Author: 潮人搭配师er氵ic_161 | Source: Internet | 2023-09-10 22:08
We're sniffing packets using libpcap on Linux. The header we get on each packet looks like:
struct pcap_pkthdr {
    struct timeval ts;   /* time stamp */
    bpf_u_int32 caplen;  /* length of portion present */
    bpf_u_int32 len;     /* length this packet (off wire) */
};
Now, it is my understanding that caplen is the length of the data we have captured while len is the length of the packet on the wire. In some cases (e.g. when setting the snaplen too low when opening the pcap device) we might capture only parts of the packet; that length will be 'caplen', while 'len' is the original length. Thus, caplen should be equal to or less than len, but never greater than len.
Is that a proper understanding? We're seeing caplen > len on some machines.
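The invariant stated in the question (caplen never greater than len) can be checked offline against a saved capture. The following is an added example, not code from the original post or from libpcap: it walks a classic pcap savefile held in memory and counts truncated records and records where caplen exceeds len. The names rec_hdr, audit, usable_len, audit_pcap and audit_sample are hypothetical, and the file is assumed to be in host byte order with the microsecond magic 0xa1b2c3d4.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* On-disk record header of a classic pcap savefile: 32-bit timestamps, caplen, len. */
struct rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };
struct audit { unsigned records, truncated, bad_caplen; };

/* Bytes a dissector may treat as packet data: never more than either field. */
uint32_t usable_len(const struct rec_hdr *h) { return h->caplen < h->len ? h->caplen : h->len; }

/* Walk an in-memory savefile and classify every record.
 * Returns 0 on success, -1 if the file is malformed. */
int audit_pcap(const uint8_t *buf, size_t n, struct audit *out)
{
    uint32_t magic;
    size_t off = 24;                        /* size of the global file header */

    memset(out, 0, sizeof *out);
    if (n < 24) return -1;
    memcpy(&magic, buf, 4);
    if (magic != 0xa1b2c3d4u) return -1;    /* assumption: host order, usec format */
    while (n - off >= sizeof(struct rec_hdr)) {
        struct rec_hdr h;
        memcpy(&h, buf + off, sizeof h);
        off += sizeof h;
        if (h.caplen > n - off) return -1;  /* record data runs past the buffer */
        out->records++;
        if (h.caplen > h.len) out->bad_caplen++;      /* breaks caplen <= len */
        else if (h.caplen < h.len) out->truncated++;  /* snaplen cut it short */
        off += h.caplen;                    /* caplen bytes are what is stored */
    }
    return off == n ? 0 : -1;               /* trailing partial header is an error */
}

/* Constructed sample: file header plus three records (full, truncated, caplen > len). */
int audit_sample(struct audit *out)
{
    uint8_t f[24 + 3 * 16 + 4 + 2 + 4] = {0};
    uint32_t magic = 0xa1b2c3d4u;
    struct rec_hdr r[3] = { {0, 0, 4, 4}, {0, 0, 2, 60}, {0, 0, 4, 2} };
    size_t off = 24;
    memcpy(f, &magic, 4);
    for (int i = 0; i < 3; i++) {
        memcpy(f + off, &r[i], sizeof r[i]);
        off += sizeof r[i] + r[i].caplen;   /* payload bytes stay zero */
    }
    return audit_pcap(f, sizeof f, out);
}
```
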
3 solutions