首先,感谢 Stack Overflow 社区。我在这里找到了很多称职的答案,所以我将尝试提出我自己的问题。
我有一个 WinPcap 示例程序,它将我的网络流量“转储”为 Hexcode。 我做了一个简单的服务器/客户端对,它定期发送一些文本(22 字节)。
问题:
在 C++ 中解析此十六进制转储并生成类似于 Wireshark 或 phd 的输出(仅在控制台中)。
在阅读了一些 TCP/IP 引用资料 (1) 之后,我无法确定所有字节的“值” 所以例如有 76 个字节,向后读:
- 前 22 个字节是我的数据;
- 那么,TCP头有20个;
- IP header 为 20,然后是其他一些字节,我不知道它们代表什么。我对 IP 协议(protocol)不是很了解。
这是一个十六进制的例子:
08 00 27 b3 23 63 f4 6d 04 2e 68 24 08 00 45 00
00 3e 31 c4 40 00 80 06 45 9e c0 a8 01 03 c0 a8
01 04 0b 27 04 d2 b0 f7 47 61 28 6c fd a7 50 18
fa f0 8e a0 00 00 48 61 6c 6c 6f 20 64 61 73 20
69 73 74 20 65 69 6e 20 54 65 73 74
问题:
谁能告诉我这些第一个字节是做什么用的,以及
在哪里可以获得网络流量如何构成的(简单)描述?
(1) TCP Reference , IP Reference
最佳答案
我用了Packet Dump Decode并将其解码为以下数据...pdd
将十六进制转储转换为可以在 wireshark 中使用的内容...然后我从 wireshark 信息向后工作以分解数据包...
Ethernet Header
---------------
08 00 27 b3 23 63 f4 6d 04 2e 68 24 08 00
IP Header
---------
45 00 00 3e 31 c4 40 00 80 06 45 9e
c0 a8 01 03 c0 a8 01 04
TCP Header
----------
0b 27 04 d2 b0 f7 47 61 28 6c fd a7 50 18
fa f0 8e a0 00 00
TCP Data Payload
----------------
48 61 6c 6c 6f 20 64 61 73 20
69 73 74 20 65 69 6e 20 54 65 73 74
还有完整的 wireshark 解码...
Frame 1: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
WTAP_ENCAP: 1
Arrival Time: Nov 24, 2012 07:12:54.000000000 Central Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1353762774.000000000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 76 bytes (608 bits)
Capture Length: 76 bytes (608 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp:data]
Ethernet II, Src: AsustekC_2e:68:24 (f4:6d:04:2e:68:24), Dst: CadmusCo_b3:23:63 (08:00:27:b3:23:63)
Destination: CadmusCo_b3:23:63 (08:00:27:b3:23:63)
Address: CadmusCo_b3:23:63 (08:00:27:b3:23:63)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: AsustekC_2e:68:24 (f4:6d:04:2e:68:24)
Address: AsustekC_2e:68:24 (f4:6d:04:2e:68:24)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: 192.168.1.4 (192.168.1.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 62
Identification: 0x31c4 (12740)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x459e [correct]
[Good: True]
[Bad: False]
Source: 192.168.1.3 (192.168.1.3)
Destination: 192.168.1.4 (192.168.1.4)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: msrp (2855), Dst Port: search-agent (1234), Seq: 1, Ack: 1, Len: 22
Source port: msrp (2855)
Destination port: search-agent (1234)
[Stream index: 0]
Sequence number: 1 (relative sequence number)
[Next sequence number: 23 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 64240
[Calculated window size: 64240]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x8ea0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Bytes in flight: 22]
Data (22 bytes)
0000 48 61 6c 6c 6f 20 64 61 73 20 69 73 74 20 65 69 Hallo das ist ei
0010 6e 20 54 65 73 74 n Test
Data: 48616c6c6f20646173206973742065696e2054657374
[Length: 22]
关于c++ - 如何解析网络流量的十六进制代码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/13541227/