I have pcap frame content in the following format:
[{frame,1,
{1491,213,861700},
87,87,false,
<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,18,
106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,0,0,2,
0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,97,108,0,
0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>},
{ethernet,<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>}]
I would like to convert it into a readable format (I mean converting the binary, which holds a list of integers, into the actual representation that Wireshark shows). My end goal is to wrap the readable content in a binary and share it as a JSON value.
The expected output format is as follows:
0x0000: 4500 0049 442c 0000 ff11 126a ac10 d801 E..ID,.....j....
0x0010: e000 00fb 14e9 14e9 0035 8b0e 0000 0000 .........5......
0x0020: 0002 0000 0000 0000 045f 6970 7004 5f74 ........._ipp._t
0x0030: 6370 056c 6f63 616c 0000 0c00 0105 5f69 cp.local......_i
0x0040: 7070 73c0 1100 0c00 01 pps......
Answer 0 (score: 4)
Ages ago I was working with pcap data and wrote Enet to decode various common packet types.
You can use enet_codec:decode(eth, PktData, [{decode_types, all}]) to convert the data from a pcap frame into a readable packet:
Data = [{frame,1,
{1491,213,861700},
87,87,false,
<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,18,
106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,0,0,2,
0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,97,108,0,
0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>},
{ethernet,<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>}].
rr("include/enet_types.hrl"). % Load record definitions into the shell
PktData = element(7, hd(Data)). % Grab the ethernet frame binary
rp(enet_codec:decode(eth, PktData, [{decode_types, all}])). % Decode and print
#eth{src = "00:50:56:C0:00:08",dst = "01:00:5E:00:00:FB",
type = ipv4,
data = #ipv4{vsn = 4,hlen = 5,diffserv = 0,totlen = 73,
id = 17452,flags = [],frag_offset = 0,ttl = 255,proto = udp,
hdr_csum = correct,
src = <<172,16,216,1>>,
dst = <<224,0,0,251>>,
options = [],
data = #udp{src_port = <<"mdns">>,dst_port = <<"mdns">>,
length = 53,
csum = {incorrect,35598},
data = [{dns_header,0,0,0,0,0,0,0,0,0},
[{dns_query,"_ipp._tcp.local",ptr,in},
{dns_query,"_ipps._ipps._tcp.local",ptr,in}],
[],[],[]]}}}
Wireshark's output, by contrast, takes the raw packet data (or really almost any binary data you want) and produces text output with offsets, the bytes printed in hex, and an ASCII representation of the printable part of those hex bytes.
enet contains enet_if_dump:hexdump/, which does the same thing, so you can run:
Pkt = <<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>.
% This gives you a giant iolist with the formatted Wireshark style hexdump.
enet_if_dump:hexdump(Pkt).
% To inspect it you need to then do something like:
io:format("~s~n", [enet_if_dump:hexdump(Pkt)]). % which produces:
0x0000: 0100 5e00 00fb 0050 56c0 0008 0800 4500 ..^....PV.....E.
0x0010: 0049 442c 0000 ff11 126a ac10 d801 e000 .ID,.....j......
0x0020: 00fb 14e9 14e9 0035 8b0e 0000 0000 0002 .......5........
0x0030: 0000 0000 0000 045f 6970 7004 5f74 6370 ......._ipp._tcp
0x0040: 056c 6f63 616c 0000 0c00 0105 5f69 7070 .local......_ipp
0x0050: 73c0 1100 0c00 1 s......
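The layout the question asks for (offset, hex in 2-byte groups, ASCII with non-printables as dots) is simple enough to implement in plain OTP. The module below is an added example, not part of enet or of the answer above; it reproduces the question's expected output by first stripping the 14-byte Ethernet header, and also packs the result into a map ready for a JSON encoder, which was the stated end goal. The sample frame is the one from the question; the `json:encode/1` call in `demo/0` assumes OTP 27 or later (on older releases substitute jsx or jiffy). The ASCII column is padded to a fixed width on a short last row, which is what Wireshark does even though the whitespace above has been collapsed.

```erlang
%% wireshark_dump.erl -- added example; not part of enet or the original answer.
%% Produces the "offset: hex pairs  ascii" layout from the question for any
%% binary, using only OTP, so its output can be compared with enet_if_dump.
-module(wireshark_dump).
-export([hexdump/1, hexdump/2, ip_payload/1, to_json_term/1, demo/0]).

%% Constructed sample: the 87-byte Ethernet frame from the question
%% (a multicast DNS query for _ipp._tcp.local).
-define(FRAME,
        <<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,18,
          106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,0,0,2,
          0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,97,108,0,
          0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>).

%% hexdump(Bin) -> [Line] where every Line is a string ending in "\n".
hexdump(Bin) -> hexdump(Bin, 0).

%% Offset is the address printed for the first byte. Wireshark counts from 0
%% for whatever buffer it shows, so pass 0 unless you are dumping a slice
%% and want absolute offsets.
hexdump(Bin, Offset) when is_binary(Bin), is_integer(Offset) ->
    rows(Bin, Offset, []).

rows(<<>>, _Offset, Acc) ->
    lists:reverse(Acc);
rows(Bin, Offset, Acc) ->
    {Row, Rest} = case Bin of
                      <<R:16/binary, T/binary>> -> {R, T};
                      _ -> {Bin, <<>>}          % final short row
                  end,
    rows(Rest, Offset + 16, [format_row(Offset, Row) | Acc]).

%% One row, e.g. "0x0010: e000 00fb 14e9 14e9 0035 8b0e 0000 0000 .........5......"
%% The hex column is padded to 39 characters (8 groups of 4 plus 7 spaces)
%% so the ASCII column stays aligned when the last row is short.
format_row(Offset, Row) ->
    Hex = lists:flatten(lists:join(" ", [hex(P) || P <- pairs(Row)])),
    lists:flatten(io_lib:format("0x~4.16.0b: ~-39s ~s~n",
                                [Offset, Hex, ascii(Row)])).

%% Split a row into 2-byte groups; a trailing odd byte becomes a 1-byte group.
pairs(<<P:2/binary, Rest/binary>>) -> [P | pairs(Rest)];
pairs(<<>>) -> [];
pairs(Last) -> [Last].

hex(Bin) -> [io_lib:format("~2.16.0b", [B]) || <<B>> <= Bin].

%% Printable ASCII (0x20..0x7e) is shown as-is, everything else as ".".
ascii(Row) -> [if B >= $\s, B =< $~ -> B; true -> $. end || <<B>> <= Row].

%% The question's expected output starts at the IPv4 header, i.e. after the
%% 14-byte Ethernet header; this drops that header.
ip_payload(<<_Eth:14/binary, Ip/binary>>) -> Ip.

%% Term ready for a JSON encoder: the dump as one text field plus the raw
%% bytes base64-encoded, so a consumer can re-parse the packet exactly
%% rather than having to scrape the hex column back out of the text.
to_json_term(Bin) ->
    #{<<"length">> => byte_size(Bin),
      <<"hexdump">> => iolist_to_binary(hexdump(Bin)),
      <<"raw_base64">> => base64:encode(Bin)}.

demo() ->
    Ip = ip_payload(?FRAME),
    io:format("~s", [hexdump(Ip)]),
    %% Assumed: the json module shipped with OTP 27. On older releases use
    %% jsx:encode/1 or jiffy:encode/1 on the same map.
    io:format("~s~n", [json:encode(to_json_term(Ip))]).
```

`wireshark_dump:demo().` prints the five rows from the question, starting with `0x0000: 4500 0049 442c 0000 ff11 126a ac10 d801 E..ID,.....j....` and ending with the 9-byte row `0x0040: 7070 73c0 1100 0c00 01` followed by `pps......`. Calling `hexdump(Frame)` on the whole frame instead gives the six-row dump shown in the answer. Carrying the base64 of the raw bytes alongside the text in the JSON object is deliberate: the hexdump is for humans, and anyone who later needs to re-decode the packet (with enet or Wireshark) should not have to trust a text field that could have been edited.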