I've just started using Pcap.Net in C#, trying to parse an existing pcap file (https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz).
I'm trying to filter for all TCP packets, but a lot of the traffic in this capture seems to be on VLANs, so after some reading this is my code:
using System.Diagnostics;
using PcapDotNet.Core;      // OfflinePacketDevice, PacketCommunicator, PacketDeviceOpenAttributes
using PcapDotNet.Packets;   // Packet

class Program
{
    static long packetCount = 0;

    static void Main(string[] args)
    {
        // Decompressed copy of maccdc2012_00000.pcap.gz
        string input = @"C:\Testing\pcap\maccdc2012_00000.pcap";
        OfflinePacketDevice offlineDevice = new OfflinePacketDevice(input);
        // Arguments: snapshot length, open flags, read timeout in milliseconds
        using (PacketCommunicator communicator = offlineDevice.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000))
        {
            // BPF filter: untagged TCP, or TCP behind a single 802.1Q tag
            communicator.SetFilter("tcp or (vlan and tcp)");
            // A count of 0 means keep reading until the end of the file
            communicator.ReceivePackets(0, PacketHandler);
        }
        Debug.WriteLine("Packet count: " + packetCount);
    }

    private static void PacketHandler(Packet packet)
    {
        // "HH" is the 24-hour hour field; "hh" would be the 12-hour one
        //Debug.WriteLine("Timestamp: " + packet.Timestamp.ToString("yyyy-MM-dd HH:mm:ss.fff") + " length: " + packet.Length + " " + packet.Ethernet.EtherType);
        packetCount++;
    }
}
I may have the BPF syntax wrong, but using Wireshark as a comparison I see:
Wireshark total packets: 8635943
My program total packets: 8635943
Wireshark (tcp) filter: 8484315
My program (tcp) filter: 0
My program (tcp or (vlan and tcp)) filter: 8481053
So Wireshark shows a difference of 151,628 packets, and my program doesn't. Now maybe Wireshark is doing something else that I'm not aware of, but I'm a bit confused.
If anyone can offer any advice or comments, I'd be grateful.
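The counts above hinge on how a libpcap/BPF filter locates the transport header versus how a Wireshark-style dissector does it. The following is an added example, not the poster's code and not Pcap.Net's, written in Python rather than C# because it only models filter semantics: `bpf_tcp` and `bpf_vlan_and_tcp` are simplified models of the fixed-offset programs libpcap emits for "tcp" and "vlan and tcp" on an Ethernet link (the `vlan` keyword is modelled as accepting TPIDs 0x8100 and 0x88A8), `dissector_tcp` walks any number of tags the way a full dissector does, and every frame is constructed inline with minimal IPv4/IPv6 headers.

```python
import struct

# Ethertypes and IP protocol numbers used by the emulation.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer (service) tag
VLAN_TPIDS = {ETHERTYPE_VLAN, ETHERTYPE_QINQ}   # assumption: TPIDs the 'vlan' keyword accepts
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ipv4_header(proto):
    """Minimal 20-byte IPv4 header (constructed) carrying the given protocol number."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ipv6_header(next_header):
    """Minimal 40-byte IPv6 header (constructed) with the given Next Header value."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       b"\x20\x01" + b"\x00" * 13 + b"\x01",
                       b"\x20\x01" + b"\x00" * 13 + b"\x02")


def ethernet_frame(tags, ethertype, payload):
    """Ethernet II frame with zero or more 802.1Q/802.1ad tags (outermost first)."""
    frame = bytes(6) + bytes(6)            # dst, src MAC (constructed, all zero)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid)
    return frame + struct.pack("!H", ethertype) + payload


def _l4_is_tcp(frame, eth_offset):
    """Read the ethertype at eth_offset and the IP protocol field right after it."""
    ethertype = struct.unpack_from("!H", frame, eth_offset)[0]
    ip = eth_offset + 2
    if ethertype == ETHERTYPE_IPV4:
        return frame[ip + 9] == IPPROTO_TCP        # IPv4 Protocol field
    if ethertype == ETHERTYPE_IPV6:
        return frame[ip + 6] == IPPROTO_TCP        # IPv6 Next Header field
    return False


def bpf_tcp(frame):
    """Model of the BPF program for 'tcp' on Ethernet: fixed offsets, the
    ethertype is read at byte 12 and nothing knows about VLAN tags."""
    return _l4_is_tcp(frame, 12)


def bpf_vlan_and_tcp(frame):
    """Model of 'vlan and tcp': require a tag at byte 12, then shift every
    later offset by the 4-byte tag. Only one tag is skipped."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid not in VLAN_TPIDS:
        return False
    return _l4_is_tcp(frame, 16)


def dissector_tcp(frame):
    """Model of a Wireshark-style dissector: strip any number of tags before
    looking at the IP header, so double-tagged (QinQ) frames still count."""
    offset = 12
    while struct.unpack_from("!H", frame, offset)[0] in VLAN_TPIDS:
        offset += 4
    return _l4_is_tcp(frame, offset)


def count_matches(frames):
    """Return how many frames each of the three filters would accept."""
    return {
        "bpf tcp": sum(bpf_tcp(f) for f in frames),
        "bpf tcp or (vlan and tcp)": sum(bpf_tcp(f) or bpf_vlan_and_tcp(f) for f in frames),
        "dissector tcp": sum(dissector_tcp(f) for f in frames),
    }


# Constructed sample capture: the same TCP/UDP headers under different encapsulations.
SAMPLE_FRAMES = [
    ethernet_frame([], ETHERTYPE_IPV4, ipv4_header(IPPROTO_TCP)),                        # untagged TCP
    ethernet_frame([], ETHERTYPE_IPV4, ipv4_header(IPPROTO_UDP)),                        # untagged UDP
    ethernet_frame([(ETHERTYPE_VLAN, 100)], ETHERTYPE_IPV4, ipv4_header(IPPROTO_TCP)),   # 802.1Q TCP
    ethernet_frame([(ETHERTYPE_VLAN, 100)], ETHERTYPE_IPV4, ipv4_header(IPPROTO_UDP)),   # 802.1Q UDP
    ethernet_frame([(ETHERTYPE_QINQ, 7), (ETHERTYPE_VLAN, 100)], ETHERTYPE_IPV4,
                   ipv4_header(IPPROTO_TCP)),                                            # QinQ TCP
    ethernet_frame([], ETHERTYPE_IPV6, ipv6_header(IPPROTO_TCP)),                        # untagged IPv6 TCP
    ethernet_frame([(ETHERTYPE_VLAN, 200)], ETHERTYPE_IPV6, ipv6_header(IPPROTO_TCP)),   # 802.1Q IPv6 TCP
]

if __name__ == "__main__":
    for name, n in count_matches(SAMPLE_FRAMES).items():
        print(f"{name:28s} {n}")
```

On this constructed set "tcp" matches 2 frames, "tcp or (vlan and tcp)" matches 4 and the dissector matches 5: the plain "tcp" program never sees past a tag, and "vlan and tcp" skips exactly one tag, so double-tagged frames are still missed. In real libpcap each additional `vlan` in the expression shifts the offsets by another 4 bytes, so "vlan and vlan and tcp" is the BPF way to reach the second tag. Whether QinQ is what accounts for the gap in the MACCDC capture is not something this model can tell you; it is one mechanism, and Wireshark's "tcp" display filter also matches frames BPF never will, such as ICMP errors that quote a TCP header in their payload.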