pcap文件格式是常用的數(shù)據(jù)報(bào)存儲(chǔ)格式，包括wireshark在內(nèi)的主流抓包軟件都可以生成這種格式的數(shù)據(jù)包 下面對(duì)這種格式的文件簡(jiǎn)單分析一下：? pcap文件的格式為：
??文件頭 ???24字節(jié)
? 數(shù)據(jù)報(bào)頭 + 數(shù)據(jù)報(bào)??數(shù)據(jù)包頭為16字節(jié)，后面緊跟數(shù)據(jù)報(bào)
??數(shù)據(jù)報(bào)頭 + 數(shù)據(jù)報(bào)? ...... pcap.h里定義了文件頭的格式
struct pcap_file_header {
??????? bpf_u_int32 magic;
??????? u_short version_major;
??????? u_short version_minor;
??????? bpf_int32 thiszone;????
??????? bpf_u_int32 sigfigs;???
??????? bpf_u_int32 snaplen;???
??????? bpf_u_int32 linktype;??
};

Pcap文件頭24B各字段說明：

Magic：4B：0x1A 2B 3C 4D:用來標(biāo)示文件的開始 Major：2B，0×02 00:當(dāng)前文件主要的版本號(hào) Minor：2B，0×04 00當(dāng)前文件次要的版本號(hào) ThisZone：4B當(dāng)?shù)氐臉?biāo)準(zhǔn)時(shí)間；全零 SigFigs：4B時(shí)間戳的精度；全零 SnapLen：4B最大的存儲(chǔ)長(zhǎng)度 LinkType：4B鏈路類型 常用類型： 0??????????? BSD loopback devices, except for later OpenBSD
1??????????? Ethernet, and Linux loopback devices
6??????????? 802.5 Token Ring
7??????????? ARCnet
8??????????? SLIP
9??????????? PPP
10?????????? FDDI
100???????? LLC/SNAP-encapsulated ATM
101???????? “raw IP”, with no link
102???????? BSD/OS SLIP
103???????? BSD/OS PPP
104???????? Cisco HDLC
105???????? 802.11
108???????? later OpenBSD loopback devices (with the AF_value in network byte order)
113???????? special Linux “cooked” capture
114???????? LocalTalk
字段說明： Timestamp：時(shí)間戳高位，精確到seconds（值是自從January 1, 1970 00:00:00 GMT以來的秒數(shù)來記） Timestamp：時(shí)間戳低位，精確到microseconds （數(shù)據(jù)包被捕獲時(shí)候的微秒（microseconds）數(shù)，是自ts-sec的偏移量） Caplen：當(dāng)前數(shù)據(jù)區(qū)的長(zhǎng)度，即抓取到的數(shù)據(jù)幀長(zhǎng)度，由此可以得到下一個(gè)數(shù)據(jù)幀的位置。 Len：離線數(shù)據(jù)長(zhǎng)度：網(wǎng)絡(luò)中實(shí)際數(shù)據(jù)幀的長(zhǎng)度，一般不大于caplen，多數(shù)情況下和Caplen數(shù)值相等。 （例如，實(shí)際上有一個(gè)包長(zhǎng)度是1500 bytes（Len=1500），但是因?yàn)樵贕lobal Header的snaplen=1300有限制，所以只能抓取這個(gè)包的前1300個(gè)字節(jié)，這個(gè)時(shí)候，Caplen?= 1300 ）
Packet?數(shù)據(jù)：即 Packet（通常就是鏈路層的數(shù)據(jù)幀）具體內(nèi)容，長(zhǎng)度就是Caplen，這個(gè)長(zhǎng)度的后面，就是當(dāng)前PCAP文件中存放的下一個(gè)Packet數(shù)據(jù)包，也就 是說：PCAP文件里面并沒有規(guī)定捕獲的Packet數(shù)據(jù)包之間有什么間隔字符串，下一組數(shù)據(jù)在文件中的起始位置。我們需要靠第一個(gè)Packet包確定。 最后，Packet數(shù)據(jù)部分的格式其實(shí)就是標(biāo)準(zhǔn)的網(wǎng)路協(xié)議格式了可以任何網(wǎng)絡(luò)教材上找得到。 下面是我針對(duì)網(wǎng)上相關(guān)代碼的修改和精煉，主要就是改進(jìn)了讀包方法，每次先讀包頭，再一次性讀取該包數(shù)據(jù)，并在該包數(shù)據(jù)內(nèi)依次解析Ethernet幀，IP幀，TCP幀或是UDP幀。另外改進(jìn)了異常處理機(jī)制，保證退出時(shí)文件要關(guān)閉，內(nèi)存要釋放。注意運(yùn)行在64位Linux系統(tǒng)上面； 文件pcap_file_parse.c

