Wireshark Tips and Tricks | Linux cooked capture


Linux cooked-mode capture (SLL)


When analysing packets in Wireshark, the data-link layer in the packet details sometimes shows "Linux cooked capture". This is a pseudo-protocol used by libpcap on Linux, and it appears in two situations:

  1. The packets were captured on the "any" pseudo-device (i.e. tcpdump -i any), because not all interfaces share the same link-layer type.
[root@localhost ~]# tcpdump -D
1.eno1
2.usbmon1 (USB bus number 1)
3.eno2
4.usbmon2 (USB bus number 2)
5.enp59s0f0
6.enp59s0f1
7.any (Pseudo-device that captures on all interfaces)
8.lo
[root@localhost ~]# tcpdump -i any
  2. The packets were captured on a device whose link-layer header is unavailable or unusable (for example Linux PPP), because the Linux PPP code cannot reliably supply the PPP header to libpcap.

Example packet



SLL packet format


    +---------------------------+
    |         Packet type       |
    |         (2 Octets)        |
    +---------------------------+
    |        ARPHRD_ type       |
    |         (2 Octets)        |
    +---------------------------+
    | Link-layer address length |
    |         (2 Octets)        |
    +---------------------------+
    |    Link-layer address     |
    |         (8 Octets)        |
    +---------------------------+
    |        Protocol type      |
    |         (2 Octets)        |
    +---------------------------+
    |           Payload         |
    .                           .
    .                           .
    .                           .
  1. Packet type (2 octets)
  • 0, if the packet was specifically sent to us by somebody else;
  • 1, if the packet was broadcast by somebody else;
  • 2, if the packet was multicast, but not broadcast, by somebody else;
  • 3, if the packet was sent to somebody else by somebody else;
  • 4, if the packet was sent by us.
  2. ARPHRD_ type (2 octets)
    The link-layer address type, as a Linux ARPHRD_ value; for example, 1 means Ethernet.
  3. Link-layer address length (2 octets)
    The length of the sender's link-layer address; it may be 0.
  4. Link-layer address (8 octets)
    The sender's link-layer address.
  5. Protocol type (2 octets)
    The protocol type field (for Ethernet interfaces this is the EtherType, e.g. 0x0800 for IPv4).

See www.tcpdump.org/linktypes/L… for details.
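The header layout above, parsed in code. This is an added example written for this page, not code from the original post or from Wireshark/libpcap; the two frames are constructed by hand, and the ARPHRD_PPP value (512) comes from the Linux if_arp.h header rather than from this page.

```python
import struct

# Packet type values from the SLL header, as listed above
PACKET_TYPES = {
    0: "sent to us by somebody else",
    1: "broadcast by somebody else",
    2: "multicast, not broadcast, by somebody else",
    3: "sent to somebody else by somebody else",
    4: "sent by us",
}
SLL_HEADER_LEN = 16   # 2 + 2 + 2 + 8 + 2 octets
ARPHRD_ETHER = 1      # Linux ARPHRD_ value for Ethernet
ARPHRD_PPP = 512      # Linux ARPHRD_ value for PPP (assumed from <linux/if_arp.h>)

def parse_sll(frame: bytes) -> dict:
    """Parse a Linux cooked capture (SLL) header; every field is big-endian.
    Keys reuse Wireshark's display-filter field names where one exists."""
    if len(frame) < SLL_HEADER_LEN:
        raise ValueError("frame shorter than the 16-octet SLL header")
    pkttype, hatype, halen = struct.unpack_from("!HHH", frame, 0)
    if halen > 8:
        raise ValueError("link-layer address length exceeds the 8-octet field")
    # The address field is always 8 octets on the wire; only the first
    # halen octets carry the address, the rest is padding.
    addr = frame[6:6 + halen]
    etype = struct.unpack_from("!H", frame, 14)[0]
    return {
        "sll.pkttype": pkttype,
        "pkttype_desc": PACKET_TYPES.get(pkttype, "unknown"),
        "sll.hatype": hatype,
        "sll.halen": halen,
        # sll.src.eth only makes sense for a 6-octet Ethernet address
        "sll.src.eth": addr.hex(":") if hatype == ARPHRD_ETHER and halen == 6 else None,
        "sll.etype": etype,
        "payload": frame[SLL_HEADER_LEN:],
    }

# Constructed sample 1: unicast to us from an Ethernet interface, carrying IPv4
SAMPLE_ETH = (b"\x00\x00" + b"\x00\x01" + b"\x00\x06"
              + bytes.fromhex("001122334455") + b"\x00\x00"    # MAC padded to 8 octets
              + b"\x08\x00" + b"\x45\x00\x00\x14")              # EtherType IPv4 + payload start
# Constructed sample 2: sent by us over PPP, where no link-layer address is available
SAMPLE_PPP = (b"\x00\x04" + b"\x02\x00" + b"\x00\x00"
              + b"\x00" * 8 + b"\x86\xdd" + b"\x60\x00\x00\x00")  # EtherType IPv6

if __name__ == "__main__":
    for frame in (SAMPLE_ETH, SAMPLE_PPP):
        print(parse_sll(frame))
```

The returned keys match the display-filter fields listed below, so a parsed frame can be checked against the same conditions you would type into Wireshark (e.g. `sll.hatype == 1`).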


Wireshark display filters


sll: matches all SLL-based traffic

sll.pkttype: filter on the Packet type, e.g. sll.pkttype == 0

sll.hatype: filter on the link-layer address type, e.g. sll.hatype == 1

sll.halen: filter on the link-layer address length, e.g. sll.halen == 6

sll.src.eth: filter on the source MAC address, e.g. sll.src.eth == 00:00:00:00:00:00

sll.etype: filter on the protocol type, e.g. sll.etype == 0x0800