Wireshark Tips and Tricks | Linux cooked capture


Linux cooked-mode capture (SLL)


When analysing packets in Wireshark, the data-link layer in the packet details sometimes shows "Linux cooked capture". This is a pseudo-protocol used by libpcap on Linux, and it appears in two situations:

  1. The packets were captured on the "any" device (i.e. tcpdump -i any, a pseudo-device), because not all interfaces share the same link-layer type, so libpcap replaces each real link-layer header with a uniform cooked header. Newer libpcap (1.10 and later) uses the SLL2 variant on the any device, which additionally records the interface index; Wireshark shows it as "Linux cooked capture v2" and filters it with sll2 instead of sll.

  # tcpdump -D
  1.eno1
  2.usbmon1 (USB bus number 1)
  3.eno2
  4.usbmon2 (USB bus number 2)
  5.enp59s0f0
  6.enp59s0f1
  7.any (Pseudo-device that captures on all interfaces)
  8.lo
  # tcpdump -i any

  2. The packets were captured on a device whose link-layer header is unavailable or unusable (for example Linux PPP), because the Linux PPP code cannot reliably supply the PPP header to libpcap.


Sample packet



SLL packet format


+---------------------------+
|        Packet type        |
|        (2 Octets)         |
+---------------------------+
|        ARPHRD_ type       |
|        (2 Octets)         |
+---------------------------+
| Link-layer address length |
|        (2 Octets)         |
+---------------------------+
|    Link-layer address     |
|        (8 Octets)         |
+---------------------------+
|       Protocol type       |
|        (2 Octets)         |
+---------------------------+
|          Payload          |
.                           .
.                           .
.                           .

  1. Packet type (2 octets)
     - 0, if the packet was specifically sent to us by somebody else;
     - 1, if the packet was broadcast by somebody else;
     - 2, if the packet was multicast, but not broadcast, by somebody else;
     - 3, if the packet was sent to somebody else by somebody else (seen in promiscuous mode);
     - 4, if the packet was sent by us.

  2. ARPHRD_ type (2 octets)
     The link-layer address type, a Linux ARPHRD_ value, e.g. 1 for Ethernet.

  3. Link-layer address length (2 octets)
     The length of the sender's link-layer address; may be 0.

  4. Link-layer address (8 octets)
     The sender's link-layer address. The field is always 8 octets: a shorter address is zero-padded, and if the address is longer than 8 octets only the first 8 are present. Note that only the sender's address is recorded; the destination is summarised by the Packet type field, so the original destination MAC is not recoverable from a cooked capture.

  5. Protocol type (2 octets)
     The protocol type field. For Ethernet devices (ARPHRD_ type 1) this is an ordinary EtherType, e.g. 0x0800 for IPv4; for other ARPHRD_ types its meaning is type-specific, as described on the linktype page below.

See http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html for details.
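The following parser is an added example written for this article; it is not code from the article, libpcap or Wireshark. It encodes and decodes the 16-octet cooked header described above on constructed sample frames (a hand-built 20-octet IPv4 header behind a cooked header, as captured on the any device from an Ethernet interface), handles the zero-padded / truncated address field and a zero-length address, and builds the matching Wireshark display filter from the decoded fields. The function names, the sample MAC 00:11:22:33:44:55 and the sample addresses are assumptions of the example.

```python
"""Parse LINKTYPE_LINUX_SLL ("Linux cooked capture") headers.

Added example for this article; not from the article, libpcap or Wireshark.
All sample frames below are constructed by hand.
"""
import struct

SLL_HEADER_LEN = 16          # 2 + 2 + 2 + 8 + 2 octets
ARPHRD_ETHER = 1             # Linux ARPHRD_ value for Ethernet
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
PKTTYPE_NAMES = {            # Packet type values from the SLL spec
    0: "unicast to us",
    1: "broadcast",
    2: "multicast",
    3: "to somebody else",   # only seen in promiscuous mode
    4: "sent by us",
}


def build_sll(pkttype, hatype, addr, etype, payload):
    """Encode a cooked header in front of payload (used to build samples).

    The address field is always 8 octets: shorter addresses are zero-padded,
    longer ones are truncated, while the length field keeps the real length,
    exactly as the SLL header does.
    """
    addr_field = (addr + b"\x00" * 8)[:8]
    return struct.pack("!HHH8sH", pkttype, hatype, len(addr), addr_field, etype) + payload


def parse_sll(frame):
    """Decode the five SLL header fields and return them with the payload."""
    if len(frame) < SLL_HEADER_LEN:
        raise ValueError("frame shorter than the 16-octet SLL header")
    pkttype, hatype, halen, addr_field, etype = struct.unpack(
        "!HHH8sH", frame[:SLL_HEADER_LEN])
    # Only halen octets of the 8-octet field are meaningful, and at most
    # 8 of them are stored, so drop the zero padding.
    addr = addr_field[:min(halen, 8)]
    fields = {
        "pkttype": pkttype,
        "pkttype_name": PKTTYPE_NAMES.get(pkttype, "unknown"),
        "hatype": hatype,
        "halen": halen,
        "addr": addr,
        "etype": etype,
        "payload": frame[SLL_HEADER_LEN:],
        "src_mac": None,
    }
    if hatype == ARPHRD_ETHER:
        # For Ethernet devices the protocol type is an ordinary EtherType
        # and a 6-octet address is a MAC address.
        if halen == 6:
            fields["src_mac"] = ":".join(f"{b:02x}" for b in addr)
        fields["proto_name"] = ETHERTYPE_NAMES.get(etype, f"ethertype 0x{etype:04x}")
    else:
        # Other ARPHRD_ types give the protocol type a type-specific meaning
        # (see the LINKTYPE_LINUX_SLL page); it is left undecoded here.
        fields["proto_name"] = f"hatype {hatype} specific value 0x{etype:04x}"
    return fields


def wireshark_filter(fields):
    """Build a display filter matching exactly this cooked header, using the
    sll.* field names Wireshark exposes for the SLL dissector."""
    parts = [
        f"sll.pkttype == {fields['pkttype']}",
        f"sll.hatype == {fields['hatype']}",
        f"sll.halen == {fields['halen']}",
        f"sll.etype == 0x{fields['etype']:04x}",
    ]
    if fields["src_mac"]:
        parts.append(f"sll.src.eth == {fields['src_mac']}")
    return " && ".join(parts)


# Constructed payload: a minimal 20-octet IPv4 header (ICMP, 192.168.1.2 ->
# 192.168.1.1, checksum left zero) with no options.
IPV4_HDR = bytes.fromhex("45000014000100004001000" "0c0a80102c0a80101")
# Constructed frame 1: received from an Ethernet interface, unicast to us.
SAMPLE_FROM_ETH = build_sll(0, ARPHRD_ETHER, bytes.fromhex("001122334455"), 0x0800, IPV4_HDR)
# Constructed frame 2: sent by us, IPv6 EtherType, same (assumed) MAC.
SAMPLE_SENT_BY_US = build_sll(4, ARPHRD_ETHER, bytes.fromhex("001122334455"), 0x86DD, b"\x60" + b"\x00" * 39)

if __name__ == "__main__":
    for frame in (SAMPLE_FROM_ETH, SAMPLE_SENT_BY_US):
        f = parse_sll(frame)
        print(f["pkttype_name"], f["src_mac"], f["proto_name"], len(f["payload"]), "payload octets")
        print("  filter:", wireshark_filter(f))
```

The address handling is the part worth copying into any real tooling: a cooked header always carries 8 address octets, so a parser must trust sll.halen rather than the field width, and must accept halen == 0 (no sender address, as on PPP) without treating the zero padding as a MAC address.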


Wireshark display filters


sll: matches SLL-based traffic

sll.pkttype: filters on Packet type, e.g. sll.pkttype == 0

sll.hatype: filters on the link-layer address type (ARPHRD_ value), e.g. sll.hatype == 1

sll.halen: filters on the link-layer address length, e.g. sll.halen == 6

sll.src.eth: filters on the source MAC address, e.g. sll.src.eth == 00:00:00:00:00:00

sll.etype: filters on the protocol type, e.g. sll.etype == 0x0800