Wireshark Tips and Tricks | Linux cooked capture
Linux cooked-mode capture (SLL)
When analysing packets with Wireshark, the data link layer in the packet details sometimes shows "Linux cooked capture". This is a pseudo-protocol used by libpcap on Linux, and it appears in two situations:
- The packets were captured on the "any" device (i.e. tcpdump -i any, a pseudo-device), because not all interfaces share the same link-layer type.
[[email protected] ~]# tcpdump -D
1.eno1
2.usbmon1 (USB bus number 1)
3.eno2
4.usbmon2 (USB bus number 2)
5.enp59s0f0
6.enp59s0f1
7.any (Pseudo-device that captures on all interfaces)
8.lo
[[email protected] ~]# tcpdump -i any
- The packets were captured on a device whose link-layer header is unavailable or unusable (for example Linux PPP), because the Linux PPP code cannot reliably supply the PPP header to libpcap.
Example packet
SLL packet format
+---------------------------+
| Packet type |
| (2 Octets) |
+---------------------------+
| ARPHRD_ type |
| (2 Octets) |
+---------------------------+
| Link-layer address length |
| (2 Octets) |
+---------------------------+
| Link-layer address |
| (8 Octets) |
+---------------------------+
| Protocol type |
| (2 Octets) |
+---------------------------+
| Payload |
. .
. .
. .
- Packet type (2 bytes)
  - 0, if the packet was specifically sent to us by somebody else;
  - 1, if the packet was broadcast by somebody else;
  - 2, if the packet was multicast, but not broadcast, by somebody else;
  - 3, if the packet was sent to somebody else by somebody else;
  - 4, if the packet was sent by us.
- ARPHRD_ type (2 bytes): the link-layer address type, a Linux ARPHRD_ value, e.g. 1 for Ethernet
- Link-layer address length (2 bytes): the length of the sender's link-layer address, which may be 0
- Link-layer address (8 bytes): the sender's link-layer address
- Protocol type (2 bytes): the protocol type field
See http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html for details.
Wireshark display filters
- sll: matches SLL-based traffic
- sll.pkttype: filters on Packet type, e.g. sll.pkttype == 0
- sll.hatype: filters on Link-layer address type, e.g. sll.hatype == 1
- sll.halen: filters on Link-layer address length, e.g. sll.halen == 6
- sll.src.eth: filters on the source MAC, e.g. sll.src.eth == 00:00:00:00:00:00
- sll.etype: filters on the protocol type, e.g. sll.etype == 0x0800
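As an added example (not code from the original post), the following Python decodes the 16-byte SLL header laid out above and builds the Wireshark display filter, using the fields listed in this section, that would match exactly that frame. The two frames are constructed samples; ARPHRD_PPP = 512 is the kernel's value for PPP, and it is assumed that Wireshark populates sll.src.eth only when the address is a 6-octet Ethernet address.

```python
import struct

# Packet-type values from the SLL header description above
SLL_PACKET_TYPES = {0: "unicast to us", 1: "broadcast", 2: "multicast",
                    3: "unicast to another host", 4: "sent by us"}
SLL_HEADER_LEN = 16  # 2 + 2 + 2 + 8 + 2 octets, every field big-endian

def parse_sll(frame: bytes) -> dict:
    """Decode a LINKTYPE_LINUX_SLL header and return its fields plus the payload."""
    if len(frame) < SLL_HEADER_LEN:
        raise ValueError("frame shorter than the 16-octet SLL header")
    pkttype, hatype, halen, addr, etype = struct.unpack("!HHH8sH", frame[:SLL_HEADER_LEN])
    if pkttype not in SLL_PACKET_TYPES:
        raise ValueError(f"unknown SLL packet type {pkttype}")
    if halen > 8:
        raise ValueError(f"link-layer address length {halen} exceeds the 8-octet field")
    return {
        "pkttype": pkttype,
        "pkttype_name": SLL_PACKET_TYPES[pkttype],
        "hatype": hatype,
        "halen": halen,
        "addr": addr[:halen].hex(":"),  # only the first halen octets carry the address
        "etype": etype,
        "payload": frame[SLL_HEADER_LEN:],
    }

def display_filter(fields: dict) -> str:
    """Build the Wireshark display filter that matches exactly this header."""
    terms = [f"sll.pkttype == {fields['pkttype']}",
             f"sll.hatype == {fields['hatype']}",
             f"sll.halen == {fields['halen']}"]
    if fields["hatype"] == 1 and fields["halen"] == 6:  # assumption: sll.src.eth only for a 6-octet Ethernet address
        terms.append(f"sll.src.eth == {fields['addr']}")
    terms.append(f"sll.etype == 0x{fields['etype']:04x}")
    return " && ".join(terms)

# Constructed 20-byte IPv4 header used as the payload of both samples
IPV4_PAYLOAD = bytes.fromhex("4500001c0001000040010000c0a80001c0a80002")
# Constructed sample: captured on "any", sent to us over Ethernet (ARPHRD_ETHER = 1), MAC 00:11:22:33:44:55
ETHER_FRAME = bytes.fromhex("0000" "0001" "0006" "0011223344550000" "0800") + IPV4_PAYLOAD
# Constructed sample: Linux PPP (ARPHRD_PPP = 512) where no link-layer address is available
PPP_FRAME = bytes.fromhex("0000" "0200" "0000" "0000000000000000" "0800") + IPV4_PAYLOAD

if __name__ == "__main__":
    for frame in (ETHER_FRAME, PPP_FRAME):
        fields = parse_sll(frame)
        print(fields["pkttype_name"], fields["addr"] or "(no address)", display_filter(fields))
```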