从 PPP 接口捕获数据包的问题
我正在使用libpcap从PPP接口捕获数据,并添加过滤器,如下所示:
char filter_exp[] = "ip";
但是当我在回调函数中嗅探数据包时,我发现ip数据包的格式不
正确,标头大小不是20字节。
当我从 eth0 捕获数据包时,一切正常。
谁能告诉我如何通过libpcap从PPP接口获取正确的ip数据包,谢谢!
I am using libpcap to capture data from PPP interface, and add filter as follow:
char filter_exp[] = "ip";
But when i sniff the packets in callback function, I found that the format of ip packet is
not correct, the header size is not 20 byte.
And when I capture packets from eth0, everything is normal.
So who can tell me how to get the correct ip packets from PPP interface by libpcap, thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您的回调函数正在使用
pcap_t上的pcap_datalink()调用的结果来确定如何解析数据包,或者您根据结果指定了不同的回调函数pcap_datalink(),对吗?如果不是,您可能会假设数据包将具有特定的链路层标头类型,但这始终是错误的做法。
PPP 数据包不一定具有与以太网数据包相同的链路层标头类型(尽管在使用 WinPcap 的 Windows 上,它们可能具有相同的链路层标头类型!)。它们也可能没有 PPP 标头;特别是,在 Linux 上,它们将具有 Linux 熟捕获标头 因为,至少在有一点,内核会剥离 PPP 标头并提供不链路层标头,因此 libpcap 必须进行“熟”捕获才能获得网络层协议类型。对于 Linux 上的 PPP 设备,
pcap_datalink()将返回DLT_LINUX_SLL,而不是DLT_PPP,以表明这一点。Your callback function is using the results of a
pcap_datalink()call on thepcap_tto determine how to parse the packets, or you've specified different callback functions depending on the results ofpcap_datalink(), right?If not, you are probably assuming that the packets will have a particular link-layer header type, which is always the wrong thing to do.
PPP packets won't necessarily have the same link-layer header type as Ethernet packets (although on Windows with WinPcap, they might have the same link-layer header type!). They might not have a PPP header, either; in particular, on Linux, they will have a Linux cooked capture header because, at least at one point, the kernel would strip the PPP header and supply no link-layer header, so libpcap had to do a "cooked" capture in order to be able to get the network-layer protocol type.
pcap_datalink()will returnDLT_LINUX_SLL, notDLT_PPP, for PPP devices on Linux, to indicate this.PPP 和IP 是完全不同的协议。如果您通过 PPP 传输 IP 数据报,则将它们包装在 PPP 标头中,并将 IP 数据包作为有效负载。在数据包成为 IP 数据包之前,您需要从数据包中去除 PPP 信息。
PPP and IP are completely different protocols. If you're transferring IP datagrams over PPP then you're wrapping them in the PPP header with the IP packet as the payload. You'll need to strip the PPP information from the packet before it's an IP packet.