
📄 pcap.txt

libcap is a commonly used Linux packet capture program and is an open source project.
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         IfRecv                                |
      |                          (high + low)                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         IfDrop                                |
      |                          (high + low)                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         FilterAccept                          |
      |                          (high + low)                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         OSDrop                                |
      |                          (high + low)                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         UsrDelivered                          |
      |                          (high + low)                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Interface ID         |           Reserved            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                      Options (variable)                       /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

              Figure 8: Interface Statistics Block format.

   The fields have the following meaning:

   o  IfRecv: number of packets received from the interface during the
      capture.
      This number is reported as a 64-bit value, in which the
      most significant bits are located in the first four bytes of the
      field.

   o  IfDrop: number of packets dropped by the interface during the
      capture due to lack of resources.

   o  FilterAccept: number of packets accepted by the filter during the
      current capture.

   o  OSDrop: number of packets dropped by the operating system during
      the capture.

   o  UsrDelivered: number of packets delivered to the user.
      UsrDelivered can be different from the value 'FilterAccept -
      OSDropped' because some packets could still lie in the OS buffers
      when the capture ended.

Degioanni & Risso       Expires August 30, 2004                [Page 19]

Internet-Draft    PCAP New Generation Dump File Format        March 2004

   o  Interface ID: reference to an Interface Description Block.

   o  Reserved: reserved for future use.

   o  Options: optionally, a list of options (formatted according to the
      rules defined in Section 4) can be present.

   In addition to the options defined in Section 4, the following
   options are valid within this block:

   +----------------+----------------+----------------+----------------+
   | Name           | Code           | Length         | Description    |
   +----------------+----------------+----------------+----------------+
   | isb_starttime  | 2              | 8              | Time in which  |
   |                |                |                | the capture    |
   |                |                |                | started; time  |
   |                |                |                | will be stored |
   |                |                |                | in two blocks  |
   |                |                |                | of four bytes  |
   |                |                |                | each,          |
   |                |                |                | containing the |
   |                |                |                | timestamp in   |
   |                |                |                | seconds and    |
   |                |                |                | nanoseconds.   |
   |                |                |                |                |
   | isb_endtime    | 3              | 8              | Time in which  |
   |                |                |                | the capture    |
   |                |                |                | started; time  |
   |                |                |                | will be stored |
   |                |                |                | in two blocks  |
   |                |                |                | of four bytes  |
   |                |                |                | each,          |
   |                |                |                | containing the |
   |                |                |                | timestamp in   |
   |                |                |                | seconds and    |
   |                |                |                | nanoseconds.   |
   +----------------+----------------+----------------+----------------+

4. Options

   Almost all blocks have the possibility to embed optional fields.
   Optional fields can be used to insert some information that may be
   useful when reading data, but that is not really needed for packet
   processing. Therefore, each tool can either read the content of
   the optional fields (if any), or skip them at once.

   Skipping all the optional fields at once is straightforward because
   most of the blocks have a fixed length, therefore the field Block
   Length (present in the General Block Structure, see Section 2.1) can
   be used to skip everything till the next block.

   Options are a list of Type - Length - Value fields, each one
   containing a single value:

   o  Option Type (2 bytes): it contains the code that specifies the
      type of the current TLV record. Option types whose Most
      Significant Bit is equal to one are reserved for local use;
      therefore, there is no guarantee that the code used is unique
      among all capture files (generated by other applications). In case
      of vendor-specific extensions that have to be identified uniquely,
      vendors must request an Option Code whose MSB is equal to zero.

   o  Option Length (2 bytes): it contains the length of the following
      'Option Value' field.

   o  Option Value (variable length): it contains the value of the given
      option. The length of this field has been specified by the Option
      Length field.

   Options may be repeated several times (e.g. an interface that has
   several IP addresses associated to it). The option list is terminated
   by a special code which is the 'End of Option'.

   The format of the optional fields is shown in Figure 9.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Option Code              |         Option Length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Option Value                            |
      |              /* variable length, byte-aligned */              |
      |               + + + + + + + + + + + + + + + + + + + + + + + + +
      |               /               /               /               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                                                               /
      /                 . . . other options . . .                     /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Option Code == opt_endofopt  |  Option Length == 0          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 9: Options format.

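   A reader that trusts Option Length can be walked past the end of the
   block by a malformed file. The following is an added example, not
   code from the draft or from libpcap, of walking the Type - Length -
   Value list with every length checked against the bytes remaining. The
   names walk_options, rd16 and OPT_* are hypothetical; little-endian
   fields and 32-bit padding of Option Value are assumptions; codes 0
   (opt_endofopt) and 1 (opt_comment) are the draft's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_BAD_END = -2, OPT_NO_END = -3 };
/* Assumption: little-endian fields. A real reader takes the byte order
   from the section header, which is outside this excerpt. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the option list in buf[0..len). Copies the last opt_comment into
   comment (NUL-terminated, clipped to cap-1 bytes) and counts the options
   seen. pad is the Option Value alignment: 4 is an assumption read off the
   padding marks in Figure 9; pass 1 for unpadded values. */
int walk_options(const uint8_t *buf, size_t len, size_t pad,
                 char *comment, size_t cap, unsigned *count)
{
    size_t off = 0;
    *count = 0;
    if (cap) comment[0] = '\0';
    if (pad == 0) pad = 1;
    while (len - off >= 4) {              /* room for code + length */
        uint16_t code = rd16(buf + off);
        size_t vlen = rd16(buf + off + 2);
        off += 4;
        if (code == 0)                    /* opt_endofopt: length must be 0 */
            return vlen == 0 ? OPT_OK : OPT_BAD_END;
        size_t padded = (vlen + pad - 1) / pad * pad;
        if (padded > len - off)           /* declared length exceeds the data */
            return OPT_TRUNCATED;
        if (code == 1 && cap) {           /* opt_comment */
            size_t n = vlen < cap - 1 ? vlen : cap - 1;
            memcpy(comment, buf + off, n);
            comment[n] = '\0';
        }
        (*count)++;
        off += padded;
    }
    return off == len ? OPT_NO_END : OPT_TRUNCATED;
}

/* Constructed inputs: a valid list, and one whose length field lies. */
static const uint8_t good[] = { 1,0, 4,0, 'l','a','b','1', 0,0, 0,0 };
static const uint8_t bad[]  = { 1,0, 0,4, 'h','i' };

int main(void)
{
    char c[16]; unsigned n;
    return walk_options(good, sizeof good, 4, c, sizeof c, &n) != OPT_OK
        || walk_options(bad, sizeof bad, 4, c, sizeof c, &n) != OPT_TRUNCATED;
}
```
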
   The following codes can always be present in any optional field:

   +----------------+----------------+----------------+----------------+
   | Name           | Code           | Length         | Description    |
   +----------------+----------------+----------------+----------------+
   | opt_endofopt   | 0              | 0              | End of         |
   |                |                |                | options: it is |
   |                |                |                | used to        |
   |                |                |                | delimit the    |
   |                |                |                | end of the     |
   |                |                |                | optional       |
   |                |                |                | fields. This   |
   |                |                |                | block cannot   |
   |                |                |                | be repeated    |
   |                |                |                | within a given |
   |                |                |                | list of        |
   |                |                |                | options.       |
   |                |                |                |                |
   | opt_comment    | 1              | variable       | Comment: it is |
   |                |                |                | an ASCII       |
   |                |                |                | string         |
   |                |                |                | containing a   |
   |                |                |                | comment that   |
   |                |                |                | is associated  |
   |                |                |                | to the current |
   |                |                |                | block.         |
   +----------------+----------------+----------------+----------------+

5. Experimental Blocks (deserving further investigation)

5.1 Other Packet Blocks (experimental)

   Can some other packet blocks (besides the two described in the
   previous paragraphs) be useful?

5.2 Compression Block (experimental)

   The Compression Block is optional. A file can contain an arbitrary
   number of these blocks. A Compression Block, as the name says, is
   used to store compressed data. Its format is shown in Figure 10.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Compr. Type  |                                               |
      +-+-+-+-+-+-+-+-+                                               |
      |                                                               |
      |                       Compressed Data                         |
      |                                                               |
      |              /* variable length, byte-aligned */              |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 10: Compression Block format.

   The fields have the following meaning:

   o  Compression Type: specifies the compression algorithm. Possible
      values for this field are 0 (uncompressed), 1 (Lempel Ziv), 2
      (Gzip), other?? Probably some kind of dumb and fast compression
      algorithm could be effective with some types of traffic (for
      example web), but which?

   o  Compressed Data: data of this block. Once decompressed, it is made
      of other blocks.

5.3 Encryption Block (experimental)

   The Encryption Block is optional.
   A file can contain an arbitrary
   number of these blocks. An Encryption Block is used to store
   encrypted data. Its format is shown in Figure 11.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Encr. Type  |                                               |
      +-+-+-+-+-+-+-+-+                                               |
      |                                                               |
      |                       Compressed Data                         |
      |                                                               |
      |              /* variable length, byte-aligned */              |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 11: Encryption Block format.

   The fields have the following meaning:

   o  Compression Type: specifies the encryption algorithm. Possible
      values for this field are ??? NOTE: this block should probably
      contain other fields, depending on the encryption algorithm. To be
      defined precisely.

   o  Encrypted Data: data of this block. Once decrypted, it consists of
      other blocks.

5.4 Fixed Length Block (experimental)

   The Fixed Length Block is optional. A file can contain an arbitrary
   number of these blocks. A Fixed Length Block can be used to optimize
   the access to the file. Its format is shown in Figure 12. A Fixed
   Length Block stores records with constant size. It contains a set of
   Blocks (normally Packet Blocks or Simple Packet Blocks), of which it
   specifies the size.
   Knowing this size a priori helps to scan the file
   and to load some portions of it without truncating a block, and is
   particularly useful with cell-based networks like ATM.

       0                   1                   2                   3
