本文主要是介绍Wireshark 提示和技巧 | Linux cooked capture,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
Linux cooked-mode capture (SLL)
使用 Wireshark 做数据包分析时,有时候分组详情中的数据链路层会显示 Linux cooked capture ,这是 Linux 上 libpcap 所使用的伪协议(pseudo-protocol),有两种可能的情形:
- 数据包从 “any” 设备进行捕获(即 tcpdump -i any,Pseudo-device),因为不是所有接口都具有相同的链路层类型。
[root@localhost ~]# tcpdump -D
1.eno1
2.usbmon1 (USB bus number 1)
3.eno2
4.usbmon2 (USB bus number 2)
5.enp59s0f0
6.enp59s0f1
7.any (Pseudo-device that captures on all interfaces)
8.lo
[root@localhost ~]# tcpdump -i any
- 数据包从链路层头部不可用或不能使用的设备上进行捕获(譬如Linux PPP),因为 Linux PPP 代码不能可靠地向 libpcap 提供 PPP 报头。
示例数据包
SLL数据包格式
+---------------------------+| Packet type || (2 Octets) |+---------------------------+| ARPHRD_ type || (2 Octets) |+---------------------------+| Link-layer address length || (2 Octets) |+---------------------------+| Link-layer address || (8 Octets) |+---------------------------+| Protocol type || (2 Octets) |+---------------------------+| Payload |. .. .. .
- Packet type(2字节)
-
0, if the packet was specifically sent to us by somebody else;
-
1, if the packet was broadcast by somebody else;
-
2, if the packet was multicast, but not broadcast, by somebody else;
-
3, if the packet was sent to somebody else by somebody else;
-
4, if the packet was sent by us.
-
ARPHRD_ type(2字节)
链路层地址类型,Linux ARPHRD_ value,譬如 1 以太网 -
Link-layer address length(2字节)
数据包发送方的链路层地址长度,可以为 0 -
Link-layer address(8字节)
数据包发送方的链路层地址 -
Protocol type(2字节)
协议类型字段
详见 https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
Wireshark 显示过滤
sll 过滤 SLL-based 流量
sll.pkttype 过滤 Packet type ,例 sll.pkttype == 0
sll.hatype 过滤 Link-layer address type ,例 sll.hatype == 1
sll.halen 过滤 Link-layer address length ,例 sll.halen == 6
sll.src.eth 过滤 source mac,例 sll.src.eth == 00:00:00:00:00:00
sll.etype 过滤协议类型,例 sll.etype == 0x0800
感谢阅读,更多技术文章可关注个人公众号:Echo Reply ,谢谢。
这篇关于Wireshark 提示和技巧 | Linux cooked capture的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!