Inbound/outbound not supported on linktype 1 when reading savefiles


Question

To get incoming packets from a pcap file, I set an "inbound" filter in pcap_compile(); here is the partial code.

  #include <stdio.h>
  #include <stdlib.h>
  #include <pcap/pcap.h>

  int main(void)
  {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *pcap = pcap_open_offline("test.pcap", errbuf);
    if (pcap == NULL)
    {
      fprintf(stderr, "error reading pcap file: %s\n", errbuf);
      exit(1);
    }

    /* "inbound" needs direction metadata; a linktype 1 (Ethernet) savefile has none, so this compile fails */
    char filter_exp[] = "inbound";
    struct bpf_program pgm;
    if (pcap_compile(pcap, &pgm, filter_exp, 0, PCAP_NETMASK_UNKNOWN) == -1) {
      printf("Bad filter - %s\n", pcap_geterr(pcap));
      return 1;
    }

    if (pcap_setfilter(pcap, &pgm) == -1) {
      printf("Error setting filter - %s\n", pcap_geterr(pcap));
      return 1;
    }

    pcap_freecode(&pgm);
    pcap_close(pcap);
    return 0;
  }

But here is the error message:

Bad filter - inbound/outbound not supported on linktype 1 when reading savefiles


I just googled and found the possible solutions.

How to filter inbound packets in libpcap (C):

The "inbound" filter is not available for the Ethernet link type (a cooked capture would have it, e.g.). Is it sufficient for your needs to filter on destination MAC or IP address?

How to determine packet direction with libpcap:


The source or target IP address is sufficient. If the source is local, it's outbound. If the target is local, it's inbound. If neither, it's a promiscuous sniff.


Looks like the only way is to determine if the packet's target IP address is local or not. But how to know the local IP address from a pcap file?

Answer


Barmar is right in that you can't know for sure if an IP address is local from your pcap file only. However, if you know the pcap wasn't captured on a promiscuous interface, you may try to guess the address of the interface.


You can either guess the IP or the Ethernet address. The Ethernet address is probably best since you may not have only IP packets in your pcap file. It may however be less clear which Ethernet address is your interface's because the gateway's address will also be in a large number of packets.

Guessing the interface's Ethernet address

$ tshark -r tmp.pcap -T fields -e eth.src -e eth.dst | grep -Po "(\w{2}:){5}\w{2}" | sort | uniq -c
     11 01:00:5e:00:00:01
     41 01:00:5e:00:00:fb
     11 01:00:5e:00:00:fc
     27 01:00:5e:7f:ff:fa
     34 00:00:00:00:00:01
     31 00:00:00:00:00:fb
  11815 00:00:d9:97:5b:37
    905 00:00:eb:12:48:d6
  11115 00:00:b0:7b:ce:08
     80 ff:ff:ff:ff:ff:ff


Each Ethernet address is displayed with the number of packets it's contained in (as source or destination). The Ethernet address with the largest number of packets is likely your interface's. The second largest one is likely the gateway's.


Packets with the interface's address as destination are inbound packets, and vice versa.

Guessing the interface's IP address

$ tshark -r tmp.pcap -T fields -e ip.src -e ip.dst ip | grep -Po "(\d+\.){3}\d+" | sort | uniq -c


Same principle here, you should see one IP address with a large number of packets. That's likely your interface's.
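As an added example (not part of the question or the answer), the same frequency heuristic applied in Python to a linktype 1 savefile: count every unicast MAC as it appears in source or destination, take the most frequent one as the interface, then label each frame by whether that address is its destination (inbound) or source (outbound). The pcap bytes and the MAC addresses are constructed for the example, and the helper names (build_pcap, iter_frames, guess_interface_mac, classify) are mine, not libpcap or tshark API.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1  # linktype 1 from the error: plain Ethernet, no direction metadata
BROADCAST = "ff:ff:ff:ff:ff:ff"

def build_pcap(frames):  # constructed test data: minimal little-endian pcap, linktype 1
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_frames(data):  # yield raw Ethernet frames from pcap bytes, either byte order
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("expected linktype 1 (Ethernet)")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def guess_interface_mac(frames):
    """Most frequent unicast MAC over src+dst, like the tshark | sort | uniq -c pipeline."""
    counts = Counter()
    for f in frames:
        for a in (mac(f[0:6]), mac(f[6:12])):
            if a != BROADCAST and not int(a[:2], 16) & 1:  # skip broadcast/multicast
                counts[a] += 1
    return counts.most_common(1)[0][0]

def classify(pcap_bytes):
    """Return (guessed interface MAC, per-frame direction) for a linktype-1 pcap."""
    frames = list(iter_frames(pcap_bytes))
    iface = guess_interface_mac(frames)
    def direction(f):
        dst, src = mac(f[0:6]), mac(f[6:12])
        return "inbound" if dst == iface else "outbound" if src == iface else "unknown"
    return iface, [direction(f) for f in frames]

def eth(dst, src, payload=b"\x00" * 46):  # constructed frame: dst, src, IPv4 ethertype
    hexmac = lambda a: bytes.fromhex(a.replace(":", ""))
    return hexmac(dst) + hexmac(src) + b"\x08\x00" + payload
# constructed sample: locally administered test MACs, not taken from the question
IFACE, GW, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE_PCAP = build_pcap([eth(IFACE, GW), eth(GW, IFACE), eth(IFACE, GW),
                          eth(BROADCAST, IFACE), eth(BROADCAST, OTHER)])
```

Frames in which the guessed interface is neither source nor destination (for example a broadcast sent by another host) are labelled "unknown" rather than forced into one direction, since the heuristic cannot decide them.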
