魔术数为“ 0x4d3cb2a1”的PCAP文件与PCAP文件有什么区别?和“ 0xd4c3b2a1”? [英] What's the difference between a PCAP file with a magic number of "0x4d3cb2a1" and "0xd4c3b2a1"?
问题描述
我有两个PCAP文件: A
和 B
。
A
在 d4 c3 b2 a1
, B
在 4d 3c b2 a1
的标头中有一个幻数。根据wireshark文档( http://wiki.wireshark.org/Development/LibpcapFileFormat ),只有 0xd4c3b2a1
和 0xa1b2c3d4
是有效的幻数,这使我认为B不是有效的幻数。 / p>
在Linux上运行文件
对此进行了备份,并输出了文件A
正在:
tcpdump捕获文件(小端)-2.4版(以太网,捕获长度为65535)
文件B
给出:
数据
它看起来无论写什么 B
都是用交换(小尾数)格式写的,但是写的第一个twp字节带有半字节。考虑到我希望big-endian系统以相反的方式而不是单个字节来写整个int32,给出的幻数为 1a 2b 3c 4d
。 / p>
B
是有效文件吗?如果是这样,为什么?
是否可以用任意顺序将32位整数和单个半字节写入一个字节中?魔术数字为 0x4d3cb2a1和 0xd4c3b2a1的PCAP文件有什么区别?
幻数0xa1b23c4d或0x4d3cb2a1是一个pcap文件,其中数据包时间戳以秒和 nanoseconds 为单位。
幻数0xa1b2c3d4或0xd4c3b2a1是一个常规 pcap文件,其中数据包时间戳以秒和微秒为单位。
在哪里获取文件B? libpcap唯一以纳秒分辨率格式写入文件的标准版本是libpcap Git树主干上的版本,只有在使用libpcap的程序正在读取另一种纳秒分辨率格式或显式请求时,才会发生这种情况。网络适配器提供的纳秒级时间戳(当前仅在Linux上受支持,并且可能需要足够新的内核)。那也是唯一可以读取它们的版本。虽然最新版本的Wireshark可以读取它们,但Wireshark默认不会生产它们。
I've got two PCAP files, A
and B
.
A
has a 'magic number' in the header of d4 c3 b2 a1
, B
has a 'magic number' in the header of 4d 3c b2 a1
. According to the wireshark documentation (http://wiki.wireshark.org/Development/LibpcapFileFormat), only 0xd4c3b2a1
and 0xa1b2c3d4
are valid magic numbers, which leads me to think that B is not a valid magic number.
Running file
on linux backs this up, with the output of file A
being:
tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
file B
simply gives:
data
It looks like that whatever wrote B
wrote it in a 'swapped' (little-endian) format, but wrote the forst twp bytes with the nibbles the wrong way round. Given that I'd expect a big-endian system to write the whole int32 the other way around and not the individual bytes, giving a magic number of 1a 2b 3c 4d
.
Is B
a valid file? If so, why? Can different systems write both 32-bit ints and the individual nibbles in a byte in an arbitrary order?
What's the difference between a PCAP file with a magic number of "0x4d3cb2a1" and "0xd4c3b2a1"?
A pcap file with a magic number of 0xa1b23c4d or 0x4d3cb2a1 is a pcap file in which the packet time stamps are in seconds and nanoseconds.
A pcap file with a magic number of 0xa1b2c3d4 or 0xd4c3b2a1 is a "regular" pcap file in which the packet time stamps are in seconds and microseconds.
Where did you get file B? The only standard version of libpcap that writes files in "nanosecond-resolution" format is the version on the trunk of the libpcap Git tree, and that would only happen if the program using libpcap were reading another "nanosecond-resolution" format or explicitly requesting nanosecond-resolution time stamps from the network adapter (currently supported only on Linux, and probably requires a sufficiently recent kernel). That's also the only version that can read them. Wireshark won't produce them by default, although recent versions of Wireshark can read them.
这篇关于魔术数为“ 0x4d3cb2a1”的PCAP文件与PCAP文件有什么区别?和“ 0xd4c3b2a1”?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!