linux cooked capture format need to be converted to Ethernet format, there are a few methods:

1. Write code that reads each packet and rewrites it into a new file (using libpcap, or working directly from the pcap header struct offsets);

2. Under tcpdump 3.0+, tcprewrite can do the rewrite directly; this should be the quickest method.

DLT Plugins

As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the code easier to maintain, but also helps make things clearer for users regarding what is and isn't supported. Each plugin may support reading and/or writing packets. By default, the plugin used to read packets is also used for output, but you can override the output plugin using the --dlt option. Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type. This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco HDLC, or capture on a BSD Loopback interface and replay over Ethernet.

Plugins supported in output mode:
- Ethernet (enet)
- Cisco HDLC (hdlc)
- User defined Layer 2 (user)

Plugins supported in input mode:
- Ethernet
- Cisco HDLC
- Linux SLL
- BSD Loopback
- BSD Null
- Raw IP
- 802.11
- Juniper Ethernet (version >= 4.0)

Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the supported output DLT types by using the --dlt=<output> option. Depending on the input DLT you may need to provide additional DLT plugin flags.

 

The tcprewrite conversion commands are as follows:

 # tcpdump -r linux_sll.pcap
reading from file linux_sll.pcap, link-type LINUX_SLL (Linux cooked)
 # tcprewrite --dlt=enet --infile=linux_sll.pcap  --outfile=enet.pcap
 # tcpdump -r enet.pcap
reading from file enet.pcap, link-type EN10MB (Ethernet)
 #

 

The one slight problem is that the Destination MAC of the converted data is empty, so anyone who needs that field should take note of this.
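Method 1 above, as an added example that is not code from the original post: a self-contained Python script that rewrites a classic pcap file from LINUX_SLL (113) to EN10MB (1) using the header struct offsets, and that reproduces the empty destination MAC just noted, since the cooked header only carries the sender's address. It assumes the classic pcap container (not pcapng); the sample capture bytes at the bottom are constructed for illustration.

```python
import struct

LINKTYPE_LINUX_SLL = 113   # tcpdump "link-type LINUX_SLL"
LINKTYPE_ETHERNET = 1      # tcpdump "link-type EN10MB"
SLL_HDR_LEN = 16           # Linux cooked header: 2+2+2+8+2 bytes
ETH_HDR_LEN = 14           # Ethernet II header: 6+6+2 bytes

def sll_to_ethernet(pcap_bytes: bytes) -> bytes:
    """Rewrite a LINUX_SLL pcap (classic format, in memory) as an EN10MB pcap.
    The destination MAC is all-zero: the cooked header only carries the sender's
    link-layer address, which is why converted packets show an empty one."""
    magic = pcap_bytes[:4]
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"                                   # big-endian writer
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"                                   # little-endian writer
    else:
        raise ValueError("not a classic pcap file")
    hdr = struct.unpack(endian + "IHHiIII", pcap_bytes[:24])
    if hdr[6] != LINKTYPE_LINUX_SLL:
        raise ValueError(f"expected link type 113, got {hdr[6]}")
    out = [struct.pack(endian + "IHHiIII", *hdr[:6], LINKTYPE_ETHERNET)]
    off = 24
    while off < len(pcap_bytes):
        ts_sec, ts_frac, incl, orig = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < SLL_HDR_LEN:
            raise ValueError("truncated cooked header")
        # SLL fields are network byte order: packet type, ARPHRD type, address length,
        # 8-byte address (zero padded), protocol type
        _ptype, hatype, halen, addr, proto = struct.unpack("!HHH8sH", pkt[:SLL_HDR_LEN])
        src_mac = addr[:6] if (hatype == 1 and halen == 6) else b"\x00" * 6  # 1 = ARPHRD_ETHER
        eth = b"\x00" * 6 + src_mac + struct.pack("!H", proto)
        delta = SLL_HDR_LEN - ETH_HDR_LEN                 # frame shrinks by 2 bytes
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, incl - delta, orig - delta))
        out.append(eth + pkt[SLL_HDR_LEN:])
    return b"".join(out)

# Constructed sample: little-endian pcap, one cooked frame from 00:11:22:33:44:55
# carrying a 20-byte IPv4 header stub (not a real capture).
SAMPLE_SLL_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, LINKTYPE_LINUX_SLL)
    + struct.pack("<IIII", 1, 0, SLL_HDR_LEN + 20, SLL_HDR_LEN + 20)
    + struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("001122334455"), 0x0800)
    + b"\x45" + b"\x00" * 19
)
```

To convert a real file, read it into bytes, pass it to sll_to_ethernet and write the result out; tcpdump -r on the result should then report link-type EN10MB.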

 

Reference links:

https://wiki.wireshark.org/SLL

http://www.tcpdump.org/linktypes.html

http://tcpreplay.synfin.net/wiki/tcprewrite

 

Other:

# tip: strip VLAN tags
# tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap
