
📄 pcap.txt

📁 libpcap is a commonly used Linux packet capture program and an open source project.
   TODO Probably we have to specify something more here. Is what we're
   saying enough to avoid any kind of ambiguity?

Degioanni & Risso       Expires August 30, 2004                 [Page 7]

Internet-Draft    PCAP New Generation Dump File Format        March 2004

3. Block Definition

   This section details the format of the body of the blocks currently
   defined.

3.1 Section Header Block (mandatory)

   The Section Header Block is mandatory. It identifies the beginning of
   a section of the capture dump file. Its format is shown in Figure 3.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Magic                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |              Major            |             Minor             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 3: Section Header Block format.

   The meaning of the fields is:

   o  Magic: magic number, whose value is the hexadecimal number
      0x1A2B3C4D. This number can be used to distinguish sections that
      have been saved on little-endian machines from the ones saved on
      big-endian machines.

   o  Major: number of the current major version of the format. Current
      value is 1.

   o  Minor: number of the current minor version of the format. Current
      value is 0.

   o  Options: optionally, a list of options (formatted according to the
      rules defined in Section 4) can be present.

   Aside from the options defined in Section 4, the following options
   are valid within this block:

   +----------------+------+----------+------------------------------------+
   | Name           | Code | Length   | Description                        |
   +----------------+------+----------+------------------------------------+
   | Hardware       | 2    | variable | An ascii string containing the     |
   |                |      |          | description of the hardware used   |
   |                |      |          | to create this section.            |
   |                |      |          |                                    |
   | Operating      | 3    | variable | An ascii string containing the     |
   | System         |      |          | name of the operating system used  |
   |                |      |          | to create this section.            |
   |                |      |          |                                    |
   | User           | 3    | variable | An ascii string containing the     |
   | Application    |      |          | name of the application used to    |
   |                |      |          | create this section.               |
   +----------------+------+----------+------------------------------------+

                                Table 1

   The Section Header Block does not contain data but rather identifies
   a list of blocks (interfaces, packets) that are logically correlated.
   This block does not contain any reference to the size of the section
   it is currently delimiting, therefore the reader cannot skip a whole
   section at once. In case a section must be skipped, the user has to
   repeatedly skip all the blocks contained within it; this makes the
   parsing of the file slower but it permits appending several capture
   dumps to the same file.

3.2 Interface Description Block (mandatory)

   The Interface Description Block is mandatory. This block is needed to
   specify the characteristics of the network interface on which the
   capture has been made. In order to properly associate the captured
   data to the corresponding interface, the Interface Description Block
   must be defined before any other block that uses it; therefore, this
   block is usually placed immediately after the Section Header Block.
   An Interface Description Block is valid only inside the section which
   it belongs to. The structure of an Interface Description Block is
   shown in Figure 4.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Interface ID         |           LinkType            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            SnapLen                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 4: Interface Description Block format.

   The meaning of the fields is:

   o  Interface ID: a progressive number that uniquely identifies any
      interface inside the current section. Two Interface Description
      Blocks can have the same Interface ID only if they are in
      different sections of the file. The Interface ID is referenced by
      the packet blocks.

   o  LinkType: a value that defines the link layer type of this
      interface.

   o  SnapLen: maximum number of bytes dumped from each packet. The
      portion of each packet that exceeds this value will not be stored
      in the file.

   o  Options: optionally, a list of options (formatted according to the
      rules defined in Section 4) can be present.

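Added example (not part of the draft and not libpcap code): a Python reader for the fixed fields of the Section Header Block and Interface Description Block bodies described above. It uses the Magic value to select the byte order and enforces the Interface ID uniqueness rule; the function names, the FormatError class, the rejection of major versions other than 1 and the sample bytes are assumptions made for illustration, and the options area is returned unparsed because its format is defined in Section 4.

```python
import struct

SHB_MAGIC = 0x1A2B3C4D  # magic value given in the draft


class FormatError(ValueError):
    """Raised when a block body does not match the layout in the draft."""


def parse_shb_body(body: bytes):
    """Return (byte_order, major, minor, raw_options) for an SHB body."""
    if len(body) < 8:
        raise FormatError("SHB body shorter than Magic + Major + Minor")
    # Try both byte orders; only the writer's order yields the magic value.
    for order in (">", "<"):
        magic, major, minor = struct.unpack_from(order + "IHH", body, 0)
        if magic == SHB_MAGIC:
            break
    else:
        raise FormatError("bad magic: not a Section Header Block")
    if major != 1:  # assumption: a reader refuses major versions it does not know
        raise FormatError(f"unsupported major version {major}")
    return order, major, minor, body[8:]


def parse_idb_body(body: bytes, order: str, seen_ids: set):
    """Return the fixed fields of an IDB body read with the section's byte order.

    seen_ids holds the Interface IDs already defined in the current section;
    it must be reset whenever a new Section Header Block is read.
    """
    if len(body) < 8:
        raise FormatError("IDB body shorter than Interface ID + LinkType + SnapLen")
    if_id, linktype, snaplen = struct.unpack_from(order + "HHI", body, 0)
    if if_id in seen_ids:
        raise FormatError(f"duplicate Interface ID {if_id} in this section")
    seen_ids.add(if_id)
    return {"id": if_id, "linktype": linktype, "snaplen": snaplen,
            "options": body[8:]}


# Constructed sample bodies (not taken from a real capture file).
SAMPLE_SHB_LE = struct.pack("<IHH", SHB_MAGIC, 1, 0)
SAMPLE_IDB_LE = struct.pack("<HHI", 0, 1, 65535)  # LinkType 1 is a sample value
```
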
   In addition to the options defined in Section 4, the following
   options are valid within this block:

   +----------------+------+----------+------------------------------------+
   | Name           | Code | Length   | Description                        |
   +----------------+------+----------+------------------------------------+
   | if_name        | 2    | Variable | Name of the device used to capture |
   |                |      |          | data.                              |
   |                |      |          |                                    |
   | if_IPv4addr    | 3    | 8        | Interface network address and      |
   |                |      |          | netmask.                           |
   |                |      |          |                                    |
   | if_IPv6addr    | 4    | 17       | Interface network address and      |
   |                |      |          | prefix length (stored in the last  |
   |                |      |          | byte).                             |
   |                |      |          |                                    |
   | if_MACaddr     | 5    | 6        | Interface Hardware MAC address     |
   |                |      |          | (48 bits).                         |
   |                |      |          |                                    |
   | if_EUIaddr     | 6    | 8        | Interface Hardware EUI address     |
   |                |      |          | (64 bits), if available.           |
   |                |      |          |                                    |
   | if_speed       | 7    | 8        | Interface speed (in bps).          |
   |                |      |          |                                    |
   | if_tsaccur     | 8    | 1        | Precision of timestamps. If the    |
   |                |      |          | Most Significant Bit is equal to   |
   |                |      |          | zero, the remaining bits indicate  |
   |                |      |          | the accuracy as a negative power   |
   |                |      |          | of 10 (e.g. 6 means microsecond    |
   |                |      |          | accuracy). If the Most Significant |
   |                |      |          | Bit is equal to zero, the          |
   |                |      |          | remaining bits indicate the        |
   |                |      |          | accuracy as negative power of 2    |
   |                |      |          | (e.g. 10 means 1/1024 of second).  |
   |                |      |          | If this option is not present, a   |
   |                |      |          | precision of 10^-6 is assumed.     |
   |                |      |          |                                    |
   | if_tzone       | 9    | 4        | Time zone for GMT support (TODO:   |
   |                |      |          | specify better).                   |
   |                |      |          |                                    |
   | if_flags       | 10   | 4        | Interface flags. (TODO: specify    |
   |                |      |          | better. Possible flags:            |
   |                |      |          | promiscuous, inbound/outbound,     |
   |                |      |          | traffic filtered during capture).  |
   |                |      |          |                                    |
   | if_filter      | 11   | variable | The filter (e.g. "capture only TCP |
   |                |      |          | traffic") used to capture traffic. |
   |                |      |          | The first byte of the Option Data  |
   |                |      |          | keeps a code of the filter used    |
   |                |      |          | (e.g. if this is a libpcap string, |
   |                |      |          | or BPF bytecode, and more). More   |
   |                |      |          | details about this format will be  |
   |                |      |          | presented in Appendix XXX (TODO).  |
   |                |      |          |                                    |
   | if_opersystem  | 12   | variable | An ascii string containing the     |
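Added example (not from the draft): decoding the 1-byte if_tsaccur option from the table above into the duration of one timestamp tick, using exact fractions so that no rounding enters forensic timelines. The table states the same condition (Most Significant Bit equal to zero) for both the power-of-10 and the power-of-2 case; the code assumes the power-of-2 case applies when the bit is one. The function names are illustrative.

```python
from fractions import Fraction


def timestamp_unit(option_value=None) -> Fraction:
    """Return the duration of one timestamp tick, in seconds.

    option_value is the Option Data of if_tsaccur (1 byte), or None when
    the option is absent from the Interface Description Block.
    """
    if option_value is None:
        return Fraction(1, 10**6)        # default stated in the table: 10^-6
    if len(option_value) != 1:
        raise ValueError("if_tsaccur Option Data must be exactly 1 byte")
    exponent = option_value[0] & 0x7F    # low 7 bits carry the exponent
    if option_value[0] & 0x80:           # assumption: MSB set selects base 2
        return Fraction(1, 2**exponent)
    return Fraction(1, 10**exponent)     # MSB clear: negative power of 10


def ticks_to_seconds(ticks: int, option_value=None) -> Fraction:
    """Convert a raw timestamp counter into seconds for this interface."""
    if ticks < 0:
        raise ValueError("timestamp counter cannot be negative")
    return ticks * timestamp_unit(option_value)
```
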
