Reprinted
First, the tcpdump (pcap) file format.
When tcpdump, or any libpcap/WinPcap program on Windows or Linux, writes captured packets to a file, the file has the following layout:
File header | packet header | link-layer data | packet header | link-layer data | ......
1. File header: every file starts with a 24-byte file header. Its first four bytes are the magic number, which appears in the file as either "A1 B2 C3 D4" or "D4 C3 B2 A1". The order in which those four bytes appear tells you the byte order the writer used for every other multi-byte field in the file header and in each packet header, so a parser must read the magic first and decode everything else accordingly. (A second magic, 0xA1B23C4D, marks files whose timestamps carry nanoseconds instead of microseconds.)
2. Packet header | link-layer data: after the file header, the rest of the file is a sequence of records, each consisting of a 16-byte packet header immediately followed by that packet's link-layer data.
3. The packet header is 16 bytes long. It is not data that was transmitted on the network; it is bookkeeping written by the capture tool. Counting the first byte as byte 0, as programmers do: bytes 0-3 are the capture time in seconds since the epoch, bytes 4-7 the microseconds (or nanoseconds, with the alternate magic), bytes 8-11 the number of bytes of link-layer data actually stored in the file for this packet (the captured length), and bytes 12-15 the packet's original length on the wire. When the snapshot length truncated the capture, the captured length is smaller than the original; when tcpdump is run with -s 0 (capture the whole packet) the two are equal. A parser must step to the next record using bytes 8-11, never bytes 12-15, and must bound that value against the file size before trusting it.
The link-layer packet as transmitted on the network runs from the end of the packet header for as many bytes as the captured length says; then the next packet header begins.
4. Link-layer data
The format of the link-layer data depends on how the traffic was carried. On a LAN it is almost always Ethernet with the RFC 894 (Ethernet II) encapsulation; occasionally IEEE 802.3 framing with the RFC 1042 (LLC/SNAP) encapsulation is seen. Modem dial-up uses SLIP (RFC 1055); ADSL uses PPP (RFC 1548, later revised as RFC 1661). RFC 894, RFC 1042 and RFC 1548 frames all have the shape:
Link-layer header | IP packet | (optional trailer)
For RFC 894 the header is 14 bytes: destination MAC, source MAC, and a 2-byte EtherType, which is 0x0800 for IPv4; ------> LAN access;
For RFC 1042 the header is 22 bytes: the 14-byte 802.3 header (whose type field is a length of at most 1500) plus a 3-byte LLC header and a 5-byte SNAP header;
For RFC 1548 the header is 5 bytes with the HDLC-like framing on the wire: flag, address, control and a 2-byte protocol (0x0021 for IPv4). In a pcap file the flag byte is normally not stored, so expect FF 03 followed by the protocol. ------> access through ADSL;
Do not guess the encapsulation from the access technology: the link type is recorded in the last four bytes of the pcap file header (1 for Ethernet, 8 for SLIP, 9 for PPP) and the header length follows from it. The IP packet begins immediately after the link-layer header.
5. IP packet: IP packet format: IP header | IP payload
1) Length of the IP header: the header length is encoded in byte 0 of the IP packet. The high nibble is the version (4 for IPv4) and the low nibble is the header length in 32-bit words. The common value 0x45 therefore means IPv4 with a 5 × 4 = 20-byte header, but it is not the only legal value: with IP options the low nibble can be as large as 15 (a 60-byte header), so compute the header length from the nibble rather than assuming 20.
2) IP payload: bytes 2-3 of the IP header (counting from byte 0) hold the total length of the IP packet, header included, in network (big-endian) byte order; the payload length is that total minus the header length. Byte 9 is the protocol number of the payload: 17 for UDP, 6 for TCP. Anything after the total length, such as the padding Ethernet adds to reach its 60-byte minimum frame size, is not part of the IP packet.
Here the IP payload is UDP;
6. UDP packet format: UDP header | UDP payload
1) UDP header: fixed 8 bytes: source port (bytes 0-1), destination port (2-3), length (4-5, counting the 8-byte header itself) and checksum (6-7), all big-endian;
2) UDP payload: this is the application data actually carried across the network; encryption, decryption and so on all operate on this part. To reach it you peel off the enclosing layers in order: pcap packet header, link-layer header, IP header, UDP header. When you write a modified payload back into a new file, every length that depends on it must be updated: the captured and original lengths in the pcap packet header, the total length in the IP header, and the length in the UDP header. Changing the IP header also invalidates its header checksum (bytes 10-11), which must be recomputed, and the UDP checksum must be recomputed over the pseudo-header, UDP header and new payload (or set to zero, which IPv4 permits; a computed value of zero is written as 0xFFFF). Mind the byte order when writing: the pcap file header and packet headers are in the writer's host order, as announced by the magic number, while every IP and UDP field is big-endian;
The .cap files saved by pcap_dump() use this same tcpdump format:
First come the 4 magic bytes: D4 C3 B2 A1 as seen in the file on an x86 machine, that is, the integer 0xA1B2C3D4 stored in host (little-endian) byte order, low byte first.
The next 4 bytes are the version number, held as two 16-bit fields: the major version (bytes 4-5) followed by the minor version (bytes 6-7). On my machine, which has WinPcap 4.1beta4 installed, they are 02 00 04 00, that is, format version 2.4 in little-endian order. Wireshark reads the first two bytes as the major version: when I changed the four bytes to 01 00 04 00 and reopened the file, it refused it with an error saying that major version 1 is unsupported.
Next come 8 bytes of zeros: the time-zone offset (thiszone, bytes 8-11) and the timestamp accuracy (sigfigs, bytes 12-15), both of which every known writer sets to 0.
Next, 4 bytes (16-19) record the snapshot length used for the capture, that is, the snaplen argument, the second parameter of pcap_open(). With snaplen = 65535 these bytes are FF FF 00 00.
Then 4 bytes (20-23) record the link type: 1 is Ethernet, 6 is IEEE 802.5 Token Ring, 107 is Frame Relay (the full list is kept at https://www.tcpdump.org/linktypes.html). In an Ethernet environment these bytes are 01 00 00 00.
The fields above make up the 24-byte file header; the packets follow. Each packet is preceded by a 16-byte record header. The first 8 bytes are the timestamp (4 bytes of seconds since the epoch, then 4 bytes of microseconds). The next 4 bytes are the captured length: if a packet is actually 60 bytes long but snaplen was 50 when pcap_open() was called, 50 is stored here and only 50 bytes of the packet follow; with snaplen = 65535 the full 60 is stored. The last 4 bytes are the packet's original length on the wire, 60 in both cases. Then comes the packet itself, starting with the link-layer data, and then the next record header, until the file ends. In effect pcap_dump() writes out the two arguments the capture callback receives, struct pcap_pkthdr *header and const u_char *pkt_data, one after the other; note that the on-disk header always uses 32-bit timestamp fields, even on platforms where the in-memory struct timeval is wider.
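The whole procedure described on this page, put together as one added Python example: decode the file header from its magic (either byte order), walk the records by captured length, peel Ethernet II -> IPv4 -> UDP to reach the payload, rewrite the payload and fix every dependent length and both checksums, then write the result back in the same file and record header layout that pcap_dump() produces. This is illustrative code written for this page, not code from the original post, tcpdump or WinPcap. The sample frame, its MAC and IP addresses and the payloads are constructed; only link type 1 (Ethernet II) frames carrying IPv4/UDP are handled, and the writer always emits the microsecond magic.

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}        # microsecond and nanosecond timestamp variants
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_UDP = 1, 0x0800, 17

def read_pcap(data):
    """Return (endian, linktype, snaplen, records); a record is (ts_sec, ts_frac, orig_len, bytes)."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap header")
    # The magic's byte order fixes the byte order of every other file- and record-header field.
    if struct.unpack_from("<I", data)[0] in MAGICS:
        e = "<"
    elif struct.unpack_from(">I", data)[0] in MAGICS:
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(e + "IHHiIII", data)
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        # incl_len (bytes 8-11), not orig_len, says how many bytes follow; bound it before slicing.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        records.append((ts_sec, ts_frac, orig_len, data[off:off + incl_len]))
        off += incl_len
    return e, linktype, snaplen, records

def write_pcap(e, linktype, snaplen, records):
    """24-byte file header (microsecond magic, version 2.4), then 16-byte record headers + data."""
    out = [struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_frac, orig_len, buf in records:
        out.append(struct.pack(e + "IIII", ts_sec, ts_frac, len(buf), orig_len) + buf)
    return b"".join(out)

def inet_checksum(buf):
    """RFC 1071 one's-complement checksum, shared by the IP header and UDP."""
    buf = bytes(buf) + b"\0" * (len(buf) % 2)
    s = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def locate_udp(frame):
    """(ip_off, ihl, udp_off) for an Ethernet II / IPv4 / UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                                 # RFC 1042, VLAN-tagged and non-IP frames not handled
    ihl = (frame[14] & 0x0F) * 4                    # header length from the low nibble; 20 is common, not fixed
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != IPPROTO_UDP or len(frame) < 14 + ihl + 8:
        return None
    return 14, ihl, 14 + ihl

def udp_payload(frame):
    loc = locate_udp(frame)
    if loc is None:
        return None
    udp_len = struct.unpack_from("!H", frame, loc[2] + 4)[0]       # counts the 8-byte UDP header
    return frame[loc[2] + 8:loc[2] + udp_len] if udp_len >= 8 else None

def rewrite_udp_payload(frame, payload):
    """Swap in a new payload, then fix IP total length, IP checksum, UDP length and UDP checksum."""
    loc = locate_udp(frame)
    if loc is None:
        raise ValueError("not an Ethernet II / IPv4 / UDP frame")
    ip_off, ihl, udp_off = loc
    ip_hdr, udp_hdr = bytearray(frame[ip_off:udp_off]), bytearray(frame[udp_off:udp_off + 8])
    struct.pack_into("!H", ip_hdr, 2, ihl + 8 + len(payload))      # IP total length, network byte order
    struct.pack_into("!H", ip_hdr, 10, 0)                          # zero, then recompute header checksum
    struct.pack_into("!H", ip_hdr, 10, inet_checksum(ip_hdr))
    struct.pack_into("!HH", udp_hdr, 4, 8 + len(payload), 0)       # UDP length includes its header
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, IPPROTO_UDP, 8 + len(payload))
    csum = inet_checksum(pseudo + bytes(udp_hdr) + payload) or 0xFFFF   # 0 would mean "no checksum"
    struct.pack_into("!H", udp_hdr, 6, csum)
    return frame[:ip_off] + bytes(ip_hdr) + bytes(udp_hdr) + payload   # any Ethernet padding is dropped

def build_frame(payload):
    """Constructed sample Ethernet II / IPv4 / UDP frame: made-up MACs, 10.0.0.1:40000 -> 10.0.0.2:53."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0x4000, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return rewrite_udp_payload(eth + ip + udp + payload, payload)  # fills in both checksums

def demo():
    """Write a one-packet pcap, read it back, rewrite the UDP payload, re-read the new file."""
    frame = build_frame(b"hello")
    pcap = write_pcap("<", LINKTYPE_ETHERNET, 65535, [(1700000000, 0, len(frame), frame)])
    e, linktype, snaplen, records = read_pcap(pcap)
    ts_sec, ts_frac, _, captured = records[0]
    new_frame = rewrite_udp_payload(captured, b"goodbye, world")
    new = read_pcap(write_pcap(e, linktype, snaplen, [(ts_sec, ts_frac, len(new_frame), new_frame)]))[3][0][3]
    return udp_payload(captured), udp_payload(new), new
```

Calling demo() returns the original payload, the rewritten payload as read back from the new file, and the rewritten frame itself; opening the bytes produced by write_pcap() in Wireshark shows the new payload with both checksums marked good. Note that the pcap headers are packed with the endianness taken from the magic, while every IP and UDP field is packed with "!" (network order), which is exactly the byte-order distinction the text above warns about.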