[英]Whole packet length Scapy
I am capturing WiFi traffic with tcpdump using the parameter -s 100
(which means I am only capturing the headers of the packets).我正在使用参数
-s 100
使用 tcpdump 捕获 WiFi 流量(这意味着我只捕获数据包的标头)。
When I load the .pcap file and process it with Scapy I do:当我加载 .pcap 文件并使用 Scapy 处理它时,我会这样做:
pkts = rdpcap(pcapfile)
totalbytes = 0
for pkt in pkts:
totalbytes += len(pkt)
However, as I am truncating the capture, doing len(pkt)
will not give me the whole packet length ( frame length ), it will give me the captured packet length .但是,当我截断捕获时,执行
len(pkt)
不会给我整个数据包长度(帧长度),它会给我捕获的数据包长度。 How can I get the real packet length?我怎样才能得到真正的数据包长度?
Extra : as I have done in some occasions before, I open the pcap file in wireshark and search for the hex values of interest.额外:正如我之前在某些情况下所做的那样,我在wireshark中打开 pcap 文件并搜索感兴趣的十六进制值。 But in this case ( frame.len ) will show the value I am looking for, but I can't find the way wireshark obtains this real packet length without having the whole packet captured.
但在这种情况下( frame.len )将显示我正在寻找的值,但我无法找到wireshark在没有捕获整个数据包的情况下获取这个真实数据包长度的方式。
The rdpcap
function uses the PcapReader
class for reading packets. rdpcap
函数使用PcapReader
类来读取数据包。 Unfortunately this class discards the information you are looking for in the read_packet
method, even though it is to be found in the pcap file.不幸的是,这个类丢弃了你在
read_packet
方法中寻找的信息,即使它是在 pcap 文件中找到的。 So you have to use the RawPcapReader
directly.所以你必须直接使用
RawPcapReader
。
totalbytes = 0
for pkt, (sec, usec, wirelen) in RawPcapReader(pcapfile):
totalbytes += wirelen
If for some reason you don't want to use RawPcapReader, you can use the len
attribute for IPv4 packets.如果由于某种原因您不想使用 RawPcapReader,您可以对 IPv4 数据包使用
len
属性。
real_length = pkt[IP].len
truncated_length = len(pkt)
Strangely, the IPv6 layer in Scapy doesn't have the same attribute, but it does have an attribute called plen
which is the length of the payload:奇怪的是,Scapy 中的 IPv6 层没有相同的属性,但它确实有一个名为
plen
的属性,它是有效负载的长度:
payload_length = pkt[IPv6].plen
real_length = payload_length + 40
truncated_length = len(pkt)
With modern Scapy versions, the proper answer would be to use pkt.wirelen
.对于现代 Scapy 版本,正确的答案是使用
pkt.wirelen
。 This only exists in packets read from a pcap这仅存在于从 pcap 读取的数据包中
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.