pcap function: pcap_open() question
When I successfully find a device on my computer and make the call to pcap_open(...), is this giving me packets only going to and from my computer? What about other computers on the network? Does it show me packets that haven't been sent yet?
Comments (1)
Short answers:
Depends, depends, and no.
Longer answers:
You need to understand a few things before the questions can be answered. First, you need to know that every packet sent on an Ethernet network will contain an Ethernet header that specifies a source and destination address. These addresses belong to the Ethernet cards of the sender and intended receiver on the Ethernet network. Note, these are different from IP addresses. (See the address resolution protocol (ARP) for how the Ethernet addresses are found.)
When a computer receives a packet whose Ethernet header's destination address matches its own Ethernet card's address, it processes it. Otherwise, it discards it.
If you have a bunch of computers plugged into a hub, for example, then when one computer sends a packet to another computer, ALL of the computers will see it since hubs simply broadcast every packet they receive on all the attached links. Only one computer will actually process the packet though, and that is the computer specified in the Ethernet header.
Now, onto pcap. You can capture packets in promiscuous mode or non-promiscuous mode (not sure if there is a better term for that). If your interface is in promiscuous mode, pcap will show ALL packets that are received on your interface, even if the destination of the packet does not match the destination of that interface. In non-promiscuous mode it will only show packets whose destination field matches the address of your interface.
Now to answer your questions.
You will always see packets that are sent FROM your computer and always see packets that are destined specifically TO your computer. You MAY see packets sent FROM other computers depending on your network. You MAY see packets sent TO other computers on your network depending on your network. For example, if you are capturing packets on a WiFi interface, you can see packets that are destined and sent from other computers (because they are broadcast over the air and anyone in range can see them). Same thing for a hub, which broadcasts all packets it receives. If your adapter is in promiscuous mode, pcap will show them, hence you can see traffic sent to/from other computers. If, on the other hand, your computer is plugged into a switch or router, you will only see your traffic because the switch/router will not send you other computers' traffic (read up on hubs/switches/routers to see why). Lastly, it will NOT show you packets that have not been sent yet since they have to be sent out an interface before pcap can see them.
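The destination-address check described in the answer, as an added example that is not part of the original answer and does not call libpcap: it classifies the raw frame bytes a capture callback would receive against the interface's own address, so you can tell which captured frames are third-party traffic. The names, MAC addresses and sample frames are constructed for illustration, and the broadcast/multicast cases go beyond the unicast case the answer describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define ETH_HDR_LEN 14   /* destination(6) + source(6) + EtherType(2) */

enum frame_class {
    FRAME_TRUNCATED,   /* capture shorter than an Ethernet header */
    FRAME_FROM_ME,     /* source address is this interface */
    FRAME_TO_ME,       /* unicast destination is this interface */
    FRAME_BROADCAST,   /* ff:ff:ff:ff:ff:ff, accepted by every NIC */
    FRAME_MULTICAST,   /* group bit set; accepted only if subscribed */
    FRAME_OTHER_HOST   /* unicast between two other machines */
};

/* Classify one captured frame relative to our interface address. */
enum frame_class classify_frame(const uint8_t *frame, size_t caplen,
                                const uint8_t my_mac[MAC_LEN])
{
    static const uint8_t bcast[MAC_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (frame == NULL || caplen < ETH_HDR_LEN)
        return FRAME_TRUNCATED;
    const uint8_t *dst = frame;            /* header bytes 0..5  */
    const uint8_t *src = frame + MAC_LEN;  /* header bytes 6..11 */
    if (memcmp(src, my_mac, MAC_LEN) == 0) return FRAME_FROM_ME;
    if (memcmp(dst, my_mac, MAC_LEN) == 0) return FRAME_TO_ME;
    if (memcmp(dst, bcast, MAC_LEN) == 0)  return FRAME_BROADCAST;
    if (dst[0] & 0x01)                     return FRAME_MULTICAST;
    return FRAME_OTHER_HOST;
}

/* Only other-host unicast is certain to need promiscuous mode;
   multicast depends on group membership, so it is not counted here. */
int needs_promiscuous(enum frame_class c) { return c == FRAME_OTHER_HOST; }

/* Constructed sample data, not taken from a real capture. */
static const uint8_t MY_MAC[MAC_LEN] = {0x02,0,0,0,0,0x01};
static const uint8_t SAMPLE_OTHER[ETH_HDR_LEN] = {0x02,0,0,0,0,0x03, 0x02,0,0,0,0,0x02, 0x08,0x00};
static const uint8_t SAMPLE_BCAST[ETH_HDR_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x02, 0x08,0x06};
static const uint8_t SAMPLE_TO_ME[ETH_HDR_LEN] = {0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00};

int main(void) {
    enum frame_class c = classify_frame(SAMPLE_OTHER, sizeof SAMPLE_OTHER, MY_MAC);
    printf("other-host frame: class %d, promiscuous needed: %d\n", c, needs_promiscuous(c));
    return 0;
}
```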