How to open a pcap-ng file in C#
Up to now I have been using WinPcap to open pcap files in C#:
[DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
private extern static IntPtr pcap_open_offline(string fname, byte[] errbuf);
Now I want to do something similar to open pcap-ng files so I get nanosecond resolution (I got a new sniffer :-))
Unfortunately WinPcap fails with this error: "bad dump file format"
Does anyone know how to work with pcap-ng in Windows?
Cheers,
Pedro
Comments (3)
Libpcap 1.1.x and later support reading some pcap-ng files (ones where all the interfaces have the same link-layer header type and snapshot length); however, there is no WinPcap release that's based on libpcap 1.1.x or 1.2.x, so there is no WinPcap release that can read pcap-ng files. Thus, no CLR-language wrapper around WinPcap will be able to read pcap-ng files until such a WinPcap release comes out.
In addition, the libpcap/WinPcap API currently doesn't return time stamps with nanosecond resolution, so even if you did read a file with nanosecond-resolution time stamps with libpcap, you wouldn't see nanosecond-resolution time stamps.
For now, you'd have to write your own code, or write a wrapper around Wireshark's Wiretap library. (Note that Wiretap's API is subject to significant and incompatible changes from one Wireshark major release to another.)
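As an added illustration of the "write your own code" route (not code from any poster in this thread, nor from WinPcap or Wireshark), here is a minimal C# reader that walks pcap-ng blocks and converts each Enhanced Packet Block timestamp to nanoseconds using the interface's if_tsresol option. The class name `PcapNgReader`, the 16 MiB block-size cap, little-endian-only handling and a .NET version that provides `System.Buffers.Binary` are assumptions of this example.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.IO;

static class PcapNgReader {   // hypothetical name; handles little-endian sections only
    static uint U32(byte[] b, int o) => BinaryPrimitives.ReadUInt32LittleEndian(b.AsSpan(o, 4));
    static ushort U16(byte[] b, int o) => BinaryPrimitives.ReadUInt16LittleEndian(b.AsSpan(o, 2));
    // Decode if_tsresol into timestamp units per second (capped so the sub-second maths cannot overflow).
    static ulong UnitsPerSecond(byte v) {
        int e = v & 0x7F;
        if ((v & 0x80) != 0 ? e > 30 : e > 9) throw new InvalidDataException("unsupported if_tsresol");
        if ((v & 0x80) != 0) return 1UL << e;            // MSB set: units of 2^-e seconds
        ulong u = 1; while (e-- > 0) u *= 10; return u;   // MSB clear: units of 10^-e seconds
    }
    // Yields interface ID, nanoseconds since the Unix epoch and captured bytes per Enhanced Packet Block.
    public static IEnumerable<(uint Iface, ulong Nanos, byte[] Data)> ReadPackets(Stream s) {
        var r = new BinaryReader(s);
        var units = new List<ulong>();                    // units per second, indexed by interface ID
        for (byte[] h; (h = r.ReadBytes(8)).Length == 8; ) {
            uint type = U32(h, 0), total = U32(h, 4);
            // Capture files are untrusted input: bound the declared length before allocating.
            if (total < 12 || total % 4 != 0 || total > 16 * 1024 * 1024)
                throw new InvalidDataException("bad block length (or big-endian section)");
            byte[] b = r.ReadBytes((int)total - 8);       // block body plus the trailing length copy
            int end = b.Length - 4;
            if (b.Length != total - 8 || U32(b, end) != total) throw new InvalidDataException("truncated block");
            if (type == 0x0A0D0D0A) {                     // Section Header Block
                if (end < 16 || U32(b, 0) != 0x1A2B3C4D) throw new InvalidDataException("bad section header");
                units.Clear();                            // interface IDs restart in each section
            } else if (type == 1) {                       // Interface Description Block
                if (end < 8) throw new InvalidDataException("short interface block");
                ulong u = 1_000_000;                      // default when if_tsresol is absent: microseconds
                for (int o = 8; o + 4 <= end; ) {
                    int code = U16(b, o), len = U16(b, o + 2);
                    if (code == 0 || o + 4 + len > end) break;   // opt_endofopt or overrunning option
                    if (code == 9 && len == 1) u = UnitsPerSecond(b[o + 4]);   // if_tsresol
                    o += 4 + ((len + 3) & ~3);            // option values are padded to 32 bits
                }
                units.Add(u);
            } else if (type == 6) {                       // Enhanced Packet Block
                if (end < 20 || U32(b, 0) >= units.Count || U32(b, 12) > end - 20)
                    throw new InvalidDataException("bad packet block");
                ulong ts = ((ulong)U32(b, 4) << 32) | U32(b, 8), ups = units[(int)U32(b, 0)];
                yield return (U32(b, 0), ts / ups * 1_000_000_000 + ts % ups * 1_000_000_000 / ups,
                              new ArraySegment<byte>(b, 20, (int)U32(b, 12)).ToArray());
            }
        }
    }
}
```

Call it as `foreach (var p in PcapNgReader.ReadPackets(File.OpenRead(path)))`; all other block types are skipped using their declared length.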
I've ported WinPcap to libpcap 1.7.3 and now it can open pcap-ng files and supports nanosecond timestamp resolution.
Did you try using SharpPcap? Not sure if it supports it (can't try it right now), but it does support opening capture files as well, iirc:
http://sourceforge.net/apps/mediawiki/sharppcap/index.php?title=Main_Page