Java parsing Pcap files (2)

@author: Jingdai
@date: 2021.03.11

The previous post introduced the structure of the Pcap file and parsed its Global Header and Packet Header. The next step is to parse the Packet Data, which is the data-link-layer frame.

Data link layer analysis

The Packet Data of a Pcap record is a data-link-layer frame. Its length in bytes is the capLen field of the preceding Packet Header, so exactly that many bytes are read for it. Only Ethernet frames are analyzed here, which is also what most Wireshark captures contain (the link-layer type field of the Global Header, LINKTYPE_ETHERNET = 1, tells you that a file holds Ethernet frames). The following figure shows the structure of an Ethernet frame.

[Figure: Ethernet frame structure]

Note that the Ethernet frame in Packet Data has no preamble, and normally no FCS either: the NIC consumes the preamble and usually strips the FCS before the frame reaches the capture driver (another blog post explains why). The Ethernet header is therefore a fixed 14 bytes: a 6-byte destination MAC address, a 6-byte source MAC address and a 2-byte type field, all in network (big-endian) byte order. A type value of 0x0800 means the upper-layer protocol is IPv4. Other values you will meet are 0x0806 (ARP), 0x86DD (IPv6) and 0x8100 (an 802.1Q VLAN tag, which inserts 4 extra bytes before the real type field and so makes the header 18 bytes). If a driver does pass the FCS through, it sits after the payload and does not change the header layout.

I do not decode the source and destination MAC addresses here because my experiment does not need them; all I need is the upper-layer protocol type.

Based on this, create a class FrameHeader; the code is as follows.

package com.jingdai.pcapanalyzer.entity.format;

/**
 * Frame header (Ethernet Header)
 */
public class FrameHeader {

    /** EtherType of IPv4: 0x0800 (decimal 2048) */
    public static final int PROTOCOL_IP = 0x0800;

    /** The 2-byte type field; the MAC addresses are not kept */
    private int protocol;

    public int getProtocol() {
        return protocol;
    }

    public void setProtocol(int protocol) {
        this.protocol = protocol;
    }

    public FrameHeader() {
    }
}

The corresponding parsing code is as follows (it needs java.util.Arrays and the DataUtils helper from the previous post).

    public FrameHeader parseFrameHeader(byte[] frameHeaderBuffer) {
        // A record shorter than 14 bytes cannot hold an Ethernet header; without this
        // check copyOfRange would silently zero-pad and report protocol type 0
        if (frameHeaderBuffer.length < 14) {
            throw new IllegalArgumentException("Ethernet header truncated: " + frameHeaderBuffer.length + " bytes");
        }
        FrameHeader frameHeader = new FrameHeader();
        // Destination and source MAC addresses (bytes 0-11) are not needed, skip them
        byte[] protocolBuffer = Arrays.copyOfRange(frameHeaderBuffer, 12, 14);
        // The type field is big-endian; byteArray2Int is the helper from the previous post
        int protocol = DataUtils.byteArray2Int(protocolBuffer, 2);
        frameHeader.setProtocol(protocol);
        return frameHeader;
    }

The classes and parsing code for IP packets and TCP segments that follow are similar, so I will not post them here; the link to the complete project code is at the end for reference.

IP packet analysis

Removing the frame header parsed in the previous section from the Packet Data leaves the IP packet; that is, the IP packet is the data part of the Ethernet frame. The following figure shows the structure of the IP (IPv4) packet.

[Figure: IP packet structure]

As the figure shows, the length of the IP header is not fixed. It is given by the low 4 bits (IHL) of the first byte of the IP packet, in units of 4 bytes; the high 4 bits hold the version, which must be 4 for the layout shown. A header without options has IHL = 5, i.e. 20 bytes, and any IHL below 5 should be rejected as malformed. Take that many bytes as the IP header and parse it: the Protocol field (byte 9; 6 = TCP, 17 = UDP) says what follows, and the Total Length field (bytes 2-3) gives the length of header plus data. Use Total Length, not capLen, to find the end of the IP packet: an Ethernet frame shorter than 60 bytes is padded by the sender, and that padding is not part of the transport payload.

TCP data segment analysis

After removing the IP header, if the upper-layer protocol of the IP packet is TCP, the TCP segment is parsed next (UDP is simpler and needs only a small change to the code). The following figure shows the structure of the TCP segment.

[Figure: TCP segment structure]

As the figure shows, the length of the TCP header is not fixed either. The Data Offset field, the high 4 bits of byte 12 of the segment, is the header length in units of 4 bytes; it is 5 (20 bytes) when no options are present and must never be less than 5. Take that many bytes as the TCP header and parse it; whatever remains up to the end of the IP packet is the TCP payload. UDP is simpler: its header is a fixed 8 bytes (source port, destination port, length, checksum), and its Length field covers header plus data.
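Here is one way to carry the three steps above (Ethernet header, IP header, TCP/UDP header) through end to end, as an added example that is not part of the original post or the author's project: the PacketDataWalker class, its walk method and its Result fields are this example's own names, and it reads fields with java.nio.ByteBuffer instead of the author's DataUtils helper. It goes a little beyond the text: it steps over an 802.1Q VLAN tag, handles UDP as well as TCP, validates IHL, Data Offset and the length fields before trusting them, and takes the end of the packet from IP Total Length rather than from capLen so that Ethernet padding is not mistaken for payload. The two records in main are constructed by hand, not real captures, and their checksums are left as zero.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Walks one pcap record's Packet Data: Ethernet header -> IPv4 header -> TCP/UDP header.
 * Added example; class, method and field names are this example's own, not the post's.
 */
public class PacketDataWalker {
    static final int ETHERTYPE_IPV4 = 0x0800;
    static final int ETHERTYPE_VLAN = 0x8100;   // 802.1Q tag: 4 extra bytes before the real type field
    static final int IPPROTO_TCP = 6;
    static final int IPPROTO_UDP = 17;

    /** Fields of interest; -1 / null where a layer is absent or unsupported. */
    public static final class Result {
        public int etherType, ipProtocol = -1, ipHeaderLen = -1, ipTotalLen = -1;
        public int srcPort = -1, dstPort = -1, l4HeaderLen = -1, payloadLen = -1;
        public String srcIp, dstIp;
    }

    /** data = exactly capLen bytes of one record. All header fields are network (big-endian) order. */
    public static Result walk(byte[] data) {
        Result r = new Result();
        ByteBuffer buf = ByteBuffer.wrap(data).order(ByteOrder.BIG_ENDIAN);
        if (data.length < 14) throw new IllegalArgumentException("truncated Ethernet header");
        r.etherType = buf.getShort(12) & 0xFFFF;
        int off = 14;
        if (r.etherType == ETHERTYPE_VLAN) {          // TCI (2 bytes), then the encapsulated EtherType
            if (data.length < off + 4) throw new IllegalArgumentException("truncated VLAN tag");
            r.etherType = buf.getShort(off + 2) & 0xFFFF;
            off += 4;
        }
        if (r.etherType != ETHERTYPE_IPV4) return r;  // ARP, IPv6, ... are not handled here

        // IPv4: version/IHL byte, Total Length at +2, Protocol at +9, addresses at +12 and +16
        if (data.length < off + 20) throw new IllegalArgumentException("truncated IPv4 header");
        int versionIhl = data[off] & 0xFF;
        if ((versionIhl >> 4) != 4) throw new IllegalArgumentException("not an IPv4 header");
        r.ipHeaderLen = (versionIhl & 0x0F) * 4;      // IHL is the low nibble, in 32-bit words
        r.ipTotalLen = buf.getShort(off + 2) & 0xFFFF;
        if (r.ipHeaderLen < 20 || r.ipTotalLen < r.ipHeaderLen || r.ipTotalLen > data.length - off)
            throw new IllegalArgumentException("inconsistent IPv4 lengths");
        r.ipProtocol = data[off + 9] & 0xFF;
        r.srcIp = ipv4(data, off + 12);
        r.dstIp = ipv4(data, off + 16);
        // End of the IP packet comes from Total Length, not from capLen: frames shorter than
        // 60 bytes are padded by the sender, and that padding is not transport payload.
        int ipEnd = off + r.ipTotalLen;
        off += r.ipHeaderLen;

        if (r.ipProtocol == IPPROTO_TCP) {
            if (ipEnd - off < 20) throw new IllegalArgumentException("truncated TCP header");
            r.srcPort = buf.getShort(off) & 0xFFFF;
            r.dstPort = buf.getShort(off + 2) & 0xFFFF;
            r.l4HeaderLen = ((data[off + 12] & 0xF0) >> 4) * 4;   // Data Offset: high nibble of byte 12
            if (r.l4HeaderLen < 20 || off + r.l4HeaderLen > ipEnd)
                throw new IllegalArgumentException("bad TCP data offset");
        } else if (r.ipProtocol == IPPROTO_UDP) {
            if (ipEnd - off < 8) throw new IllegalArgumentException("truncated UDP header");
            r.srcPort = buf.getShort(off) & 0xFFFF;
            r.dstPort = buf.getShort(off + 2) & 0xFFFF;
            int udpLen = buf.getShort(off + 4) & 0xFFFF;          // UDP carries its own length field
            if (udpLen < 8 || off + udpLen > ipEnd) throw new IllegalArgumentException("bad UDP length");
            r.l4HeaderLen = 8;
        } else {
            return r;                                  // ICMP etc.: stop after the IP header
        }
        r.payloadLen = ipEnd - off - r.l4HeaderLen;
        return r;
    }

    private static String ipv4(byte[] d, int o) {
        return (d[o] & 0xFF) + "." + (d[o + 1] & 0xFF) + "." + (d[o + 2] & 0xFF) + "." + (d[o + 3] & 0xFF);
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample records (not real captures); IP/TCP/UDP checksums are left as 0000.
        String ethAddrs = "ffffffffffff001122334455";
        // 1) plain Ethernet, IPv4 (IHL=5, Total Length 42), TCP (Data Offset 5) with a 2-byte payload,
        //    then 4 bytes of padding up to the 60-byte minimum frame: payloadLen must come from
        //    Total Length (2), not from capLen (which would give 6)
        byte[] tcpFrame = hex(ethAddrs + "0800"
                + "4500002a000140004006" + "0000" + "c0a80101c0a80102"
                + "c3500050000000010000000050182000" + "0000" + "0000"
                + "6869" + "00000000");
        // 2) 802.1Q-tagged (VLAN 100) IPv4/UDP, 4-byte payload, 10 bytes of padding
        byte[] udpFrame = hex(ethAddrs + "810000640800"
                + "45000020000200004011" + "0000" + "c0a8010108080808"
                + "d4310035000c" + "0000" + "deadbeef" + "00000000000000000000");
        for (byte[] f : new byte[][] { tcpFrame, udpFrame }) {
            Result r = walk(f);
            System.out.printf("type=0x%04x proto=%d %s -> %s ports %d -> %d l4hdr=%d payload=%d (capLen=%d)%n",
                    r.etherType, r.ipProtocol, r.srcIp, r.dstIp, r.srcPort, r.dstPort, r.l4HeaderLen, r.payloadLen, f.length);
        }
    }
}
```

Feed walk() the Packet Data bytes of each record (capLen bytes, as read with the Packet Header parser from the previous post). Every length that comes from the packet itself (IHL, Total Length, Data Offset, UDP Length) is checked against the bytes actually present before it is used as an offset; a capture file is attacker-controlled input, and a crafted IHL or Data Offset that is too small or too large should produce an exception rather than a mis-parsed or out-of-bounds read.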

Project address


Origin blog.csdn.net/qq_41512783/article/details/114657010