好吧
早就想寫一個博客了,希望可以像大佬一樣,不過一直沒有行動。既然已經讀研了,什么都玩過了,雖然也沒有很想好好學習,但是以后還是要吃飯的呀。就當記錄學習心得,也當做筆記吧,希望可以早日脫離弱雞。
本來想給博客寫一篇開題博客的,因為比較忙(懶)沒時間,所以我決定三天內把開篇博客寫了,嗯,這不重要。沒想到第一篇博客是寫pcap文件格式的。
下面正文:
Pcap文件格式實際上是抓取網絡數據包的標准格式。具體的說明點擊這里。
Pcap文件是二進制流文件,由一個文件頭和若干個數據頭+數據信息組成。
|Global Header|Packet Header|Packet Data|Packet Header|Packet Data|...|
文件頭(24位)
| bytes | type | Name | Description |
|---|---|---|---|
| 4 | uint32 | magic_number | 'A1B2C3D4' means the endianness is correct |
| 2 | uint16 | version_major | major number of the file format |
| 2 | uint16 | version_minor | minor number of the file format |
| 4 | int32 | thiszone | correction time in seconds from UTC to local time (0) |
| 4 | uint32 | sigfigs | accuracy of time stamps in the capture (0) |
| 4 | uint32 | snaplen | max length of captured packed (65535) |
| 4 | uint32 | network | type of data link (1 = ethernet) |
數據包頭(16位)
| bytes | type | Name | Description |
|---|---|---|---|
| 4 | uint32 | ts_sec | timestamp seconds |
| 4 | uint32 | ts_usec | timestamp microseconds |
| 4 | uint32 | incl_len | number of octets of packet saved in file |
| 4 | uint32 | orig_len | actual length of packet |
數據包數據就是以太網數據幀了,以太網數據幀頭(16位),IP數據報頭(20位),TCP數據報頭(20位),之后就是真正的數據信息了。
數據直接緊跟在數據頭后,沒有校准。
相關庫:
libpcap: the origin of this file format (for UN*X based systems)
WinPcap: Windows based version of libpcap
There are wrappers for various programming languages available (but you must have one of the above libs installed):
Net::Pcap: Perl based libpcap wrapper
Jpcap: JAVA based libpcap wrapper
python-libpcap: Python based libpcap wrapper
Ruby/Pcap: Ruby based libpcap wrapper
下一篇文章寫python處理pcap文件。