prism capture header: what does "capture" mean?

Ethereal can capture packets from the network and dissect them. The following describes how to use Ethereal on Windows.

Installation
1) Install WinPcap, download address: http://netgroup-serv.polito.it/winpcap/install/Default.htm
2) Install Ethereal, download address: /

Usage
It is a Windows program and very simple to use. After starting Ethereal, choose the menu Capture -> Start and that is all. When you want to stop capturing, click Stop; the captured packets are shown in the panel, already dissected. Below is a screenshot:

Ethereal usage: Capture options
Interface: which interface (network card) to capture on. Usually there is only one card, so the default is fine.
Limit each packet: cap the number of bytes kept from each packet; unlimited by default.
Capture packets in promiscuous mode: whether to enable promiscuous mode, in which the card passes up every frame it hears rather than only frames addressed to it (or to broadcast/multicast). Normally you only need the packets this host receives or sends, so the option can be left off.
Filter: capture filter; only packets matching the filter are captured (can be skipped for now).
File: to write the captured packets to a file, enter the file name here.
Use ring buffer: whether to use a ring buffer. Off by default, i.e. capture without limit. Note that the ring buffer only applies when writing to a file; if you use it, you also set the number of files and the file size at which to roll over.
Leave the other options at their defaults.

Ethereal capture filters
A capture filter selects the packets of interest while capturing. Capture filters use the libpcap filter language, explained in detail in the tcpdump manual page; the basic structure is:
  [not] primitive [and|or [not] primitive ...]
In my view there are two ways to get at particular packets, and either will do; I prefer the second:
1) Define a capture filter before capturing, so that only the chosen types of packets are captured at all.
2) Capture everything the host receives or sends without discrimination, then use the display filters introduced in the next section to make Ethereal show only the packets you want.

Ethereal display filters (the important part)
Once a capture is complete, display filters find the packets of interest by 1) protocol, 2) presence of a field, 3) field value, or 4) comparison between field values. For example, to see only TCP packets, type tcp in the Filter box at the bottom left of the Ethereal window and press Enter; Ethereal then displays only TCP packets, as in the figure below:

Value comparison expressions are built with these operators:
  Words   C-style   Example
  eq      ==        ip.addr == 10.1.10.20
  ne      !=        ip.addr != 10.1.10.20
  gt      >         frame.pkt_len > 10
  lt      <         frame.pkt_len < 10
  ge      >=        frame.pkt_len >= 10
  le      <=        frame.pkt_len <= 10

Expressions are combined with these logical operators:
  Words   C-style   Meaning and example
  and     &&        logical AND, e.g. ip.addr == 10.1.10.20 && tcp.flags.fin
  or      ||        logical OR, e.g. ip.addr == 10.1.10.20 || ip.addr == 10.1.10.21
  xor     ^^        exclusive OR, e.g. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] ==
  not     !         logical NOT, e.g. !llc

For example: to see every HTTP packet received or sent by the host with IP address 192.168.2.10, the appropriate display filter is:
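The following is an added example and not part of the original article: a small Python evaluator for exactly the operator set in the two tables above, applied to a few constructed packet records that use Wireshark-style field names. It also demonstrates the one trap in the table worth knowing: because ip.addr occurs twice per packet (source and destination), under the any-occurrence rule used by Ethereal (and by Wireshark before 3.6) "ip.addr != 10.1.10.20" keeps almost every packet, and "!(ip.addr == 10.1.10.20)" is the way to exclude a host.

```python
"""Evaluator for the Ethereal display-filter operators tabulated above: eq/==, ne/!=, gt/>,
lt/<, ge/>=, le/<=, and/&&, or/||, xor/^^, not/!, parentheses, and a bare protocol or field
name meaning "present".  Added example, not Ethereal's code; the packet records are constructed."""
import re

TOKEN_RE = re.compile(r"\s*(\(|\)|==|!=|>=|<=|>|<|&&|\|\||\^\^|!|[A-Za-z_][\w.]*|\d[\w.]*)")
WORD_OPS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
            "and": "&&", "or": "||", "xor": "^^", "not": "!"}
CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def tokenize(text):
    # Word operators (eq, and, ...) are normalised to their C-style forms.
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError("bad filter near %r" % text[pos:])
        tokens.append(WORD_OPS.get(m.group(1), m.group(1)))
        pos = m.end()
    return tokens

def _coerce(x):
    # Literals that parse as integers (decimal or 0x..) compare numerically, the rest as text.
    try:
        return int(x, 0) if isinstance(x, str) else x
    except ValueError:
        return x

class Filter:
    """Recursive-descent parser: || binds loosest, then ^^, then &&, then ! (tightest)."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.tree = self._or()
        if self.i != len(self.toks):
            raise SyntaxError("unexpected token %r" % self.toks[self.i])
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        if self.i >= len(self.toks):
            raise SyntaxError("filter ends too early")
        self.i += 1
        return self.toks[self.i - 1]
    def _binary(self, op, sub):
        node = sub()
        while self._peek() == op:
            node = (self._take(), node, sub())
        return node
    def _or(self): return self._binary("||", self._xor)
    def _xor(self): return self._binary("^^", self._and)
    def _and(self): return self._binary("&&", self._not)
    def _not(self):
        if self._peek() == "!":
            self._take()
            return ("!", self._not())
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise SyntaxError("missing )")
            return node
        field = self._take()
        if self._peek() in CMP:
            return ("cmp", field, self._take(), self._take())
        return ("has", field)            # bare name: protocol or field present in the packet
    def matches(self, pkt):
        return self._eval(self.tree, pkt)
    def _eval(self, node, pkt):
        tag = node[0]
        if tag == "has":
            return node[1] in pkt
        if tag == "!":
            return not self._eval(node[1], pkt)
        if tag in ("&&", "||", "^^"):
            a, b = self._eval(node[1], pkt), self._eval(node[2], pkt)
            return {"&&": a and b, "||": a or b, "^^": a != b}[tag]
        _, field, op, literal = node
        values = pkt.get(field, [])
        values = values if isinstance(values, list) else [values]
        # Ethereal/older-Wireshark rule: a comparison holds if ANY occurrence of the field
        # satisfies it.  ip.addr carries both src and dst, so "ip.addr != X" is true for
        # nearly every packet; to exclude a host write "!(ip.addr == X)".
        return any(CMP[op](_coerce(v), _coerce(literal)) for v in values)

# Constructed packet records in Wireshark field-name style (not real captured traffic).
PACKETS = [
    {"ip": 1, "tcp": 1, "http": 1, "frame.len": 66, "tcp.flags.fin": 0, "ip.addr": ["192.168.2.10", "93.184.216.34"]},
    {"ip": 1, "tcp": 1, "http": 1, "frame.len": 1514, "tcp.flags.fin": 0, "ip.addr": ["93.184.216.34", "192.168.2.10"]},
    {"ip": 1, "tcp": 1, "frame.len": 60, "tcp.flags.fin": 1, "ip.addr": ["192.168.2.10", "10.1.10.20"]},
    {"ip": 1, "udp": 1, "dns": 1, "frame.len": 90, "ip.addr": ["10.1.10.20", "10.1.10.21"]},
]

def select(text, packets=PACKETS):
    """Indices of the packets that a display filter would leave visible."""
    flt = Filter(text)
    return [i for i, pkt in enumerate(packets) if flt.matches(pkt)]
```

select("ip.addr == 192.168.2.10 && http") returns the two records that answer the 192.168.2.10/HTTP question posed above, while select("ip.addr != 10.1.10.20") returns all four records, including the two that involve 10.1.10.20. Wireshark 3.6 and later redefined "!=" to mean "all occurrences differ", so the trap only bites on Ethereal and older Wireshark; the parenthesised negation works the same everywhere.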
Using protocol plugins in Ethereal
Ethereal supports many protocols, but some can only be decoded after a plugin is installed, H.323 for instance. Taking H.323 as the example: first download the H.323 plugin for Ethereal from http://www.voice2sniff.org/ and extract the file (h323.dll) into the plugin/0.9.x directory under the Ethereal installation directory (0.9.11 in my case). Then configure it:
1) Start Ethereal
2) Menu Edit -> Preferences
3) Click the "+" in front of Protocols to expand it
4) Find Q931 and click it
5) Make sure "Desegment ... TCP segments" is checked (the box is pressed in)
6) Click TCP
7) Make sure "Allow ... TCP streams" is checked
8) Make sure "Check ... TCP checksum" and "Use ... sequence numbers" are NOT checked
9) Click TPKT
10) Make sure "Desegment ... TCP segments" is checked
11) Click Save, then Apply, then OK
Alternatively, you can simply keep reinstalling the latest WinPcap and Ethereal releases, so that you never need to add plugins to an old Ethereal version to support new protocols. Either way, bear in mind that a plugin is a DLL loaded into the Ethereal process and that its dissector parses traffic taken from the network, so only install plugins obtained from a source you trust.
Supported protocol dissectors
759 protocols can currently be dissected:
3COMXNS, 3GPP2 A11, 802.11 MGT, 802.11 Radiotap, 802.3 Slow protocols, 9P, AAL1, AAL3/4, AARP, ACAP, ACN, ACP133, ACSE, ACtrace, ADP, AFP, AFS (RX), AH, AIM, AIM Administration, AIM Advertisements, AIM BOS, AIM Buddylist, AIM Chat, AIM ChatNav, AIM Directory, AIM Email, AIM Generic, AIM ICQ, AIM Invitation, AIM Location, AIM Messaging, AIM OFT, AIM Popup, AIM SSI, AIM SST, AIM Signon, AIM Stats, AIM Translate, AIM User Lookup, AJP13, ALC, ALCAP, AMR, ANS, ANSI BSMAP, ANSI DTAP, ANSI IS-637-A Teleservice, ANSI IS-637-A Transport, ANSI IS-683-A (OTA (Mobile)), ANSI IS-801 (Location Services (PLD)), ANSI MAP, AODV, AOE, ARCNET, ARP/RARP, ARTNET, ASAP, ASF, ASN1, ASP, ATM, ATM LANE, ATP, ATSVC, AVS WLANCAP, AX4000, AgentX, Armagetronad, Auto-RP, BACapp, BACnet, BEEP, BER, BFD Control, BGP, BICC, BOFL, BOOTP/DHCP, BOOTPARAMS, BOSSVR, BROWSER, BSSAP, BSSGP, BUDB, BUTC, BVLC, Basic Format XID, BitTorrent, Boardwalk, CAMEL, CAST, CBAPDev, CCSDS, CCSRL, CDP, CDS_CLERK, CDT, CFLOW, CGMP, CHDLC, CIGI, CIMD, CIP, CISCOWL-L2, CLDAP, CLEARCASE, CLNP, CLTP, CMIP, CMP, CMS, CONV, COPS, COSEVENTCOMM, COSNAMING, COTP, CPFI, CPHA, CRMF, CSM_ENCAPS, CUPS, CoSine, DAAP, DAP, DCCP, DCERPC, DCE_DFS, DCOM, DCP, DDP, DDTP, DEC_DNA, DEC_STP, DFS, DHCPFO, DHCPv6, DIAMETER, DIS, DISP, DISTCC, DLSw, DLT User A, DLT User B, DLT User C, DLT User D, DNP 3.0, DNS, DNSSERVER, DOCSIS, DOCSIS BPKM-ATTR, DOCSIS BPKM-REQ, DOCSIS BPKM-RSP, DOCSIS DCC-ACK, DOCSIS DCC-REQ, DOCSIS DCC-RSP, DOCSIS DCD, DOCSIS DSA-ACK, DOCSIS DSA-REQ, DOCSIS DSA-RSP, DOCSIS DSC-ACK, DOCSIS DSC-REQ, DOCSIS DSC-RSP, DOCSIS DSD-REQ, DOCSIS DSD-RSP, DOCSIS INT-RNG-REQ, DOCSIS MAC MGMT, DOCSIS MAP, DOCSIS REG-ACK, DOCSIS REG-REQ, DOCSIS REG-RSP, DOCSIS RNG-REQ, DOCSIS RNG-RSP, DOCSIS TLVs, DOCSIS UCC-REQ, DOCSIS UCC-RSP, DOCSIS UCD, DOCSIS VSIF, DOCSIS type29ucd, DOP, DRSUAPI, DSI, DSP, DSSETUP, DTP, DTSPROVIDER, DTSSTIME_REQ, DUA, DVMRP, Data, E.164, E.212, EAP, EAPOL, ECHO, EDONKEY, EDP, EFS, EIGRP, ENC, ENIP, ENRP, ENTTEC, 
EPM, EPMv4, ESIS, ESP, ESS, ETHERIC, ETHERIP, EVENTLOG, Ethernet, FC, FC ELS, FC FZS, FC-FCS, FC-SB3, FC-SP, FC-SWILS, FC-dNS, FCIP, FCP, FC_CT, FDDI, FIX, FLDB, FR, FRSAPI, FRSRPC, FTAM, FTBP, FTP, FTP-DATA, FTSERVER, FW-1, Frame, G.723, GIF image, GIOP, GMRP, GNM, GNUTELLA, GPRS NS, GPRS-LLC, GRE, GSM BSSMAP, GSM DTAP, GSM RP, GSM SMS, GSM SMS UD, GSM_MAP, GSM_SS, GSS-API, GTP, GVRP, Gryphon, H.223, H.225.0, H.235, H.245, H.261, H.263, H.263 data, H1, H248, HCLNFSD, HPEXT, HPSW, HSRP, HTTP, HyperSCSI, IAP, IAPP, IAX2, IB, ICAP, ICBAAccoCB, ICBAAccoCB2, ICBAAccoMgt, ICBAAccoMgt2, ICBAAccoServ, ICBAAccoServ2, ICBAAccoServSRT, ICBAAccoSync, ICBABrowse, ICBABrowse2, ICBAGErr, ICBAGErrEvent, ICBALDev, ICBALDev2, ICBAPDev, ICBAPDev2, ICBAPDevPC, ICBAPDevPCEvent, ICBAPersist, ICBAPersist2, ICBARTAuto, ICBARTAuto2, ICBAState, ICBAStateEvent, ICBASysProp, ICBATime, ICEP, ICL_RPC, ICMP, ICMPv6, ICP, ICQ, IDP, IDispatch, IEEE 802.11, IEEE802a, IGAP, IGMP, IGRP, ILMI, IMAP, INAP, INITSHUTDOWN, IOXIDResolver, IP, IP/IEEE1394, IPComp, IPDC, IPFC, IPMI, IPP, IPVS, IPX, IPX MSG, IPX RIP, IPX SAP, IPX WAN, IPv6, IRC, IRemUnknown, IRemUnknown2, ISAKMP, ISDN, ISIS, ISL, ISMP, ISUP, ISystemActivator, IUA, IrCOMM, IrLAP, IrLMP, IuUP, JFIF (JPEG) image, JXTA, JXTA Message, Jabber, Juniper, K12xx, KADM5, KINK, KLM, KRB4, KRB5, KRB5RPC, Kpasswd, L2TP, LANMAN, LAPB, LAPBETHER, LAPD, LDAP, LDP, LGE_Monitor, LLAP, LLC, LLDP, LMI, LMP, LOOP, LPD, LSA, LWAPP, LWAPP-CNTL, LWAPP-L3, LWRES, Laplink, Line-based text data, Log, LogotypeCertExtn, Lucent/Ascend, M2PA, M2TP, M2UA, M3UA, MACC, MAPI, MAP_DialoguePDU, MATE, MDS Header, MEGACO, MGCP, MGMT, MIME multipart, MIPv6, MMS, MMSE, MOUNT, MPEG1, MPLS, MPLS Echo, MQ, MQ PCF, MRDISC, MS NLB, MS Proxy, MSDP, MSMMS, MSNIP, MSNMS, MSRP, MTP2, MTP3, MTP3MG, Manolito, Media, Messenger, Mobile IP, Modbus/TCP, MySQL, NBAP, NBDS, NBIPX, NBNS, NBP, NBSS, NCP, NCS, NDMP, NDPS, NFS, NFSACL, NFSAUTH, NHRP, NIS+, NIS+ CB, NJACK, NLM, NLSP, NMAS, NMPI, NNTP, 
NORM, NSIP, NSPI, NS_CERT_EXTS, NTLMSSP, NTP, NW_SERIAL, NetBIOS, Netsync, Null, OAM AAL, OCSP, OICQ, OLSR, OPSI, OSPF, PACKETCABLE, PAGP, PAP, PARLAY, PCLI, PCNFSD, PER, PFLOG, PFLOG-OLD, PGM, PGSQL, PIM, PKCS-1, PKIX Certificate, PKIX1EXPLICIT, PKIX1IMPLICIT, PKIXPROXY, PKIXQUALIFIED, PKIXTSP, PKInit, PKT CCC, PKTC, PN-DCP, PN-RT, PNIO, PNP, POP, PPP, PPP BACP, PPP BAP, PPP BCP, PPP CBCP, PPP CCP, PPP CDPCP, PPP CHAP, PPP Comp, PPP IPCP, PPP IPV6CP, PPP LCP, PPP MP, PPP MPLSCP, PPP OSICP, PPP PAP, PPP PPPMux, PPP PPPMuxCP, PPP VJ, PPP-HDLC, PPPoED, PPPoES, PPTP, PRES, PTP, PVFS, P_MUL, Portmap, Prism, Q.2931, Q.931, Q.933, QLLC, QUAKE, QUAKE2, QUAKE3, QUAKEWORLD, R-STP, RADIUS, RANAP, RDM, RDT, REMACT, REP_PROC, RIP, RIPng, RLM, RMCP, RMI, RMP, RNSAP, ROS, RPC, RPC_BROWSER, RPC_NETLOGON, RPL, RQUOTA, RRAS, RSH, RSTAT, RSVP, RSYNC, RS_ACCT, RS_ATTR, RS_BIND, RS_PGO, RS_PLCY, RS_REPADM, RS_REPLIST, RS_UNIX, RTCP, RTMP, RTP, RTP Event, RTPS, RTSE, RTSP, RTcfg, RTmac, RUDP, RWALL, RX, Raw, Raw_SIP, Raw_SigComp, Redback, Rlogin, SADMIND, SAMR, SAP, SCCP, SCCPMG, SCSI, SCTP, SDLC, SDP, SEBEK, SECIDMAP, SES, SGI MOUNT, SIGCOMP, SIP, SIPFRAG, SIR, SKINNY, SLARP, SLL, SM, SMB, SMB Mailslot, SMB Pipe, SMB2, SMB_NETLOGON, SMPP, SMRSE, SMTP, SMUX, SNA, SNA XID, SNAETH, SNDCP, SNMP, SONMP, SPNEGO, SPNEGO-KRB5, SPOOLSS, SPP, SPRAY, SPX, SRP, SRVLOC, SRVSVC, SSCF-NNI, SSCOP, SSH, SSL, SSS, STANAG 4406, STANAG 5066, STAT, STAT-CB, STP, STUN, SUA, SVCCTL, Serialization, SliMP3, Socks, SoulSeek, Symantec, Synergy, Syslog, T.30, T.38, TACACS, TACACS+, TALI, TANGO, TAPI, TCAP, TCP, TDMA, TDS, TEI_MANAGEMENT, TELNET, TFTP, TIME, TIPC, TKN4Int, TNS, TPCP, TPKT, TR MAC, TRKSVR, TSP, TTP, TUXEDO, TZSP, Teredo, Token-Ring, UBIKDISK, UBIKVOTE, UCP, UDP, UDPENCAP, UDPlite, UMA, V.120, V5UA, VLAN, VNC, VRRP, VTP, Vines ARP, Vines Echo, Vines FRP, Vines ICP, Vines IP, Vines IPC, Vines LLC, Vines RTP, Vines SPP, WAP SIR, WBXML, WCCP, WCP, WHDLC, WHO, WINREG, WINS-Replication, WKSSVC, 
WLANCERTEXTN, WSP, WTLS, WTP, X.25, X.29, X11, X411, X420, X509AF, X509CE, X509IF, X509SAT, XDMCP, XML, XOT, XYPLEX, YHOO, YMSG, YPBIND, YPPASSWD, YPSERV, YPXFR, ZEBRA, ZIP, cds_solicit, cprpc_server, dc, dce_update, dicom, giFT, h221nonstd, h450, iFCP, iSCSI, iSNS, isup_thin, itunes, llb, message/http, nettl, rdaclif, roverride, rpriv, rs_attr_schema, rs_misc, rs_prop_acct, rs_prop_acl, rs_prop_attr, rs_prop_pgo, rs_prop_plcy, rs_pwd_mgmt, rs_repmgr, rsec_login, rss, sFlow, smil,
无线局域网数据采集方法与安全检测技术研究 (PDF, 63 pages)

STUDY OF WIRELESS LAN DATA COLLECTION METHODS AND SECURITY DETECTION TECHNOLOGY
A Dissertation submitted in fulfillment of the requirements of the degree of MASTER OF PHILOSOPHY from Shandong University of Science and Technology
by LIU Yinghui
Supervisor: Researcher WANG Yinglong
College of Information Science and Engineering
May 2010

Declaration
This master's thesis submitted to Shandong University of Science and Technology is, apart from the listed references and generally acknowledged literature, entirely my own research carried out under my supervisor's guidance. The material in this thesis has not been submitted to any other academic institution for assessment.
Candidate's signature:    Date:

AFFIRMATION
I declare that this dissertation, submitted in fulfillment of the requirements for the award of Master of Philosophy in Shandong University of Science and Technology, is wholly my own work unless referenced or acknowledged. The document has not be
The wireless side of Wireshark - SharkFest
WLAN (IEEE 802.11) capture setup
The following explains capturing on 802.11 wireless networks. If you are only trying to capture network traffic between the machine running Wireshark or TShark and other machines on the network, are only interested in regular network data rather than 802.11 management or control packets, and are not interested in radio-layer information about packets such as signal strength and data rates, you should be able to do this by capturing on the network interface through which the packets will be transmitted; no special setup should be necessary.

(If you're trying to capture network traffic between processes running on the machine running Wireshark or TShark, i.e. network traffic from that machine to itself, you will need to capture on a loopback interface, if that's possible; see the loopback capture setup page.)

If you're trying to capture network traffic that's not being sent to or from the machine running Wireshark or TShark, i.e. traffic between two or more other machines on an Ethernet segment, or are interested in 802.11 management or control packets, or are interested in radio-layer information about packets, you will probably have to capture in "monitor mode". This is discussed below.

Without any interaction, capturing on WLANs may capture only user data packets with "fake" Ethernet headers. In this case, you won't see any 802.11 management or control packets at all, and the 802.11 packet headers are "translated" by the network driver to "fake" Ethernet packet headers.

An 802.11 LAN uses a "broadcast medium", much like (the mostly obsolete shared) Ethernet. Compared to Ethernet, the 802.11 network is even "broader", as the transmitted packets are not limited by the cable medium. That's one of the reasons why 802.11 network adapters have two additional mechanisms to ignore unwanted packets at the receiving side: channels and SSIDs.

Conclusion: the packets you'll be capturing with default settings might be modified, and only a limited number of the packets transmitted through the WLAN. The following will provide some 802.11 network details, and will describe how to disable the translation/filtering and see what's "really" going on inside your WLAN. Unfortunately, changing the 802.11 capture modes is very platform/network adapter/driver/libpcap dependent, and might not be possible at all (Windows is very limited here).
From: lookforward (lookforward), Board: NetPRG
Subject: A question about the timestamps of pcap packets as read in Wireshark
Posted: 水木社区 (Tue Aug 7 12:01:47 2012), relayed

See the attachment. The packets were captured while a real indoor 802.11 WLAN was in operation. Downloaded from some website
What I would like to ask is: why do adjacent captured packets have identical timestamps, while later on, as time goes by, the timestamps that do differ mostly differ by about 0.03 s? Is it because tcpdump captures packets periodically, on a fixed cycle? (That shouldn't be how it works, should it?)
If I want a more accurate time for when this packet was actually on the network (the time it occupied the link), should I look at the MAC timestamp in the Prism capture header?
Many thanks!
--
※ Source: 水木社区 [FROM: 166.111.64.*]

From: lookforward (lookforward), Board: NetPRG
Subject: Re: A question about the timestamps of pcap packets as read in Wireshark
Posted: 水木社区 (Tue Aug 7 20:31:18 2012), local

Oh, thanks, I roughly understand now.
The main thing is that the timestamp tcpdump (or Wireshark) reads out (the one in the picture I posted) can also be read by a C program from the timeval ts in struct pcap_pkthdr, so I had assumed that this timestamp was fixed by the original pcap file; I did not know it also depends on the tcpdump version?
And the prism header also defines a timestamp, which when read out differs slightly from the microsecond part of the timeval ts above.
So, to sum up, the accurate time should be taken from the prism header rather than from struct pcap_pkthdr, because the latter may lose precision for *** reasons and is not necessarily accurate? (Though I don't think it should differ by tcpdump; could it differ by the pcap library on Ubuntu?)
I don't know this area well and am only guessing; please advise.
[In the post by apo (yun):]
: Doesn't this document say it clearly:
: . mactime.data: the microsecond portion of the capture time
: . mactime.did: the second portion of the capture time
: ...................

--
※ Source: 水木社区 newsmth.net [FROM: 166.111.64.*]
From: apo (yun), Board: NetPRG
Subject: Re: A question about the timestamps of pcap packets as read in Wireshark
Posted: 水木社区 (Tue Aug 7 21:01:29 2012), local

I have not looked closely at the pcap format. But I remember the official manual stating this point quite plainly: the format may change, and there is no guarantee that tcpdump on different systems or of different versions reads it out with the original precision intact.
[In the post by lookforward (lookforward):]
: Subject: Re: A question about the timestamps of pcap packets as read in Wireshark
: Posted: 水木社区 (Tue Aug 7 20:31:18 2012), local
: Oh, thanks, I roughly understand now.
: The main thing is that the timestamp tcpdump (or Wireshark) reads out (the one in the picture I posted) can also be read by a C program from the timeval ts in struct pcap_pkthdr, so I had assumed that this timestamp was fixed by the original pcap file; I did not know it also depends on the tcpdump version?
: And the prism header also defines a timestamp, which when read out differs slightly from the microsecond part of the timeval ts above.
: So, to sum up, the accurate time should be taken from the prism header rather than from struct pcap_pkthdr, because the latter may lose precision for *** reasons and is not necessarily accurate? (Though I don't think it should differ by tcpdump; could it differ by the pcap library on Ubuntu?)
: I don't know this area well and am only guessing; please advise.
: [In the post by apo (yun):]
: : Doesn't this document say it clearly:
: : . mactime.data: the microsecond portion of the capture time
: : . mactime.did: the second portion of the capture time
: : ...................
: ※ Source: 水木社区 newsmth.net [FROM: 166.111.64.*]
Software Is Harder Than Hardware!
※ Source: 水木社区 newsmth.net [FROM: 123.122.64.*]
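Added example, not taken from the capture-setup text or from the forum thread above: a pure-Python reader for what both passages describe at the byte level. It parses a classic little-endian pcap, rejects an Ethernet-framed capture (the "fake Ethernet header" case, in which no 802.11 management or control frames can be present), splits each DLT_PRISM_HEADER record into the Prism monitor header and the 802.11 frame, classifies the frame from its Frame Control byte, and compares the libpcap host timestamp (the ts field of struct pcap_pkthdr) with the adapter's MAC timer carried in the Prism header. The Prism item layout and DIDs follow the linux-wlan-ng definition as I understand it and are an assumption here; mactime is treated as the adapter's 32-bit microsecond timer, a different clock from the host's that wraps about every 71.6 minutes, rather than the convention quoted in the thread. The sample capture (one beacon, one ACK) is constructed.

```python
"""Read a WLAN capture in classic pcap format: check the link-layer type, split
DLT_PRISM_HEADER records into Prism header + 802.11 frame, classify the frame
from its Frame Control byte, and compare the libpcap host timestamp with the
adapter's MAC timer.  Added example; the Prism item layout and DIDs follow the
linux-wlan-ng definition as assumed here, and the sample capture is constructed."""
import struct

DLT_EN10MB = 1              # Ethernet: what a WLAN adapter hands up without monitor mode
DLT_IEEE802_11 = 105        # raw 802.11 frames
DLT_PRISM_HEADER = 119      # 802.11 frames preceded by the Prism monitor header
DLT_IEEE802_11_RADIO = 127  # 802.11 frames preceded by a radiotap header (not parsed here)

PRISM_ITEMS = ["hosttime", "mactime", "channel", "rssi", "sq",
               "signal", "noise", "rate", "istx", "frmlen"]  # fixed order, 12 bytes each
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MAC_TIMER_WRAP = 1 << 32    # the mactime item is a 32-bit microsecond counter

def parse_pcap(blob):
    """Return (linktype, [(ts_sec, ts_usec, payload), ...]) from a little-endian pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap (magic %#x)" % magic)
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records

def parse_prism(payload):
    """Split one DLT_PRISM_HEADER payload into ({item: value}, frame_bytes)."""
    _msgcode, msglen = struct.unpack_from("<II", payload, 0)
    items, off = {}, 24                       # 8-byte preamble + 16-byte devname
    for name in PRISM_ITEMS:
        _did, status, _len, data = struct.unpack_from("<IHHI", payload, off)
        items[name] = data if status == 0 else None   # nonzero status: driver left it unset
        off += 12
    return items, payload[msglen:]            # use msglen, not a fixed 144, to find the frame

def frame_kind(frame):
    """Decode the first 802.11 Frame Control byte into (type name, subtype number)."""
    fc0 = frame[0]
    return FRAME_TYPES.get((fc0 >> 2) & 0x3, "reserved"), fc0 >> 4

def summarize(blob):
    """One dict per record: host timestamp in us, MAC timer, channel, frame type/subtype."""
    linktype, records = parse_pcap(blob)
    if linktype == DLT_EN10MB:
        raise ValueError("Ethernet-framed capture: the driver translated the 802.11 headers "
                         "away, so no management or control frames can be present")
    if linktype not in (DLT_IEEE802_11, DLT_PRISM_HEADER):
        raise ValueError("link type %d is not handled by this example" % linktype)
    out = []
    for ts_sec, ts_usec, payload in records:
        items, frame = parse_prism(payload) if linktype == DLT_PRISM_HEADER else ({}, payload)
        kind, subtype = frame_kind(frame)
        out.append({"host_us": ts_sec * 1_000_000 + ts_usec, "mactime": items.get("mactime"),
                    "channel": items.get("channel"), "type": kind, "subtype": subtype})
    return out

def clock_deltas(summary):
    """For consecutive records: (host delta in us, MAC-timer delta in us modulo its wrap)."""
    pairs = [(a, b) for a, b in zip(summary, summary[1:])
             if a["mactime"] is not None and b["mactime"] is not None]
    return [(b["host_us"] - a["host_us"], (b["mactime"] - a["mactime"]) % MAC_TIMER_WRAP)
            for a, b in pairs]

# --- constructed sample: a beacon and, 30 ms later, an ACK, both on channel 6 ---
def _prism(mactime, channel, frmlen):
    hdr = struct.pack("<II", 0x41, 144) + b"wlan0".ljust(16, b"\0")
    vals = [0, mactime, channel, 30, 0, 40, 5, 2, 0, frmlen]        # hosttime .. frmlen
    for i, val in enumerate(vals):                                  # DIDs 0x1041 .. 0xA041
        hdr += struct.pack("<IHHI", ((i + 1) << 12) | 0x41, 0, 4, val)  # status 0 = present
    return hdr

def _pcap(linktype, records):
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, payload in records:
        blob += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return blob

BEACON = bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x00\x00"
ACK = bytes([0xD4, 0, 0, 0]) + b"\x00\x11\x22\x33\x44\x55"
SAMPLE = _pcap(DLT_PRISM_HEADER, [
    (1344312107, 0, _prism(4294960000, 6, len(BEACON)) + BEACON),  # timer 7296 us short of 2**32
    (1344312107, 30000, _prism(22704, 6, len(ACK)) + ACK),         # timer has wrapped meanwhile
])

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
    print(clock_deltas(summarize(SAMPLE)))   # [(30000, 30000)]: both clocks agree once unwrapped
```

The host timestamp records when libpcap received the frame from the driver, and the MAC timer records when the radio received it, so the two are different clocks and should not be mixed: frames the driver delivers in one batch can carry identical host timestamps while their MAC timers differ. MAC-timer differences are taken modulo 2^32 because the counter wraps, which the sample triggers on purpose.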