在pcap文件中收集数据包长度

时间:2010-07-06 14:24:49

标签: pcap

大家好我如何收集pcap文件中每个数据包的数据包长度?非常感谢

2 个答案:

答案 0 :(得分:7)

我建议采用一种高科技方法,很少有人知道:阅读文档。

man pcap告诉我们实际上有两种不同的长度:

              caplen a  bpf_u_int32  giving the number of bytes of the packet that are
                     available from the capture

              len    a bpf_u_int32 giving the length of the packet,  in  bytes  (which
                     might  be  more  than the number of bytes available from the cap-
                     ture, if the length of the packet is larger than the maximum num-
                     ber of bytes to capture)

C中的一个例子:

/* Grab a packet */
                packet = pcap_next(handle, &header);
                if (packet == NULL) {   /* End of file */
                        break;
                }
                printf ("Got a packet with length of [%d] \n",
                                     header.len);

另一个使用pcapy library的Python:

import pcapy

reader = pcapy.open_offline("packets.pcap")

while True:
    try:
        (header, payload) = reader.next()
        print "Got a packet of length %d" % header.getlen()
    except pcapy.PcapError:
        break

答案 1 :(得分:0)

以下两个例子可以正常使用:

  • 使用C,WinPcap
  • 使用python,SCAPY

(WinPcap)(编译器CL,Microsoft VC) 我已经写了这个函数(在C中)来获取数据包大小,它工作正常。  不要忘记包含pcap.h并在编译器预处理器中设置HAVE_REMOTE 

u_int getpkt_size(char * pcapfile){

pcap_t *indesc;
char errbuf[PCAP_ERRBUF_SIZE];
char source[PCAP_BUF_SIZE];
u_int res;
struct pcap_pkthdr *pktheader;
u_char *pktdata;
u_int pktsize=0;



/* Create the source string according to the new WinPcap syntax */
if ( pcap_createsrcstr( source,         // variable that will keep the source string
                        PCAP_SRC_FILE,  // we want to open a file
                        NULL,           // remote host
                        NULL,           // port on the remote host
                        pcapfile,        // name of the file we want to open
                        errbuf          // error buffer
                        ) != 0)
{
    fprintf(stderr,"\nError creating a source string\n");
    return 0;
}

/* Open the capture file */
if ( (indesc= pcap_open(source, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf) ) == NULL)
{
    fprintf(stderr,"\nUnable to open the file %s.\n", source);
    return 0;
}


/* get the first packet*/

    res=pcap_next_ex( indesc, &pktheader, &pktdata);

    if (res !=1){
        printf("\nError Reading PCAP File");
                    return 0;
            }



/* Get the packet size*/
pktsize=pktheader->len;

/* Close the input file */
pcap_close(indesc);

return pktsize;

}

Python中使用精彩SCAPY

的另一个wroking示例 
    from scapy.all import *

    pkts=rdpcap("data.pcap",1) # reading only 1 packet from the file
    OnePkt=pkts[0] 
    print len(OnePkt) # prints the length of the packet
相关问题
最新问题