Linux cooked-mode capture 格式转换

最新推荐文章于 2025-03-19 04:36:16 发布

转载最新推荐文章于 2025-03-19 04:36:16 发布 · 1.7k 阅读

2 ·

CC 4.0 BY-SA版权

原文链接：http://www.cnblogs.com/aios/p/9545378.html

文章标签：

#操作系统

本文详细介绍了如何使用TCPdump进行网络数据包抓取，并重点讲解了-i选项与-y选项的功能区别。当使用any作为-i参数时，抓取的数据包将以Linuxcookedcapture头部形式出现，而非以太网头部。文章还提供了将Linuxcookedcapture格式转换为Ethernet格式的多种方法，包括使用tcprewrite工具的快速转换技巧。

部署运行你感兴趣的模型镜像

tcpdump抓包时，如果-i选项指定为一个网卡地址，那么抓取的数据包数据链路层是以太网头部；如果指定any，则以太网头部将被替换为linux cooked capture头部

 # tcpdump -i any -w linux_sll.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

 # tcpdump -i eth1 -w enet.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

tcpdump抓包时可以通过 -y 选项来指定data link type，不过测试发现 -i 选项指定 any 时，不支持抓获的包的data link type 为以太网 :

 # tcpdump -i any -w test.pcap -y EN10MB
tcpdump: EN10MB is not one of the DLTs supported by this device
 # tcpdump -i eth1 -w test.pcap -y EN10MB
tcpdump: data link type EN10MB
 #

这时，若需要将linux cooked capture格式的包转换为Ethernet格式，有那么几种方法：

1. 写代码读出每一个包后再改写到新文件(使用libpcap或者基于pcap头部结构体偏移)；

2. tcpdump 3.0+ 版本下，可以用tcprewrite直接改写，这应该是最快捷的方法；

DLT Plugins
As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the 
code easier to maintain, but also helps make things clearer for users regarding what is and isn't 
supported. Each plugin may support reading and/or writing packets. By default, the plugin used to 
read packets is also used for output, but you can override the output plugin using the --dlt option. 
Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type. 
This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco 
HDLC or capture on a BSD Loopback interface and replay over Ethernet.

Plugins supported in output mode:

Ethernet (enet)
Cisco HDLC (hdlc)
User defined Layer 2 (user)
Plugins supported in input mode:

Ethernet
Cisco HDLC
Linux SLL
BSD Loopback
BSD Null
Raw IP
802.11
Juniper Ethernet (version >= 4.0)
Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the 
supported output DLT type by using the --dlt=<output> option. Depending on the input DLT you may 
need to provide additional DLT plugin flags.

tcprewrite转换命令如下：

 # tcpdump -r linux_sll.pcap
reading from file linux_sll.pcap, link-type LINUX_SLL (Linux cooked)
 # tcprewrite --dlt=enet --infile=linux_sll.pcap  --outfile=enet.pcap
 # tcpdump -r enet.pcap
reading from file enet.pcap, link-type EN10MB (Ethernet)
 #

唯一有点问题的，是转换后的数据的Destination-Mac为空，对这个字段有需求的要注意下：

可以参考的网址：

https://wiki.wireshark.org/SLL

http://www.tcpdump.org/linktypes.html

http://tcpreplay.synfin.net/wiki/tcprewrite

其它：

# tips 删除vlan
# tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap

转载于:https://www.cnblogs.com/aios/p/9545378.html

您可能感兴趣的与本文相关的镜像

HunyuanVideo-Foley

语音合成

HunyuanVideo-Foley是由腾讯混元2025年8月28日宣布开源端到端视频音效生成模型，用户只需输入视频和文字，就能为视频匹配电影级音效