pcap frame content to characters in Erlang
I have pcap frame content in the following format:
[{frame,1,
{1491,213,861700},
87,87,false,
<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,18,
106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,0,0,2,
0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,97,108,0,
0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>},
{ethernet,<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>}]
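Wireshark-style packet dissection
A long time ago I was working with pcap data and wrote code to decode various common packet types.
You can use enet_codec:decode(eth, PktData, [{decode_types, all}])
to convert the data in the pcap frame into a readable packet: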
Data = [{frame,1,
{1491,213,861700},
87,87,false,
<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,18,
106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,0,0,2,
0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,97,108,0,
0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>},
{ethernet,<<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>}].
rr("include/enet_types.hrl"). % Load record definitions into the shell
PktData = element(7, hd(Data)). % Grab the ethernet frame binary
rp(enet_codec:decode(eth, element(7, hd(Data)), [{decode_types, all}])). % Decode and print
#eth{src = "00:50:56:C0:00:08",dst = "01:00:5E:00:00:FB",
type = ipv4,
data = #ipv4{vsn = 4,hlen = 5,diffserv = 0,totlen = 73,
id = 17452,flags = [],frag_offset = 0,ttl = 255,proto = udp,
hdr_csum = correct,
src = <<172,16,216,1>>,
dst = <<224,0,0,251>>,
options = [],
data = #udp{src_port = <<"mdns">>,dst_port = <<"mdns">>,
length = 53,
csum = {incorrect,35598},
data = [{dns_header,0,0,0,0,0,0,0,0,0},
[{dns_query,"_ipp._tcp.local",ptr,in},
{dns_query,"_ipps._ipps._tcp.local",ptr,in}],
[],[],[]]}}}
Convert the list of binary integers to a real representation, the way Wireshark presents it -- how about posting the result you want?
Thanks for your answer. But I cannot fully convert it into the following format (like Wireshark).
0x0000: 45000049 442c 0000 ff11 126a ac10 d801 E..ID....j....
0x0010: e000 00fb 14e9 14e9 0035 8b0e 0000 ......5......
0x0020: 0002 0000 0000 045f 6970 7004 5f74 ......._ipp._
0x0030: 6370 056c 6f63 616c 0000 0C000 0105 5f69 cp.local......_i
0x0040: 7070 73c0 1100 0C000 01 pps......
Oh - do you want a hex dump of the raw bytes or something?
enet_if_dump:hextblock(PktData)
does the offset and hex printing bits. You could extend that code to print the ASCII version after each line of hex, to get the format you mentioned in your comment.
Pkt = <<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>.
% This gives you a giant iolist with the formatted Wireshark style hexdump.
enet_if_dump:hexdump(Pkt).
% To inspect it you need to then do something like:
io:format("~s~n", [enet_if_dump:hexdump(Pkt)]). % which produces:
0x0000: 0100 5e00 00fb 0050 56c0 0008 0800 4500 ..^....PV.....E.
0x0010: 0049 442c 0000 ff11 126a ac10 d801 e000 .ID,.....j......
0x0020: 00fb 14e9 14e9 0035 8b0e 0000 0000 0002 .......5........
0x0030: 0000 0000 0000 045f 6970 7004 5f74 6370 ......._ipp._tcp
0x0040: 056c 6f63 616c 0000 0c00 0105 5f69 7070 .local......_ipp
0x0050: 73c0 1100 0c00 1 s......
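A stand-alone version of the offset/hex/ASCII dump discussed in the answer, as an added example that is not part of the original post or of the enet project. The module name `pkt_hexdump` and its function names are hypothetical. Bytes outside printable ASCII are shown as `.`, so control or escape bytes from captured traffic never reach the terminal.

```erlang
%% Added example (hypothetical module, no enet dependency).
-module(pkt_hexdump).
-export([hexdump/1, demo/0]).

%% Returns an iolist with one "0xOFFS:  hhhh hhhh ...  ascii" line
%% per 16 bytes of input.
hexdump(Bin) when is_binary(Bin) ->
    hexdump(Bin, 0, []).

hexdump(<<>>, _Off, Acc) ->
    lists:reverse(Acc);
hexdump(<<Row:16/binary, Rest/binary>>, Off, Acc) ->
    hexdump(Rest, Off + 16, [line(Off, Row) | Acc]);
hexdump(Short, Off, Acc) ->
    %% Final partial row (1..15 bytes).
    hexdump(<<>>, Off, [line(Off, Short) | Acc]).

line(Off, Row) ->
    Hex = lists:flatten(hex_groups(Row)),
    %% 8 groups of 4 hex digits + 7 spaces = 39 columns; a short last
    %% row is padded so the ASCII column stays aligned.
    io_lib:format("0x~4.16.0b:  ~-39s  ~s~n", [Off, Hex, ascii(Row)]).

%% Two bytes per group, groups separated by a single space.
hex_groups(<<A, B, Rest/binary>>) when Rest =/= <<>> ->
    [io_lib:format("~2.16.0b~2.16.0b ", [A, B]) | hex_groups(Rest)];
hex_groups(<<A, B>>) -> io_lib:format("~2.16.0b~2.16.0b", [A, B]);
hex_groups(<<A>>) -> io_lib:format("~2.16.0b", [A]);
hex_groups(<<>>) -> [].

%% Only printable ASCII is echoed; every other byte becomes a dot.
ascii(Row) ->
    [printable(C) || <<C>> <= Row].

printable(C) when C >= 32, C =< 126 -> C;
printable(_) -> 46.  %% 46 is the character code of "."

demo() ->
    %% Frame bytes copied from the question above.
    Pkt = <<1,0,94,0,0,251,0,80,86,192,0,8,8,0,69,0,0,73,68,44,0,0,255,17,
            18,106,172,16,216,1,224,0,0,251,20,233,20,233,0,53,139,14,0,0,0,
            0,0,2,0,0,0,0,0,0,4,95,105,112,112,4,95,116,99,112,5,108,111,99,
            97,108,0,0,12,0,1,5,95,105,112,112,115,192,17,0,12,0,1>>,
    io:put_chars(hexdump(Pkt)).
```

Compile with `c(pkt_hexdump).` in the Erlang shell and call `pkt_hexdump:demo().` to print the dump of the frame from the question.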