How to write PCAP capture file header?
Without using libpcap I am trying to write a log file that adheres to the pcap file format (format). This file needs to be readable by WireShark. So far I've written this in C++:
struct pcapFileHeader {
uint32_t magic_numb开发者_如何学Cer; /* magic number */
uint16_t version_major; /* major version number */
uint16_t version_minor; /* minor version number */
int16_t thiszone; /* GMT to local correction */
uint32_t sigfigs; /* accuracy of timestamps */
uint32_t snaplen; /* max length of captured packets, in octets */
uint32_t network; /* data link type */
};
ofstream fileout;
fileout.open("file.pcap", ios::trunc);
pcapFileHeader fileHeader;
fileHeader.magic_number = 0xa1b2c3d4;
fileHeader.version_major = 2;
fileHeader.version_minor = 4;
fileHeader.thiszone = 0;
fileHeader.sigfigs = 0;
fileHeader.snaplen = 65535; //(2^16)
fileHeader.network = 1; //Ethernet
fileout << fileHeader.magic_number <<
fileHeader.version_major <<
fileHeader.version_minor <<
fileHeader.thiszone <<
fileHeader.sigfigs <<
fileHeader.snaplen <<
fileHeader.network;
fileout.close();
So this should make a blank capture file, but when I open it in Wireshark I am greeted with:
The file "hello.pcap" appears to have been cut short in the middle of a packet or other data.
I've tried opening the output file in binary mode but that didn't help. I would post this in the WireShark forum, but I think this is user error, not something wrong with WireShark.
Help would be much appreciated.
<< writes the numbers formatted as text (e.g., the five-character string "65535" instead of four bytes representing that number).
To output binary data open the file with ios::binary and use write. This statement will write the entire header:
fileout.write(reinterpret_cast<const char*>(&fileHeader),
sizeof fileHeader);
The endianness is detected by the reader, so this is portable as long as there's no padding between the struct members.
Note that thiszone should be int32_t.
加载中,请稍侯......
精彩评论