//description: parse wireshark pcap file and write it into local file
//platform: Ubuntu 14.04 64bit Desktop version
//compile:  gcc -g pcap_file_parse.c -o pcap_file_parse
//run: ./pcap_file_parse test.pcap
//author: tao_627@aliyun.com, QQ:48019671
//date: 2014-05-24#include <pcap.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include "pcap_utils.h" //公共函數(shù)存放在這里#define STRSIZE 1024
#define SNAP_LEN 1518       // 以太網(wǎng)幀最大長(zhǎng)度
#define SIZE_ETHERNET 14   // 以太網(wǎng)包頭長(zhǎng)度 mac 6*2, type: 2
#define SIZE_UDP 8         // UDP包頭8字節(jié)int main(int argc, char **argv){if(argc<=1 || argc>2){printf("Usage: %s <input filename>\n", argv[0]);return 0;}struct pcap_file_header *file_header;struct pcap_pkthdr *ptk_header;struct ether_header *eth_header;struct iphdr *ip_header;struct tcphdr *tcp_header;struct udphdr *udp_header;const char *payload;int size_packet, size_payload, size_ip, size_tcp;FILE *fp, *output;int pkt_offset, i=0;char buf[STRSIZE], capture_time[STRSIZE];u_char *packet = NULL;if((fp=fopen(argv[1], "r")) == NULL){printf("Error: can not open input pcap file\n");exit(0);}if((output=fopen("./output.txt", "w+")) == NULL){printf("Error: can not open the output file\n");exit(0);}file_header = (struct pcap_file_header*)malloc(sizeof(struct pcap_file_header));ptk_header = (struct pcap_pkthdr*)malloc(sizeof(struct pcap_pkthdr));//validate the pcap file formatint read_size = fread(file_header, sizeof(char), 24, fp);if(read_size != 24){printf("cannot read pcacp file header, invalid format\n");goto cleanup;}printf("Pcap file header: %X, %hu, %hu, %u, %u\n",file_header->magic,file_header->version_major,file_header->version_minor,file_header->snaplen,file_header->linktype);//allocate a common packet buffer to usepacket = (u_char*)malloc(file_header->snaplen * sizeof(char));pkt_offset = 24;while(fseek(fp, pkt_offset, SEEK_SET) == 0){i++;memset(buf,0,sizeof(buf));memset(packet,0,sizeof(packet));//read pcap packet headerif(fread(buf, 16, 1, fp) != 1){printf("\nPacket No#%d: cannot read pcap_pkt_header of pcap file\n", i);break;}ptk_header->ts.tv_sec = *(bpf_u_int32*)buf;ptk_header->caplen = *(bpf_u_int32*)(buf+8);ptk_header->len = *(bpf_u_int32*)(buf+12);size_packet = ptk_header->caplen;pkt_offset += 16 + size_packet;strftime(capture_time, sizeof(capture_time), "%Y-%m-%d %T", localtime(&(ptk_header->ts.tv_sec)));printf("capture time: %s, packet len: %u\n", capture_time, size_packet);//read a complete packetif(fread(packet, 1, size_packet, fp) != size_packet){printf("Packet NO.%d: cannot read a whole packet\n", i);break;}eth_header = (struct ether_header*)packet;//read ip frame headerip_header = (struct iphdr *)(packet + SIZE_ETHERNET);size_ip = (ip_header->ihl)*4;/* if (size_ip < 20) {printf("無效的IP頭長(zhǎng)度: %u bytes\n", size_ip);break;}*/if ( (ip_header->protocol != IPPROTO_TCP)&&(ip_header->protocol!=IPPROTO_UDP) ){ // TCP,UDP,ICMP,IPcontinue;}if(ip_header->protocol==IPPROTO_TCP){/* TCP頭 */tcp_header = (struct tcphdr *)(packet + SIZE_ETHERNET + size_ip);size_tcp = (tcp_header->th_off)*4;if (size_tcp < 20) {printf("無效的TCP頭長(zhǎng)度: %u bytes\n", size_tcp);break;}int sport =  ntohs(tcp_header->th_sport);int dport =  ntohs(tcp_header->th_dport);printf("%s:%d -> ", inet_ntoa(*(struct in_addr*)(&ip_header->saddr)), sport);printf("%s:%d ", inet_ntoa(*(struct in_addr*)(&ip_header->daddr)), dport);//內(nèi)容payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);//內(nèi)容長(zhǎng)度size_payload = ntohs(ip_header->tot_len) - (size_ip + size_tcp);if (size_payload > 0) {printf("seq:%d ack:%d flag:%d payload:%d bytes\n", ntohs(tcp_header->th_seq), ntohs(tcp_header->th_ack), ntohs(tcp_header->th_flags), size_payload );printf("=====================================TCP=====================================\n");print_payload(payload, size_payload);}}else if(ip_header->protocol==IPPROTO_UDP){udp_header = (struct udphdr *)(packet + SIZE_ETHERNET + size_ip);int sport =  ntohs(udp_header->source);int dport =  ntohs(udp_header->dest);printf("%s:%d -> ", inet_ntoa(*(struct in_addr*)(&ip_header->saddr)), sport);printf("%s:%d ", inet_ntoa(*(struct in_addr*)(&ip_header->daddr)), dport);//內(nèi)容payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + SIZE_UDP);//內(nèi)容長(zhǎng)度size_payload = ntohs(ip_header->tot_len) - (size_ip + SIZE_UDP);if (size_payload > 0) {printf("payload:%d bytes\n", size_payload );printf("=====================================UDP=====================================\n");print_payload(payload, size_payload);}}}cleanup:if(file_header)free(file_header);if(ptk_header)free(ptk_header);if(packet)free(packet);fclose(fp);fclose(output);return 0;
}

