Pcap capture merge problem
I have two pcap files
$ capinfos cap1_stego0.pcap
File name: cap1_stego0.pcap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Raw IP
Number of packets: 713
and
$ capinfos cap1_wlan0.pcap
File name: cap1_wlan0.pcap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
I want to merge them, but the encapsulation is different. If I use
mergecap -v -w asd.pcap cap1_stego0.pcap cap1_wlan0.pcap -T rawip
or
mergecap -v -w asd.pcap cap1_wlan0.pcap cap1_stego0.pcap -T rawip
Wireshark doesn't recognize the second file passed and shows packets of cap1_wlan0.pcap
or packets of cap1_stego0.pcap
as raw packet data
respectively. Also, using "tcpslice" to remove the Ethernet layer of cap1_wlan0.pcap
(to have both files with rawip
encapsulation) shows me unrecognized packet data.
How can I do this? Is there a way to merge pcaps with different encapsulation, or to convert eth->rawip or rawip->eth? Thank you.
Comments (2)
One way to convert a RAW_IP file to an ethernet encapsulated file (which can then be merged with other ethernet-encapsulated files):
Use tshark to get a hex dump of the packets from the RAW_IP file:
(grep is used to remove the "summary" lines from the tshark output).
Use text2pcap to convert back to a pcap file while adding dummy
ethernet headers:
If you want to keep the timestamps, you'll have to play around a bit with the tshark output
to get a text file which contains the timestamps in a format which text2pcap will accept and also contains the hex packet info.
[[
Does tcpslice have an option to remove ethernet headers ?
(Looking at the man page, it appears that tcpslice is used to extract time-ranges from a pcap file).
If you do have a way to remove Ethernet headers from a capture file, you must make sure the resulting pcap file has an encapsulation type of RAW_IP before trying to read it with Wireshark, mergecap, etc.
Also note that the -T switch to mergecap just forces the encapsulation type specified in the file; the actual encapsulation isn't altered (i.e., no bytes are added/changed/deleted).
]]
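The conversion this answer describes (a dummy Ethernet header prepended to every Raw IP packet, so the file can be merged with Ethernet captures), written as an added Python example instead of the tshark/text2pcap pipeline the answer uses; this is not the answerer's code. It operates directly on the classic pcap format, which also makes the point about `mergecap -T` concrete: the link type is a single field in the 24-byte global header, and rewriting that field does not add the 14 bytes the Ethernet dissector expects in front of each packet. Assumptions: the input is classic pcap rather than pcapng, the placeholder MAC addresses are mine, and the sample capture is constructed inline.

```python
import struct
import sys

# pcap global-header magic values (microsecond and nanosecond timestamp variants)
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D
# link-layer types from the question: Ethernet (1) and Raw IP (101)
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IP = 101
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
# constructed placeholder MACs for the dummy Ethernet header (assumption, not from the page)
DUMMY_DST_MAC = bytes.fromhex("000000000001")
DUMMY_SRC_MAC = bytes.fromhex("000000000002")


def parse_pcap(data):
    """Parse a classic pcap file (not pcapng).

    Returns (endian, magic, snaplen, linktype, records); each record is
    (ts_sec, ts_frac, packet_bytes). Raises ValueError for bad input."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    # fields after the magic: version_major, version_minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_frac, pkt))
    return endian, magic, snaplen, linktype, records


def build_pcap(linktype, records, endian="<", magic=PCAP_MAGIC_US, snaplen=262144):
    """Serialise records back into a classic pcap file with the given link type."""
    out = bytearray(struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_frac, pkt in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def linktype_of(data):
    """The pre-merge check the answer recommends: which encapsulation does the header claim?"""
    return parse_pcap(data)[3]


def rawip_to_ethernet(data):
    """Prepend a dummy Ethernet header to every Raw IP packet and relabel the file as
    Ethernet. Timestamps, byte order and timestamp resolution are copied unchanged."""
    endian, magic, snaplen, linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_RAW_IP:
        raise ValueError("expected Raw IP (linktype 101), file says %d" % linktype)
    converted = []
    for ts_sec, ts_frac, pkt in records:
        version = pkt[0] >> 4 if pkt else 0  # the IP version nibble selects the EtherType
        if version == 4:
            ethertype = ETHERTYPE_IPV4
        elif version == 6:
            ethertype = ETHERTYPE_IPV6
        else:
            raise ValueError("packet is neither IPv4 nor IPv6 (version nibble %d)" % version)
        eth_hdr = DUMMY_DST_MAC + DUMMY_SRC_MAC + struct.pack("!H", ethertype)
        converted.append((ts_sec, ts_frac, eth_hdr + pkt))
    return build_pcap(LINKTYPE_ETHERNET, converted, endian, magic, snaplen + 14)


def sample_rawip_pcap():
    """Constructed input: a Raw IP capture with one IPv4 and one IPv6 packet
    (headers plus a zero payload), so the converter can be exercised offline."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x00" * 8
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02")
    return build_pcap(LINKTYPE_RAW_IP, [(1700000000, 123456, ipv4), (1700000001, 0, ipv6)])


if __name__ == "__main__":
    # usage: python rawip2eth.py in_rawip.pcap out_eth.pcap
    with open(sys.argv[1], "rb") as f:
        src = f.read()
    print("input linktype:", linktype_of(src))
    with open(sys.argv[2], "wb") as f:
        f.write(rawip_to_ethernet(src))
```

Because each record's timestamp is copied as-is, the timestamp juggling the answer mentions for the text2pcap route does not arise. After conversion the output carries linktype 1, the same as cap1_wlan0.pcap, so the two files can be handed to mergecap without `-T`; `linktype_of` is the check to run on any file before merging (Raw IP reports 101, Ethernet reports 1).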
For merging pcap files, try the alternative utility tcpmerge.
Sample merge command:
./tcpmerge asd.pcap cap1_wlan0.pcap cap1_stego0.pcap OUTFILEMERGED.pcap