pcap.txt

libpcap is a commonly used Linux packet capture program and an open source project.
   |                |                |                | name of the    |
   |                |                |                | operating      |
   |                |                |                | system of the  |
   |                |                |                | machine that   |
   |                |                |                | hosts this     |
   |                |                |                | interface.     |
   |                |                |                | This can be    |
   |                |                |                | different from |
   |                |                |                | the same       |
   |                |                |                | information    |
   |                |                |                | that can be    |
   |                |                |                | contained by   |
   |                |                |                | the Section    |
   |                |                |                | Header Block   |
   |                |                |                | (Section 3.1)  |
   |                |                |                | because the    |
   |                |                |                | capture can    |
   |                |                |                | have been done |
   |                |                |                | on a remote    |
   |                |                |                | machine.       |
   +----------------+----------------+----------------+----------------+

                                Table 2

3.3 Packet Block (optional)

   A Packet Block is the standard container for storing the packets
   coming from the network. The Packet Block is optional because packets
   can be stored either by means of this block or the Simple Packet
   Block, which can be used to speed up dump generation. The format of a
   packet block is shown in Figure 5.

Degioanni & Risso       Expires August 30, 2004                [Page 13]

Internet-Draft    PCAP New Generation Dump File Format        March 2004

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Interface ID          |          Drops Count          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Timestamp (High)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Timestamp (Low)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Captured Len                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Packet Len                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                          Packet Data                          |
      |                                                               |
      |              /* variable length, byte-aligned */              |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 5: Packet Block format.

   The Packet Block has the following fields:

   o  Interface ID: Specifies the interface this packet comes from, and
      corresponds to the ID of one of the Interface Description Blocks
      present in this section of the file (see Figure 4).

   o  Drops Count: a local drop counter. It specifies the number of
      packets lost (by the interface and the operating system) between
      this packet and the preceding one. The value xFFFF (in
      hexadecimal) is reserved for those systems in which this
      information is not available.

   o  Timestamp (High): the most significant part of the timestamp, in
      standard Unix format, i.e. counted from 1/1/1970.

   o  Timestamp (Low): the least significant part of the timestamp. The
      way to interpret this field is specified by the 'ts_accur' option
      (see Figure 4) of the Interface Description Block referenced by
      this packet. If the Interface Description Block does not contain a
      'ts_accur' option, then this field is expressed in microseconds.

   o  Captured Len: number of bytes captured from the packet (i.e. the
      length of the Packet Data field). It will be the minimum value
      among the actual Packet Length and the snapshot length (defined in
      Figure 4).

   o  Packet Len: actual length of the packet when it was transmitted on
      the network. Can be different from Captured Len if the user wants
      only a snapshot of the packet.

   o  Packet Data: the data coming from the network, including
      link-layer headers. The length of this field is Captured Len. The
      format of the link-layer headers depends on the LinkType field
      specified in the Interface Description Block (see Section 3.2) and
      it is specified in Appendix XXX (TODO).

   o  Options: optionally, a list of options (formatted according to the
      rules defined in Section 4) can be present.

3.4 Simple Packet Block (optional)

   The Simple Packet Block is a lightweight container for storing the
   packets coming from the network. Its presence is optional.

   A Simple Packet Block is similar to a Packet Block (see Section 3.3),
   but it is smaller, simpler to process and contains only a minimal set
   of information. This block is preferred to the standard Packet Block
   when performance or space occupation are critical factors, such as in
   sustained traffic dump applications. A capture file can contain both
   Packet Blocks and Simple Packet Blocks: for example, a capture tool
   could switch from Packet Blocks to Simple Packet Blocks when the
   hardware resources become critical.

   The Simple Packet Block does not contain the Interface ID field.
   Therefore, it must be assumed that all the Simple Packet Blocks have
   been captured on the interface previously specified in the Interface
   Description Block.

   Figure 6 shows the format of the Simple Packet Block.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Packet Len                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                          Packet Data                          |
      |                                                               |
      |              /* variable length, byte-aligned */              |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 6: Simple Packet Block format.

   The Simple Packet Block has the following fields:

   o  Packet Len: actual length of the packet when it was transmitted on
      the network. Can be different from captured len if the packet has
      been truncated.

   o  Packet Data: the data coming from the network, including
      link-layer headers. The length of this field can be derived from
      the field Block Total Length, present in the Block Header.

   The Simple Packet Block does not contain the timestamp because this
   is one of the most costly operations on PCs. Additionally, there are
   applications that do not require it; e.g. an Intrusion Detection
   System is interested in packets, not in their timestamp.
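   The following Python is an added example, not code from the draft or
   from libpcap, that decodes the Packet Block of Figure 5 and the Simple
   Packet Block of Figure 6 exactly as the two field lists above describe
   them. It assumes the generic block wrapper of the draft's Section 3
   (Block Type, Block Total Length, body, trailing Block Total Length),
   little-endian byte order, and hypothetical block type codes 2 and 3 for
   the two blocks; none of those values appear on this page. The point a
   reader of untrusted captures cares about is visible in the checks: every
   length field (Block Total Length, Captured Len, Packet Len) is compared
   with the bytes actually present before it is used to slice, and for the
   Simple Packet Block the data length is derived from the block size, not
   from Packet Len.

```python
import struct

# Block type codes assumed from the draft's block registry, which is not on
# this page (hypothetical values for this example).
PACKET_BLOCK = 0x00000002
SIMPLE_PACKET_BLOCK = 0x00000003
DROPS_UNKNOWN = 0xFFFF  # reserved: drop count not available on this system


def read_block(buf, offset, bo="<"):
    """Parse the generic wrapper assumed from the draft's Section 3: Block
    Type, Block Total Length, body, trailing Block Total Length. Every
    length is checked against the buffer before it is used."""
    if offset + 8 > len(buf):
        raise ValueError("truncated block header")
    btype, total_len = struct.unpack_from(bo + "II", buf, offset)
    if total_len < 12 or total_len % 4 or offset + total_len > len(buf):
        raise ValueError("invalid Block Total Length %d" % total_len)
    (trailer,) = struct.unpack_from(bo + "I", buf, offset + total_len - 4)
    if trailer != total_len:
        raise ValueError("leading and trailing Block Total Length differ")
    return btype, buf[offset + 8:offset + total_len - 4], offset + total_len


def parse_packet_block(body, bo="<"):
    """Decode the Figure 5 fields of a Packet Block body."""
    if len(body) < 20:
        raise ValueError("Packet Block body shorter than its fixed fields")
    iface, drops, ts_hi, ts_lo, cap_len, pkt_len = struct.unpack_from(bo + "HHIIII", body, 0)
    if cap_len > pkt_len:
        raise ValueError("Captured Len exceeds Packet Len")
    if cap_len > len(body) - 20:  # never trust a length field over the real size
        raise ValueError("Captured Len runs past the block body")
    return {
        "type": "packet",
        "interface_id": iface,
        "drops": None if drops == DROPS_UNKNOWN else drops,
        # Without a 'ts_accur' option: high word is seconds since 1/1/1970,
        # low word is microseconds (the draft's default).
        "timestamp": (ts_hi, ts_lo),
        "captured_len": cap_len,
        "packet_len": pkt_len,
        "data": body[20:20 + cap_len],
        # Alignment padding and/or Section 4 options follow; not decoded here.
        "trailing": body[20 + cap_len:],
    }


def parse_simple_packet_block(body, bo="<"):
    """Decode a Simple Packet Block: the data length is not stored, it is
    derived from the body size (i.e. from Block Total Length)."""
    if len(body) < 4:
        raise ValueError("Simple Packet Block body shorter than Packet Len")
    (pkt_len,) = struct.unpack_from(bo + "I", body, 0)
    captured = body[4:]
    # Body longer than Packet Len: the surplus is alignment padding.
    # Body shorter than Packet Len: the packet was truncated to a snapshot.
    data = captured[:pkt_len] if pkt_len < len(captured) else captured
    return {"type": "simple", "packet_len": pkt_len, "captured_len": len(data), "data": data}


def parse_blocks(buf, bo="<"):
    """Walk a buffer of consecutive blocks and decode the two packet kinds;
    blocks of other types are skipped by their Block Total Length."""
    out, off = [], 0
    while off < len(buf):
        btype, body, off = read_block(buf, off, bo)
        if btype == PACKET_BLOCK:
            out.append(parse_packet_block(body, bo))
        elif btype == SIMPLE_PACKET_BLOCK:
            out.append(parse_simple_packet_block(body, bo))
        else:
            out.append({"type": "unknown", "code": btype})
    return out


def is_well_formed(buf, bo="<"):
    """True when every block in buf passes the length checks above."""
    try:
        parse_blocks(buf, bo)
        return True
    except ValueError:
        return False


def _wrap(btype, body, bo="<"):
    """Test-data helper: wrap a body in the generic header/trailer, 32-bit padded."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(bo + "II", btype, total) + body + struct.pack(bo + "I", total)


# Constructed sample: a 6-byte snapshot of a 60-byte frame on interface 0,
# 2 drops, captured 2004-01-01 00:00:00.000500 UTC, then the same snapshot
# stored as a Simple Packet Block.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff")
SAMPLE = (
    _wrap(PACKET_BLOCK, struct.pack("<HHIIII", 0, 2, 1072915200, 500, 6, 60) + SAMPLE_FRAME)
    + _wrap(SIMPLE_PACKET_BLOCK, struct.pack("<I", 6) + SAMPLE_FRAME)
)
# Constructed malformed block: Captured Len claims 1000 bytes but only 3 follow.
BAD_SAMPLE = _wrap(PACKET_BLOCK, struct.pack("<HHIIII", 0, 0, 0, 0, 1000, 1000) + b"abc")

if __name__ == "__main__":
    for blk in parse_blocks(SAMPLE):
        print(blk["type"], blk["packet_len"], blk["data"].hex())
    print("malformed sample accepted:", is_well_formed(BAD_SAMPLE))
```

   The byte order is a parameter because the draft derives it from the
   Section Header Block magic, which this page does not show; a real reader
   would pass the order detected there.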
   The Simple Packet Block is very efficient in terms of disk space: a
   snapshot of length 100 bytes requires only 16 bytes of overhead,
   which corresponds to an efficiency of more than 86%.

3.5 Name Resolution Block (optional)

   The Name Resolution Block is used to support the correlation of
   numeric addresses (present in the captured packets) and their
   corresponding canonical names, and it is optional. Having the literal
   names saved in the file avoids the need to perform name resolution at
   a later time, when the association between names and addresses can
   be different from the one in use at capture time. Moreover, the Name
   Resolution Block avoids the need to issue a lot of DNS requests every
   time the trace capture is opened, and allows name resolution even
   when reading the capture on a machine not connected to the network.

   The format of the Name Resolution Block is shown in Figure 7.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Record Type              |         Record Length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Record Value                            |
      |              /* variable length, byte-aligned */              |
      |               + + + + + + + + + + + + + + + + + + + + + + + + +
      |               |               |               |               |
      +-+-+-+-+-+-+-+-+ + + + + + + + + + + + + + + + + + + + + + + + +
                . . . other records . . .
      |  Record Type == end_of_recs   |  Record Length == 00          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 7: Name Resolution Block format.

   A Name Resolution Block is a zero-terminated list of records (in the
   TLV format), each of which contains an association between a network
   address and a name. There are three possible types of records:

   +----------------+----------------+----------------+----------------+
   | Name           | Code           | Length         | Description    |
   +----------------+----------------+----------------+----------------+
   | end_of_recs    | 0              | 0              | End of records |
   |                |                |                |                |
   | ip4_rec        | 1              | Variable       | Specifies an   |
   |                |                |                | IPv4 address   |
   |                |                |                | (contained in  |
   |                |                |                | the first 4    |
   |                |                |                | bytes),        |
   |                |                |                | followed by    |
   |                |                |                | one or more    |
   |                |                |                | zero-          |
   |                |                |                | terminated     |
   |                |                |                | strings        |
   |                |                |                | containing the |
   |                |                |                | DNS entries    |
   |                |                |                | for that       |
   |                |                |                | address.       |
   |                |                |                |                |
   | ip6_rec        | 1              | Variable       | Specifies an   |
   |                |                |                | IPv6 address   |
   |                |                |                | (contained in  |
   |                |                |                | the first 16   |
   |                |                |                | bytes),        |
   |                |                |                | followed by    |
   |                |                |                | one or more    |
   |                |                |                | zero-          |
   |                |                |                | terminated     |
   |                |                |                | strings        |
   |                |                |                | containing the |
   |                |                |                | DNS entries    |
   |                |                |                | for that       |
   |                |                |                | address.       |
   +----------------+----------------+----------------+----------------+

                                Table 3

   After the list of Name Resolution Records, optionally, a list of
   options (formatted according to the rules defined in Section 4) can
   be present.

   A Name Resolution Block is normally placed at the beginning of the
   file, but no assumptions can be taken about its position. Name
   Resolution Blocks can be added at a later time by tools that process
   the file, like network analyzers.
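   The following Python is an added example, not code from the draft or
   from any pcap library, that walks the record list of Figure 7 and
   Table 3: it reads each Record Type / Record Length pair, takes the
   address from the first 4 or 16 bytes of the value, splits the
   zero-terminated names that follow, and stops at end_of_recs, returning
   the offset at which the options begin. Three things are assumptions
   rather than statements of this page: records are padded to 32-bit
   boundaries, byte order is little-endian, and ip6_rec is given code 2
   (Table 3 above prints 1 for both record types, which could not be told
   apart on the wire). As with any TLV list read from a file of unknown
   origin, every Record Length is checked against the remaining body
   before it is used, and a list that never reaches end_of_recs is
   rejected rather than read past the end.

```python
import ipaddress
import struct

# Record codes from Table 3 on this page. The page prints 1 for ip6_rec as
# well; this example assumes 2 so the two record types can be told apart.
END_OF_RECS = 0
IP4_REC = 1
IP6_REC = 2  # assumption, see above


def _split_names(raw):
    """Split 'one or more zero-terminated strings' into a list of names."""
    if not raw.endswith(b"\x00"):
        raise ValueError("name list is not zero-terminated")
    return [n.decode("ascii") for n in raw[:-1].split(b"\x00")]


def parse_nrb_records(body, bo="<", align=4):
    """Walk the TLV record list of a Name Resolution Block body (Figure 7).

    Returns ({address: [names, ...]}, offset) where offset is where the
    optional Section 4 options start. Records are assumed to be padded to
    32-bit boundaries (an assumption; the page only says 'byte-aligned').
    Every Record Length is checked against the body before it is used.
    """
    names, off = {}, 0
    while True:
        if off + 4 > len(body):
            raise ValueError("record list not terminated by end_of_recs")
        rtype, rlen = struct.unpack_from(bo + "HH", body, off)
        off += 4
        if rtype == END_OF_RECS:
            if rlen != 0:
                raise ValueError("end_of_recs must carry Record Length 0")
            return names, off
        if rlen > len(body) - off:
            raise ValueError("Record Length runs past the block body")
        value = body[off:off + rlen]
        addr_len = {IP4_REC: 4, IP6_REC: 16}.get(rtype)
        if addr_len is not None:  # unknown record types are skipped by length
            if rlen < addr_len + 1:
                raise ValueError("record too short for an address and a name")
            addr = str(ipaddress.ip_address(value[:addr_len]))
            names.setdefault(addr, []).extend(_split_names(value[addr_len:]))
        off += rlen + (-rlen % align)


def nrb_is_well_formed(body, bo="<"):
    """True when the record list parses and is properly terminated."""
    try:
        parse_nrb_records(body, bo)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def _rec(rtype, value, align=4):
    """Test-data helper: one TLV record, value padded to a 32-bit boundary."""
    return struct.pack("<HH", rtype, len(value)) + value + b"\x00" * (-len(value) % align)


# Constructed sample body: an IPv4 record with two names, an IPv6 record,
# a record of an unknown type that must be skipped, then end_of_recs.
SAMPLE_NRB_BODY = (
    _rec(IP4_REC, bytes([192, 0, 2, 10]) + b"www.example.net\x00example.net\x00")
    + _rec(IP6_REC, ipaddress.IPv6Address("2001:db8::1").packed + b"host6.example.net\x00")
    + _rec(99, b"\x01\x02\x03")
    + struct.pack("<HH", END_OF_RECS, 0)
)

if __name__ == "__main__":
    resolved, options_at = parse_nrb_records(SAMPLE_NRB_BODY)
    for address, hostnames in resolved.items():
        print(address, "->", ", ".join(hostnames))
    print("options start at offset", options_at)
    print("truncated body well-formed:", nrb_is_well_formed(SAMPLE_NRB_BODY[:-4]))
```

   The function operates on the block body only; the generic block
   header and trailer around it are handled the same way as for packet
   blocks, and the returned offset is where a Section 4 option parser
   would continue.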
   In addition to the options defined in Section 4, the following
   options are valid within this block:

   +----------------+----------------+----------------+----------------+
   | Name           | Code           | Length         | Description    |
   +----------------+----------------+----------------+----------------+
   | ns_dnsname     | 2              | Variable       | An ASCII       |
   |                |                |                | string         |
   |                |                |                | containing the |
   |                |                |                | name of the    |
   |                |                |                | machine (DNS   |
   |                |                |                | server) used   |
   |                |                |                | to perform the |
   |                |                |                | name           |
   |                |                |                | resolution.    |
   +----------------+----------------+----------------+----------------+

3.6 Interface Statistics Block (optional)

   The Interface Statistics Block contains the capture statistics for a
   given interface and it is optional. The statistics refer to the
   interface, defined in the current Section, that is identified by the
   Interface ID field.

   The format of the Interface Statistics Block is shown in Figure 8.
