PCAP捕获文件头怎么写?
在不使用 libpcap 的情况下,我尝试编写一个符合 pcap 文件格式的日志文件(格式)。该文件需要可由 WireShark 读取。到目前为止,我已经用 C++ 编写了这个:
struct pcapFileHeader {
uint32_t magic_number; /* magic number */
uint16_t version_major; /* major version number */
uint16_t version_minor; /* minor version number */
int16_t thiszone; /* GMT to local correction */
uint32_t sigfigs; /* accuracy of timestamps */
uint32_t snaplen; /* max length of captured packets, in octets */
uint32_t network; /* data link type */
};
ofstream fileout;
fileout.open("file.pcap", ios::trunc);
pcapFileHeader fileHeader;
fileHeader.magic_number = 0xa1b2c3d4;
fileHeader.version_major = 2;
fileHeader.version_minor = 4;
fileHeader.thiszone = 0;
fileHeader.sigfigs = 0;
fileHeader.snaplen = 65535; //(2^16)
fileHeader.network = 1; //Ethernet
fileout << fileHeader.magic_number <<
fileHeader.version_major <<
fileHeader.version_minor <<
fileHeader.thiszone <<
fileHeader.sigfigs <<
fileHeader.snaplen <<
fileHeader.network;
fileout.close();
所以这应该创建一个空白捕获文件,但是当我在 Wireshark 中打开它时,我会看到:
文件“hello.pcap”似乎在数据包或其他数据的中间被缩短。
我尝试以二进制模式打开输出文件,但这没有帮助。我会将其发布在 WireShark 论坛中,但我认为这是用户错误,而不是 WireShark 的问题。
非常感谢您的帮助。
Without using libpcap I am trying to write a log file that adheres to the pcap file format (format). This file needs to be readable by WireShark. So far I've written this in C++:
struct pcapFileHeader {
uint32_t magic_number; /* magic number */
uint16_t version_major; /* major version number */
uint16_t version_minor; /* minor version number */
int16_t thiszone; /* GMT to local correction */
uint32_t sigfigs; /* accuracy of timestamps */
uint32_t snaplen; /* max length of captured packets, in octets */
uint32_t network; /* data link type */
};
ofstream fileout;
fileout.open("file.pcap", ios::trunc);
pcapFileHeader fileHeader;
fileHeader.magic_number = 0xa1b2c3d4;
fileHeader.version_major = 2;
fileHeader.version_minor = 4;
fileHeader.thiszone = 0;
fileHeader.sigfigs = 0;
fileHeader.snaplen = 65535; //(2^16)
fileHeader.network = 1; //Ethernet
fileout << fileHeader.magic_number <<
fileHeader.version_major <<
fileHeader.version_minor <<
fileHeader.thiszone <<
fileHeader.sigfigs <<
fileHeader.snaplen <<
fileHeader.network;
fileout.close();
So this should make a blank capture file, but when I open it in Wireshark I am greeted with:
The file "hello.pcap" appears to have been cut short in the middle of a packet or other data.
I've tried opening the output file in binary mode but that didn't help. I would post this in the WireShark forum, but I think this is user error, not something wrong with WireShark.
Help would be much appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
<<写入格式化为文本的数字(例如,五个字符的字符串“65535”,而不是表示该数字的四个字节)。要输出二进制数据,请使用 ios::binary 打开文件并使用 write。该语句将写入整个标头:
读取器检测到字节顺序,因此只要结构成员之间没有填充,它就是可移植的。
请注意,
thiszone应为int32_t。<<writes the numbers formatted as text (e.g., the five-character string "65535" instead of four bytes representing that number).To output binary data open the file with
ios::binaryand usewrite. This statement will write the entire header:The endianness is detected by the reader, so this is portable as long as there's no padding between the struct members.
Note that
thiszoneshould beint32_t.