如何在合并为单个文件之前向众多 pcap 文件中的所有数据包添加注释 [英] How to add a comment to all packets in numerous pcap files before merging into a single file
问题描述
我正在尝试将多个 pcap 文件合并在一起进行捕获后的后期处理,但是,我需要保留有关每个数据包的源文件的信息(文件名包含有关网络分路源的信息).此信息在数据包本身的任何地方都不可用.我的想法是利用 pcapng 的便利性,它允许向数据包添加帧注释 (frame.comment),并且可以使用 editcap 以编程方式完成.我可以使用它来将文件名中的信息添加到每个数据包中,这些数据包将被传送到合并文件中.但是,editcap 似乎只允许您向特定帧添加注释 editcap -a 而不是一系列帧.手动执行此操作不是可行的选择,因为我正在处理大量大型 pcap 文件.想法?
I'm trying to merge numerous pcap files together for post-processing after capture, however, I need to retain information about the source file of each packet (the file name contains information about the network tap source). This information isn't available anywhere in the packets themselves. My idea is to use the convenience of pcapng which allows adding a frame comment (frame.comment) to a packet and which can be done programmatically using editcap. I could use this to add information from the file name to each packet that would be carried forward into the merged file. However it seems that editcap only allows you to add comments to specific frames editcap -a <framenumber>:<comment> but not a range of frames. Doing this manually isn't a viable option as I am dealing with a lot of large pcap files. Ideas?
推荐答案
这将递归地将文件名保存为每个 pcap 中每个数据包的注释.如果您只需要对一个文件执行此操作,请删除外部 for 循环.
This will save the filename as a comment to every packet in every pcap, recursively. If you only need to do this to one file, remove the outer for loop.
for f in $(find *.pcap); do
num_frames=$(capinfos -rcT "$f" | awk '{ print $NF }')
for i in $(seq 1 $num_frames); do
editcap "$f" "$f" -a "$i:$f"
done
done
find *.pcap将递归查找此目录下所有 pcap 类型的文件capinfos是一种类似于wireshark 的wireshark CLI 工具,可提供有关捕获的信息find *.pcapwill recursively find all pcap-type files in this directorycapinfosis a wireshark CLI tool like wireshark that provides info on captures
请注意,您可以动态地添加一些其他注释,例如时间戳.
Note that you could dynamically include some other comment instead, like timestamp.
这篇关于如何在合并为单个文件之前向众多 pcap 文件中的所有数据包添加注释的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
