将pcap数据包写入不带文件头的文件

时间:2018-09-04 14:59:48

标签: rust wireshark python-2.x pcap libpcap

我有一个pcap::Packet,想将其写入不带pcap文件头的文件中,并稍后在Python中添加文件头。我了解pcap::Savefile,但是很遗憾,我无法使用它,因为它会自动写入pcap文件头。

How the pcap crate writes the Packet

Description of the pcap data format

我尝试过类似的事情

extern crate pcap;

use std::{fs::OpenOptions, io::Write, mem, slice};

const DLT_IEEE802_11_RADIO: i32 = 127;
const SNAPLEN: i32 = 4096;

unsafe fn any_as_u8_slice<T: Sized>(p: &T) -> &[u8] {
    slice::from_raw_parts((p as *const T) as *const u8, mem::size_of::<T>())
}

fn main() {
    let mut capture = pcap::Capture::from_device(pcap::Device::lookup().unwrap())
        .unwrap()
        .timeout(1)
        .rfmon(true)
        .snaplen(SNAPLEN)
        .open()
        .unwrap();

    capture
        .set_datalink(pcap::Linktype(DLT_IEEE802_11_RADIO))
        .unwrap();

    let mut temp = OpenOptions::new()
        .create(true)
        .append(true)
        .open("temp.rawpcap")
        .unwrap();

    let mut count = 0;
    while count < 10 {
        match capture.next() {
            Ok(packet) => {
                count += 1;
                unsafe {
                    temp.write_all(any_as_u8_slice(packet.header)).unwrap();
                }
                temp.write_all(&packet.data).unwrap();
            }
            Err(pcap::Error::TimeoutExpired) => continue,
            Err(e) => {
                panic!("unhandled error: {:?}", e);
            }
        }
    }
}

并且正在添加标头

import struct

DLT_IEEE802_11_RADIO = 127
SNAPLEN = 4096

pcap_file_header = struct.pack('IHHiIII', 0xa1b2c3d4, 0x2, 0x4, 0, 0, SNAPLEN, DLT_IEEE802_11_RADIO)

with open('temp.rawpcap', 'rb') as f:
    data = f.read()

with open('temp.pcap', 'wb') as f:
    f.write(pcap_file_header + data)

当我在Wireshark中打开结果.pcap文件时,我得到了

The capture file appears to be damaged or corrupt.
(pcap: File has 560197-byte packet, bigger than maximum of 262144)

这是每个文件的十六进制转储(以SNAPLEN为256提取1个数据包):

$ hexdump -n 56 temp.rawpcap
0000000 d4 c5 8e 5b 00 00 00 00 43 78 02 00 00 00 00 00
0000010 00 01 00 00 50 01 00 00 14 a0 2e 09 01 00 00 00
0000020

$ hexdump -n 56 temp.pcap
0000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00
0000010 00 01 00 00 7f 00 00 00 d4 c5 8e 5b 00 00 00 00
0000020 43 78 02 00 00 00 00 00 00 01 00 00 50 01 00 00
0000030 14 a0 2e 09 01 00 00 00
0000038

1 个答案:

答案 0 :(得分:3)

根据the pcap data file specification,时间戳由两个32位值组成,但是pcap::PacketHeader使用timeval,其由两个64位值组成。

您不能将标题写为原始标题,您需要手工编写其字段:

export class Preloader {
      constructor(private router: Router) {
        this.preloadItems();
      }

      preloadItems() {
       // once preload done
       this.router.navigate(['/your_route_path']);
      }
    }

由于您未在任何地方指定字节顺序,因此还需要确保在与运行Rust代码的计算机具有相同字节序的计算机上运行Python脚本。

相关问题
最新问题