创建PCAP文件 [英] Creating a pcap file
问题描述
我要UDP数据包保存到一个文件,并想用PCAP格式重用现有的各种工具(Wireshark的,tcpdump的,...)。
有在
I need to save UDP packets to a file and would like to use the pcap format to reuse the various tools available (wireshark, tcpdump, ...). There are some information in this thread but I can't find how to write the global file header 'struct pcap_file_header'.
pcap_t* pd = pcap_open_dead(DLT_RAW, 65535);
pcap_dumper_t* pdumper = pcap_dump_open(pd, filename);
struct pcap_file_header file_hdr;
file_hdr.magic_number = 0xa1b2c3d4;
file_hdr.version_major = 2;
file_hdr.version_minor = 4;
file_hdr.thiszone = 0;
file_hdr.sigfigs = 0;
file_hdr.snaplen = 65535;
file_hdr.linktype = 1;
// How do I write file_hdr to m_pdumper?
while( (len = recvmsg(sd, &msg_hdr, 0)) > 0 )
pcap_dump((u_char*)m_pdumper, &m_pcap_pkthdr, (const u_char*)&data);
我应该怎么写全局文件头?
如果没有具体的PCAP功能可用,我怎么能检索文件描述符插入用头写()?
How should I write the global file header? If there is no specific pcap function available, how can I retrieve the file descriptor to insert the header using write()?
推荐答案
您应该不需要编写头, pcap_open_dead 应该为你做。你只需要填写并编写自己的头,如果你想要写的文件,而不是直接使用 pcap_dump 和朋友。这里有一个例子这里一个简单的程序写出来与功能的PCAP文件。
You shouldn't need to write that header, pcap_open_dead should do it for you. You only need to fill out and write that header yourself if you want to write the file directly instead of using pcap_dump and friends. There's an example here of a trivial program write out a pcap file with those functions.
原来的答案,关于直接写入文件:
original answer, concerning writing the file directly:
我不记得究竟是如何工作的,但我写了一个补丁再导向前一阵子,将写出PCAP文件,你可以用它例如,
I can't remember exactly how this works, but I wrote a patch to redir a while ago that would write out pcap files, you may be able to use it as an example.
您可以找到它连接到这个Debian错误。 (错误链接固定)。
You can find it attached to this debian bug. (bug link fixed.)
有的则是伪造的以太网和IP报头,并且你正在使用 pcap_dump_open 可能不适用和 pcap_dump ,其中作为上述联补丁写出了 PCAP 文件,而无需使用任何库,但我会在这里反正情况下,它可以帮助离开这个。
Some of it is for faking the ethernet and IP headers, and may not be applicable as you're using pcap_dump_open and pcap_dump where as the patch linked above writes out the pcap file without using any libraries, but I'll leave this here anyway in case it helps.
这篇关于创建PCAP文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
