pcap_open_dead 模拟完整的 UDP 数据包捕获 [英] pcap_open_dead to simulate full UDP packets capture

问题描述

跟进我关于创建 pcap 文件的问题，我现在想模拟保存完整的 UDP 数据包，包括以太网、IP 和 UDP 标头.

Following up on my question about pcap file creation, I now would like to simulate the saving of a full UDP packet, including the Ethernet, IP and UDP headers.

我应该使用哪种 DLT_XXX 类型?我相信 pcap_dump() 在使用 pcap_open_dead(DLT_RAW, 65535) 时 跳过 以太网标头.

Which DLT_XXX type should I use? I believe pcap_dump() skips the Ethernet header when using pcap_open_dead(DLT_RAW, 65535).

推荐答案

如果你想模拟一个完整的 UDP-over-IP-over-Ethernet 数据包，你需要 DLT_EN10MB(10MB"名字是历史的；DLT_EN10MB 真正的意思是所有类型的以太网").

If you want to simulate a full UDP-over-IP-over-Ethernet packet, you want DLT_EN10MB (the "10MB" in the name is historical; DLT_EN10MB really means "all types of Ethernet").

(DLT_RAW 适用于最低级别标头用于 IP 的数据包；它不会跳过以太网标头，这意味着您不必提供以太网标头，并且在事实上，它要求您不提供一个 - 如果您确实提供一个，它将被写入文件，这会混淆读取文件的程序，因为他们会期望数据包以 IPv4 或 IPv6 标头开头，而不是以太网标头.)

(DLT_RAW is for packets where the lowest-level headers are for IP; it doesn't skip the Ethernet header, it means that you don't have to provide an Ethernet header and, in fact, it requires that you don't provide one - if you do provide one, it'll be written to the file, which will confuse programs reading the file, as they'll expect the packets to begin with an IPv4 or IPv6 header, not an Ethernet header.)

这篇关于pcap_open_dead 模拟完整的 UDP 数据包捕获的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！