Linux cooked-mode capture 格式转换

 

tcpdump抓包时，如果-i选项指定为一个网卡地址，那么抓取的数据包数据链路层是以太网头部；如果指定any，则以太网头部将被替换为linux cooked capture头部

 # tcpdump -i any -w linux_sll.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

 

 # tcpdump -i eth1 -w enet.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

 

tcpdump抓包时可以通过 -y 选项来指定data link type，不过测试发现 -i 选项指定 any 时，不支持抓获的包的data link type 为以太网 :

 # tcpdump -i any -w test.pcap -y EN10MB
tcpdump: EN10MB is not one of the DLTs supported by this device# tcpdump -i eth1 -w test.pcap -y EN10MB
tcpdump: data link type EN10MB# 

 

这时，若需要将linux cooked capture格式的包转换为Ethernet格式，有那么几种方法：

1. 写代码读出每一个包后再改写到新文件(使用libpcap或者基于pcap头部结构体偏移)；

2. tcpdump 3.0+ 版本下，可以用tcprewrite直接改写，这应该是最快捷的方法；

DLT Plugins
As of 3.0, tcprewrite uses plugins to support different DLT/Layer 2 types. This not only makes the 
code easier to maintain, but also helps make things clearer for users regarding what is and isn't 
supported. Each plugin may support reading and/or writing packets. By default, the plugin used to 
read packets is also used for output, but you can override the output plugin using the --dlt option. 
Changing the DLT plugin allows you to convert the packets from one DLT/Layer 2 type to another type. 
This allows you for example to capture traffic on say an Ethernet interface and replay over Cisco 
HDLC or capture on a BSD Loopback interface and replay over Ethernet.Plugins supported in output mode:Ethernet (enet)
Cisco HDLC (hdlc)
User defined Layer 2 (user)
Plugins supported in input mode:Ethernet
Cisco HDLC
Linux SLL
BSD Loopback
BSD Null
Raw IP
802.11
Juniper Ethernet (version >= 4.0)
Hence, if you have a pcap in one of the supported input DLT types, you can convert it to one of the 
supported output DLT type by using the --dlt=<output> option. Depending on the input DLT you may 
need to provide additional DLT plugin flags.

 

tcprewrite转换命令如下：

 # tcpdump -r linux_sll.pcap
reading from file linux_sll.pcap, link-type LINUX_SLL (Linux cooked)# tcprewrite --dlt=enet --infile=linux_sll.pcap  --outfile=enet.pcap# tcpdump -r enet.pcap
reading from file enet.pcap, link-type EN10MB (Ethernet)#

 

唯一有点问题的，是转换后的数据的Destination-Mac为空， 对这个字段有需求的要注意下：

 

可以参考的网址：

https://wiki.wireshark.org/SLL

http://www.tcpdump.org/linktypes.html

http://tcpreplay.synfin.net/wiki/tcprewrite

 

其它：

# tips 删除vlan
# tcprewrite --enet-vlan=del --infile=enet.pcap --outfile=output.pcap