我在Mac OS上运行tcpdump,我注意到它以PCAP-NG格式保存文件(前4个字节为0A 0D 0D 0A)。有没有办法强迫它使用旧的PCAP?
软件版本:
tcpdump version 4.3.0 -- Apple version 56
libpcap version 1.3.0 - Apple version 41
PS。 我不确定是否与TCPDump或libpcap有关。
答案 0 :(得分:1)
Mavericks的tcpdump手册页说:
-i Listen on interface.
If the -D flag is supported, an interface number as printed by
that flag can be used as the interface argument.
On Darwin systems version 13 or later, when the interface is
unspecified, tcpdump will use a pseudo interface to capture
packets on a set of interfaces determined by the kernel
(excludes by default loopback and tunnel interfaces).
Alternatively, to capture on more than one interface at a time,
one may use "pktap" as the interface parameter followed by an
optional list of comma separated interface names to include.
For example, to capture on the loopback and en0 interface:
tcpdump -i pktap,lo0,en0
An interface argument of "all" or "pktap,all" can be used to
capture packets from all interfaces, including loopback and tun-
nel interfaces.
A pktap pseudo interface provides for packet metadata using the
default PKTAP data link type and files are written in the Pcap-
ng file format. The RAW data link type must be used to force to
use the legacy pcap-savefile(5) file format with a ptkap pseudo
interface. Note that captures on a ptkap pseudo interface will
not be done in promiscuous mode.
An interface argument of "iptap" can be used to capture packets
from at the IP layer. This capture packets as they are passed
to the input and output routines of the IPv4 and IPv6 protocol
handlers of the networking stack. Note that captures will not
be done in promiscuous mode.
因此您需要指定要捕获的接口。
请注意,可追溯到Lion的OS X版本,较新版本的FreeBSD / NetBSD / DragonFly BSD以及许多Linux发行版的较新版本包括libpcap 1.1.1或更高版本,这意味着使用libpcap读取捕获文件的程序可以阅读许多pcap-ng文件。 Wireshark也能够在几个版本中阅读它们。
答案 1 :(得分:0)
还有一个应用程序CocoaPacketAnalyzer,它读取pcap文件,但读取 不是pcap-NG 文件。有一个网页https://pcapng.com,该网页会将一个小的pcap-NG文件转换为较旧的格式。但是,如果您正在捕获密码或Web服务器的交互,或者通常在乎安全性,请当心在互联网上发布数据包捕获!