Linux cooked-mode capture format conversion

    When tcpdump captures with -i set to a specific network interface, the link layer of each captured packet is an Ethernet header; when -i is any, the Ethernet header is replaced by a Linux cooked capture header:

     # tcpdump -i any -w linux_sll.pcap
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
     # tcpdump -i eth1 -w enet.pcap
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    

    tcpdump's -y option selects the data link type, but testing shows that with -i any the captured packets cannot be given the Ethernet data link type:

     # tcpdump -i any -w test.pcap -y EN10MB
    tcpdump: EN10MB is not one of the DLTs supported by this device
     # tcpdump -i eth1 -w test.pcap -y EN10MB
    tcpdump: data link type EN10MB
     # 
    

    In that case, if you need to convert Linux cooked capture packets to Ethernet format, there are a few ways:

    1. Write code that reads each packet and rewrites it into a new file (using libpcap, or by working from the offsets of the pcap header structures);

    2. With tcprewrite 3.0+ you can rewrite the file directly; this should be the quickest method:

    DLT Plugins
    As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the code easier to maintain, but also helps make things clearer for users regarding what is and isn't supported. Each plugin may support reading and/or writing packets. By default, the plugin used to read packets is also used for output, but you can override the output plugin using the --dlt option. Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type. This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco HDLC or capture on a BSD Loopback interface and replay over Ethernet.

    Plugins supported in output mode:
    - Ethernet (enet)
    - Cisco HDLC (hdlc)
    - User defined Layer 2 (user)

    Plugins supported in input mode:
    - Ethernet
    - Cisco HDLC
    - Linux SLL
    - BSD Loopback
    - BSD Null
    - Raw IP
    - 802.11
    - Juniper Ethernet (version >= 4.0)

    Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the supported output DLT types by using the --dlt=<output> option. Depending on the input DLT you may need to provide additional DLT plugin flags.

    The tcprewrite conversion command is as follows:

     # tcpdump -r linux_sll.pcap
    reading from file linux_sll.pcap, link-type LINUX_SLL (Linux cooked)
     # tcprewrite --dlt=enet --infile=linux_sll.pcap  --outfile=enet.pcap
     # tcpdump -r enet.pcap
    reading from file enet.pcap, link-type EN10MB (Ethernet)
     #

    The only minor issue is that the Destination MAC in the converted data is empty; keep this in mind if you need that field:
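Method 1 above, done by hand from the pcap header offsets, as an added example that is not part of the original post: it rewrites a LINUX_SLL (113) pcap into an EN10MB (1) pcap, and, like tcprewrite, leaves the destination MAC zeroed because the SLL header records only the sender's link-layer address. The sample capture is constructed inline; the SLL protocol field is copied into the EtherType, which is only correct when the ARPHRD type is Ethernet.

```python
import struct

LINKTYPE_ETHERNET = 1      # EN10MB
LINKTYPE_LINUX_SLL = 113   # Linux cooked capture
ARPHRD_ETHER = 1
SLL_HDR_LEN = 16           # pkt type(2) ARPHRD(2) addr len(2) addr(8) protocol(2)

def _byte_order(magic: bytes) -> str:
    # The pcap magic number fixes the byte order of every pcap header field.
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    raise ValueError("not a pcap file")

def sll_to_ethernet(data: bytes) -> bytes:
    """Rewrite a LINUX_SLL pcap into an EN10MB pcap, packet by packet."""
    bo = _byte_order(data[:4])
    gh = list(struct.unpack(bo + "IHHiIII", data[:24]))
    if gh[6] != LINKTYPE_LINUX_SLL:
        raise ValueError("input link-type is %d, not LINUX_SLL" % gh[6])
    gh[6] = LINKTYPE_ETHERNET
    out = [struct.pack(bo + "IHHiIII", *gh)]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack(bo + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < SLL_HDR_LEN:
            raise ValueError("truncated SLL header in record ending at %d" % off)
        # SLL fields are always big-endian, independent of the pcap byte order.
        _ptype, arphrd, halen, addr, proto = struct.unpack(">HHH8sH", pkt[:SLL_HDR_LEN])
        # Only the sender address is known, so the destination MAC stays all-zero.
        src = addr[:6] if arphrd == ARPHRD_ETHER and halen == 6 else b"\x00" * 6
        eth = b"\x00" * 6 + src + struct.pack(">H", proto)
        body = eth + pkt[SLL_HDR_LEN:]
        # Header shrank from 16 to 14 bytes, so both length fields shrink by 2.
        out.append(struct.pack(bo + "IIII", ts_sec, ts_frac, len(body), orig + len(eth) - SLL_HDR_LEN))
        out.append(body)
    return b"".join(out)

def build_sample_sll_pcap() -> bytes:
    """Constructed one-packet LINUX_SLL capture (little-endian pcap) for a local run."""
    addr = bytes.fromhex("020000000001") + b"\x00\x00"   # constructed source MAC, padded to 8
    sll = struct.pack(">HHH8sH", 0, ARPHRD_ETHER, 6, addr, 0x0800)
    payload = bytes.fromhex("4500001c0001000040010000") + b"\x00" * 16   # constructed IPv4-like bytes
    pkt = sll + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    return hdr + struct.pack("<IIII", 1, 0, len(pkt), len(pkt)) + pkt
```

Writing `sll_to_ethernet(open("linux_sll.pcap", "rb").read())` to a new file gives a capture that tcpdump -r reports as link-type EN10MB.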

    Useful references:

    https://wiki.wireshark.org/SLL

    http://www.tcpdump.org/linktypes.html

    http://tcpreplay.synfin.net/wiki/tcprewrite

    Other:

    # tip: delete VLAN tags
    # tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap

    Excellence, is not an act, but a habit.
    Author: 子厚.
    Source: http://www.cnblogs.com/aios/
    The copyright of this article is shared by the author and cnblogs (博客园). Reposting, discussion, likes and comments are welcome, but without the author's consent this statement must be kept and a link to the original must be given in a prominent place on the article page.

    Original URL: https://www.cnblogs.com/aios/p/9545378.html