pcap struct pcap_pkthdr len 与 caplen
我们在 Linux 上使用 libpcap 嗅探数据包 我们在每个数据包上获得的标头如下所示:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
现在,据我了解,caplen 是我们捕获的数据的长度 len 是线路上数据包的长度。在某些情况下(例如,打开 pcap 设备时将 snaplen 设置得太低),我们可能只捕获数据包的部分内容,该长度将为“caplen”,而“len”是原始长度。因此,caplen 应等于或小于 len,但绝不能大于 len。
这是正确的理解吗?我们正在看到卡普伦>某些机器上的 len
We're sniffing packets using libpcap on linux
The header we get on each packet looks like:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
Now, It is my understanding that caplen is the length of the data we have captured while
len is the length of the packet on the wire. In some cases (e.g. when setting the snaplen too low when opening the pcap device) we might capture only parts of the packet, that length will be 'caplen', while 'len' is the original length. Thus, caplen should be equal to or less than len, but never greater than len.
Is that a proper understanding ? We're seing caplen > len on some machines
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
是的,您的理解是正确的
caplen始终小于Len。有时我们不需要捕获整个数据包。但是如果有机会的话,为什么不捕获整个数据包呢?
因为在网络流量大的情况下,这不是一个好主意。
如果我们不捕获线路上出现的整个数据包,我们实际上不会丢失宝贵的数据吗?
不。实际上这取决于您的目的,如果您只想根据协议和应用程序对数据包进行分类,您只需要大约 14 字节(以太网)加上 20 字节(Ip)+ 再加上另外 20 字节(Tcp)因此,您显然只需要 54 字节的数据来根据协议对数据包进行分类,因此将处理大小从 pcappkthdr->len 减少到 pcappkthdr-> 可以节省大量负载和时间;caplen :)
关于
snaplen有时大于len的问题:如果数据包中的标头被损坏(意味着如果标头长度值以某种方式混乱),则捕获的长度将大于数据包的实际长度。
Yes your understanding is right
caplenis always less thanLen. Sometimes we don't need to capture the whole packet .But why wouldn't you capture the whole packet given a chance ?
Because in a heavy network traffic that wouldn't be a good idea .
Aren't we actually losing precious data if we don't capture the whole packet that appears on the wire ?
No. Actually it depends on your purpose , if you just want to classify packets based on the protocols and the application it is destined to , u just need around 14 bytes( Ethernet ) plus 20 bytes ( Ip ) + plus another 20 ( Tcp ) thus you apparently need only 54 bytes of data to classify packets based on protocols , so a lot of load and time is saved on reducing the processing size from
pcappkthdr->lentopcappkthdr->caplen:)Regarding your question about
snaplenbeing greater thanlensometimes:If the headers in the packets are corrupted ( meaning that if the headerlength values are messed up somehow ) then the captured length would be greater than the actual length of the packet .
如果卡普伦>莱恩,这是一个错误;您使用什么版本的 libpcap?
If caplen > len, that's a bug; what version of libpcap are you using?
您的理解是正确的,至少基于 pcap 手册页。
caplen 是捕获中可用的数据量。 len 是数据包的实际长度。
我不知道有任何情况会给你一个 caplen >长度。我通常认为它们是相等的,因为我的 snaplen 足够高。
Your understanding is correct, at least based on the pcap man page.
caplen is the amount of data available to you in the capture. len was the actual length of the packet.
I'm not aware of any cases that would give you a caplen > len. I usually seem them being equal as my snaplen is sufficiently high.