tcpdump file format
The file has a global header containing some global information, followed by zero or more records, one per captured packet. The layout looks like this:
- Global Header
- Packet Header
- Packet Data
Global Header
typedef struct pcap_hdr_s {
    guint32 magic_number;   /* magic number */
    guint16 version_major;  /* major version number */
    guint16 version_minor;  /* minor version number */
    gint32  thiszone;       /* GMT to local correction */
    guint32 sigfigs;        /* accuracy of timestamps */
    guint32 snaplen;        /* max length of captured packets, in octets */
    guint32 network;        /* data link type */
} pcap_hdr_t;
Example (24 bytes, as written by a little-endian host):
\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x01\x00\x00\x00
Record (Packet) Header
typedef struct pcaprec_hdr_s {
    guint32 ts_sec;    /* timestamp seconds */
    guint32 ts_usec;   /* timestamp microseconds */
    guint32 incl_len;  /* number of octets of packet saved in file */
    guint32 orig_len;  /* actual length of packet */
} pcaprec_hdr_t;
Packet Data
The actual packet data immediately follows the packet header as a blob of incl_len bytes, with no padding or byte alignment between records.
Capture tcpdump data (one TCP packet, written in raw pcap form)
sudo tcpdump -c 1 -w test.pcap tcp
View the Global Header (the first 24 bytes)
hexdump -C -n 24 test.pcap
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 04 00 01 00 00 00 |........|
00000018
View the Record (Packet) Header (16 bytes at offset 24)
hexdump -C -s 24 -n 16 test.pcap
00000018 54 f0 69 63 ab 52 0b 00 42 00 00 00 42 00 00 00 |T.ic.R..B...B...|
00000028
View the Packet Data (incl_len = 0x42 = 66 bytes at offset 40)
hexdump -C -s 40 test.pcap
00000028 b8 ac 6f 3b 20 d0 38 f3 ab 09 44 1c 08 00 45 00 |..o; .8...D...E.|
00000038 00 34 3e c0 40 00 40 06 76 6b c0 a8 02 40 c0 a8 |.4>.@.@.vk...@..|
00000048 02 08 9c 08 1f 92 5e 7b f8 00 12 7f 1e 3e 80 11 |......^{.....>..|
00000058 01 f5 85 bf 00 00 01 01 08 0a 20 82 fb f2 d0 6a |.......... ....j|
00000068 41 0e |A.|
0000006a
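To tie the struct definitions to the hexdump output above, here is an added reader (not code from the original page) that parses the same bytes shown in the dump, detects the byte order from the magic, and bounds-checks incl_len against snaplen, orig_len and the remaining file size before slicing the packet data. The sample bytes are constructed from the hexdump above; the function names are my own.

```python
import struct

# Constructed sample: the bytes from this page's hexdump (global header, one record header, one 66-byte frame).
SAMPLE = bytes.fromhex(
    "d4c3b2a1 0200 0400 00000000 00000000 00000400 01000000"  # global header
    "54f06963 ab520b00 42000000 42000000"                      # record header
    "b8ac6f3b20d038f3ab09441c08004500"                         # packet data
    "00343ec040004006766bc0a80240c0a8"
    "02089c081f925e7bf800127f1e3e8011"
    "01f585bf00000101080a2082fbf2d06a"
    "410e"
)
GLOBAL_HDR = "IHHiIII"  # magic, version_major, version_minor, thiszone (signed), sigfigs, snaplen, network
RECORD_HDR = "IIII"     # ts_sec, ts_usec, incl_len, orig_len

def parse_global_header(data: bytes) -> dict:
    # The magic bytes reveal the writer's byte order; every later field uses the same order.
    if len(data) < 24:
        raise ValueError("truncated global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"  # little-endian writer (as in the page's dump)
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"  # big-endian writer
    else:
        raise ValueError("not a pcap file: bad magic %s" % data[:4].hex())
    _, vmaj, vmin, thiszone, sigfigs, snaplen, network = struct.unpack(endian + GLOBAL_HDR, data[:24])
    return {"endian": endian, "version": (vmaj, vmin), "thiszone": thiszone,
            "sigfigs": sigfigs, "snaplen": snaplen, "network": network}

def iter_records(data: bytes, endian: str, snaplen: int):
    # Walk the records after the global header, bounds-checking every length field,
    # since incl_len comes from the file and must not be trusted to index the buffer.
    offset = 24
    while offset < len(data):
        if len(data) - offset < 16:
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + RECORD_HDR, data, offset)
        offset += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, offset - 16))
        if len(data) - offset < incl_len:
            raise ValueError("truncated packet data at offset %d" % offset)
        yield {"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
               "orig_len": orig_len, "data": data[offset:offset + incl_len]}
        offset += incl_len

def read_pcap(data: bytes):
    # Returns (global_header, [records]); each record's "data" is the raw link-layer frame.
    hdr = parse_global_header(data)
    return hdr, list(iter_records(data, hdr["endian"], hdr["snaplen"]))
```

With network == 1 (Ethernet) the frame's bytes 12-13 are the EtherType, which for the sample is 0x0800 (IPv4), matching the `08 00 45 00` visible in the dump.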
Permalink: https://const.net.cn/732.html