RFC1761 - Snoop Version 2 Packet Capture File Format, FEBRUARY 1995
Status of this Memo
This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Abstract
This paper describes the file format used by "snoop", a packet monitoring and capture program developed by Sun. This paper is provided so that people can write compatible programs to generate and interpret snoop packet capture files.
1. Introduction
The availability of tools to capture, display and interpret packets traversing a network has proven extremely useful in debugging networking problems. The ability to capture packets and store them for later analysis allows one to de-couple the tasks of collecting information about a network problem and analysing that information. The "snoop" program, developed by Sun, has the ability to capture packets and store them in a file, and can interpret the packets stored in capture files. This RFC describes the file format that the snoop program uses to store captured packets. This paper was written so that others may write programs to interpret the capture files generated by snoop, or create capture files that can be interpreted by snoop.
2. File Format
The snoop packet capture file is an array of octets structured as follows:
    +------------------------+
    |                        |
    |      File Header       |
    |                        |
    +------------------------+
    |                        |
    |     Packet Record      |
    ~        Number 1        ~
    |                        |
    +------------------------+
                .
                .
                .
    +------------------------+
    |                        |
    |     Packet Record      |
    ~        Number N        ~
    |                        |
    +------------------------+
The File Header is a fixed-length field containing general information about the packet file and the format of the packet records it contains. One or more variable-length Packet Record fields follow the File Header field. Each Packet Record field holds the data of one captured packet.
3. File Header
The structure of the File Header is as follows:
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    +                    Identification Pattern                     +
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Version Number = 2                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         Datalink Type                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Identification Pattern:
A 64-bit (8 octet) pattern used to identify the file as a snoop packet capture file. The Identification Pattern consists of the 8 hexadecimal octets:
    73 6e 6f 6f 70 00 00 00
This is the ASCII string "snoop" followed by three null octets.
Version Number:
A 32-bit (4 octet) unsigned integer value representing the version of the packet capture file being used. This document describes version number 2. (Version number 1 was used in early implementations and is now obsolete.)
Datalink Type:
A 32-bit (4 octet) field identifying the type of datalink header used in the packet records that follow. The datalink type codes are listed in the table below:
    Datalink Type                        Code
    -------------                        ----
    IEEE 802.3                              0
    IEEE 802.4 Token Bus                    1
    IEEE 802.5 Token Ring                   2
    IEEE 802.6 Metro Net                    3
    Ethernet                                4
    HDLC                                    5
    Character Synchronous                   6
    IBM Channel-to-Channel                  7
    FDDI                                    8
    Other                                   9
    Unassigned                10 - 4294967295
4. Packet Record Format
Each packet record holds a partial or complete copy of one packet as well as some descriptive information about that packet. The packet may be truncated in order to limit the amount of data to be stored in the packet file. In addition, the packet record may be padded in order for it to align on a convenient machine-dependent boundary. Each packet record holds 24 octets of descriptive information about the packet, followed by the packet data, which is variable-length, and an optional pad field. The descriptive information is structured as six 32-bit (4-octet) integer values.
The structure of the packet record is as follows:
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Original Length                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Included Length                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Packet Record Length                     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Cumulative Drops                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Timestamp Seconds                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Timestamp Microseconds                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    .                                                               .
    .                          Packet Data                          .
    .                                                               .
    +                                               +- - - - - - - -+
    |                                               |      Pad      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Original Length
32-bit unsigned integer representing the length in octets of the captured packet as received via a network.
Included Length
32-bit unsigned integer representing the length of the Packet Data field. This is the number of octets of the captured packet that are included in this packet record. If the received packet was truncated, the Included Length field will be less than the Original Length field.
Packet Record Length
32-bit unsigned integer representing the total length of this packet record in octets. This includes the 24 octets of descriptive information, the length of the Packet Data field, and the length of the Pad field.
Cumulative Drops
32-bit unsigned integer representing the number of packets that were lost by the system that created the packet file between the first packet record in the file and this one. Packets may be lost because of insufficient resources in the capturing system, or for other reasons. Note: some implementations lack the ability to count dropped packets. Those implementations may set the cumulative drops value to zero.
Timestamp Seconds
32-bit unsigned integer representing the time, in seconds since January 1, 1970, when the packet arrived.
Timestamp Microseconds
32-bit unsigned integer representing microsecond resolution of packet arrival time.
Packet Data
Variable-length field holding the packet that was captured, beginning with its datalink header. The Datalink Type field of the file header can be used to determine how to decode the datalink header. The length of the Packet Data field is given in the Included Length field.
Pad
Variable-length field holding zero or more octets that pad the packet record out to a convenient boundary.
5. Data Format
All integer values are stored in "big-endian" order, with the high-order bits first.
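The following writer and reader put sections 3 to 5 together: the 16-octet File Header, the six big-endian 32-bit fields of each Packet Record, the Pad that is skipped via Packet Record Length, and the truncation visible when Included Length is below Original Length. This is an added example, not code from the RFC or from Sun's snoop; the function names, the record dictionary layout and the sample frames are all constructed here. Because every length is read from the file, the reader bounds-checks each one before using it as an offset, which is what keeps a corrupted or hostile capture from driving the parser past the buffer or into an endless loop on a zero-length record.

```python
import struct

# Layout constants from the text above (RFC 1761).
SNOOP_MAGIC = b"snoop\x00\x00\x00"          # ASCII "snoop" + three null octets
SNOOP_VERSION = 2
FILE_HEADER = struct.Struct(">8sII")        # pattern, version, datalink type (big-endian)
RECORD_HEADER = struct.Struct(">IIIIII")    # six 32-bit big-endian unsigned integers
DATALINK_NAMES = {0: "IEEE 802.3", 1: "IEEE 802.4 Token Bus", 2: "IEEE 802.5 Token Ring",
                  3: "IEEE 802.6 Metro Net", 4: "Ethernet", 5: "HDLC",
                  6: "Character Synchronous", 7: "IBM Channel-to-Channel",
                  8: "FDDI", 9: "Other"}


def build_snoop_file(datalink, packets, align=4):
    """Serialize packets into a snoop v2 capture.

    packets: iterable of (data, original_length, cumulative_drops, seconds, microseconds).
    Records are padded to a multiple of `align` octets (an arbitrary writer choice;
    the RFC leaves the boundary to the implementation). A reader must rely only on
    Packet Record Length to find the next record, never on the writer's alignment.
    """
    out = bytearray(FILE_HEADER.pack(SNOOP_MAGIC, SNOOP_VERSION, datalink))
    for data, original_length, drops, seconds, micros in packets:
        included = len(data)
        if original_length < included:
            raise ValueError("Included Length may not exceed Original Length")
        body = RECORD_HEADER.size + included
        pad = (-body) % align
        out += RECORD_HEADER.pack(original_length, included, body + pad, drops, seconds, micros)
        out += data + b"\x00" * pad
    return bytes(out)


def parse_snoop_file(buf):
    """Return (datalink_type, records). Every length comes from the file, so each one is
    bounds-checked before it is used as an offset; a malformed record raises ValueError."""
    if len(buf) < FILE_HEADER.size:
        raise ValueError("file shorter than the 16-octet File Header")
    magic, version, datalink = FILE_HEADER.unpack_from(buf, 0)
    if magic != SNOOP_MAGIC:
        raise ValueError("Identification Pattern mismatch: not a snoop capture")
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop version {version}")
    records = []
    offset = FILE_HEADER.size
    while offset < len(buf):
        if len(buf) - offset < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        original_length, included, record_length, drops, seconds, micros = \
            RECORD_HEADER.unpack_from(buf, offset)
        if included > original_length:
            raise ValueError(f"record at {offset}: Included Length exceeds Original Length")
        # A record must at least cover its own 24-octet header plus its data. This also
        # rejects a zero Packet Record Length, which would otherwise loop forever.
        if record_length < RECORD_HEADER.size + included:
            raise ValueError(f"record at {offset}: Packet Record Length too small")
        if offset + record_length > len(buf):
            raise ValueError(f"record at {offset}: Packet Record Length runs past end of file")
        start = offset + RECORD_HEADER.size
        records.append({
            "original_length": original_length,
            "included_length": included,
            "record_length": record_length,
            "truncated": included < original_length,
            "cumulative_drops": drops,
            "timestamp_seconds": seconds,
            "timestamp_microseconds": micros,
            "data": buf[start:start + included],
        })
        offset += record_length   # Packet Record Length already covers the Pad field
    return datalink, records


def is_valid_snoop_file(buf):
    """True if the whole buffer parses as a well-formed snoop v2 capture."""
    try:
        parse_snoop_file(buf)
        return True
    except ValueError:
        return False


# Constructed sample input (not a real capture): two Ethernet frames, the second
# truncated to 60 of its 1514 octets, with timestamps near the RFC's publication date.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 020000000001 0806") + b"\x00\x01\x08\x00"
SAMPLE_PACKETS = [
    (SAMPLE_FRAME, len(SAMPLE_FRAME), 0, 792000000, 123456),
    (b"\xab" * 60, 1514, 3, 792000001, 0),
]
SAMPLE_FILE = build_snoop_file(4, SAMPLE_PACKETS)

if __name__ == "__main__":
    datalink, recs = parse_snoop_file(SAMPLE_FILE)
    print(f"datalink: {DATALINK_NAMES.get(datalink, 'Unassigned')}")
    for i, r in enumerate(recs, 1):
        print(f"record {i}: {r['included_length']}/{r['original_length']} octets, "
              f"record length {r['record_length']}, drops {r['cumulative_drops']}, "
              f"truncated={r['truncated']}")
```

The first record's 18 data octets give a 42-octet body, so the writer appends two pad octets and a Packet Record Length of 44; the second record's 84-octet body needs no pad. Corrupting a Packet Record Length to zero or to a value past the end of the buffer is rejected before any slice is taken, which is the check a capture-file importer most often gets wrong.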
6. Security Considerations
Security issues are not discussed in this memo.