文件pcap_utils.h

#include <stdio.h>
#include <stdlib.h>
#include <string.h>/** print data in rows of 16 bytes: offset   hex   ascii** 00000   47 45 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a   GET / HTTP/1.1..*/
void
print_hex_ascii_line(const u_char *payload, int len, int offset)
{int i;int gap;const u_char *ch;/* offset */printf("%05d   ", offset);/* hex */ch = payload;for(i = 0; i < len; i++) {printf("%02X ", *ch);ch++;/* print extra space after 8th byte for visual aid */if (i == 7)printf(" ");}/* print space to handle line less than 8 bytes */if (len < 8)printf(" ");/* fill hex gap with spaces if not full line */if (len < 16) {gap = 16 - len;for (i = 0; i < gap; i++) {printf("   ");}}printf("   ");/* ascii (if printable) */ch = payload;for(i = 0; i < len; i++) {if (isprint(*ch))printf("%c", *ch);elseprintf(".");ch++;}printf("\n");
}/** print packet payload data (avoid printing binary data)*/
void
print_payload(const u_char *payload, int len)
{int len_rem = len;int line_width = 16;			/* number of bytes per line */int line_len;int offset = 0;					/* zero-based offset counter */const u_char *ch = payload;if (len <= 0)return;/* data fits on one line */if (len <= line_width) {print_hex_ascii_line(ch, len, offset);return;}/* data spans multiple lines */for ( ;; ) {/* compute current line length */line_len = line_width % len_rem;/* print line */print_hex_ascii_line(ch, line_len, offset);/* compute total remaining */len_rem = len_rem - line_len;/* shift pointer to remaining bytes to print */ch = ch + line_len;/* add offset */offset = offset + line_width;/* check if we have line width chars or less */if (len_rem <= line_width) {/* print last line and get out */print_hex_ascii_line(ch, len_rem, offset);break;}}
}

使用方法: gcc -g pcap_file_parse.c -o pcap_file_parse.c 假設(shè)要解析的pcap文件為test.pcap,有兩種方法,一種是解析結(jié)果直接輸出到屏幕上,另一種是寫到指定的文件中,分別對(duì)應(yīng) ./pcap_file_parse test.pcap ./pcap_file_parse test.pcap > output.txt 下面是代碼運(yùn)行效果圖
應(yīng)該注意的問題 1.使用wireshark等抓包時(shí),必須存為pcap文件格式,否則上面的代碼解析將會(huì)出錯(cuò).參見下面的截圖

總結(jié)

以上是生活随笔為你收集整理的Ubuntu 14.04 64bit上解析wireshark抓包pcap文件格式和源码实现的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。