如何从.pcap文件中获取随机数据包?

时间:2017-11-02 03:47:03

标签: shell wireshark pcap editcap

我正在尝试从<app-toast [message]="toast.message"></app-toast> <div class="card" *ngIf="!isEditing"> <h4 class="card-header">Add new cheat</h4> <form [formGroup]="addCheatForm" (ngSubmit)="addCheat()"> <div class="form-group"> <input class="form-control" type="text" name="title" formControlName="title" placeholder="Title"> </div> <div class="form-group"> <input class="form-control" type="text" name="code" formControlName="code" placeholder="Code"> </div> <div class="form-group"> <input class="form-control" type="text" name="description" formControlName="description" placeholder="Description"> </div> <div class="form-group"> <select name="name" class="form-control" [ngModel] = "name" formControlName="name"> <option value="" selected disabled>Name</option> <option *ngFor="let type of cheaterNames" [value]="type">{{type}}</option> </select> <input class="form-control" type="text" name="name" [ngModel] = "selectedName" formControlName="name" placeholder="Or add Name"> </div> <button class="btn btn-primary" type="submit" [disabled]="!addCheatForm.valid"><i class="fa fa-floppy-o"></i> Add</button> </form> 文件中获取随机数据包子集。为此,我编写了以下shell脚本:

.pcap

但是,large_number=150000 smaller_number=10000 selected_packet_numbers=$(shuf -i 0-"$large_number" -n "$smaller_number") editcap -r capture.pcap capture-selected.pcap $selected_packet_numbers 给出了以下错误:

editcap

使用shell循环会花费不合理的时间。

如何从Out of room for packet selections 文件中选择数据包的随机子集?

2 个答案:

答案 0 :(得分:1)

目前,您需要减少smaller_number,因此其值严格小于512.如果您想要更多的数据包选择,您可能需要更改MAX_SELECTIONS的值。 editcap.c源代码并自行编译。

答案 1 :(得分:1)

正如Christopher Maynard所解释的那样,使用editcap一次最多只能选择512个数据包。 This thread on Wireshark mailing list有更多信息。

如果您不想更改editcap的来源,您可以批量选择数据包。以下脚本生成10000个随机数,然后按批次512选择数据包。生成的.pcap文件最后合并为单个.pcap文件。

#!/bin/bash
large_number=150000
smaller_number=10000
selected_pkt_numbers=$(shuf -i 0-"$large_number" -n "$smaller_number")
for j in `seq 0 512 $smaller_number`; do
    endrange=$((j+512))
    if [ "$endrange" -gt "$smaller_number" ]; then
        endrange=$smaller_number
    fi
    # Selects numbers $j to $endrange from the generated random numbers:
    echo "$j - $endrange"
    pkt_numbers=$(echo $selected_pkt_numbers | awk -v start="$j" -v end="$endrange" '{ out=""; for (i=start+1; i<=end; i++) out=out" "$i; print out}')
    editcap -r $1 $2-$j.pcap $pkt_numbers
done
mergecap -w $2.pcap `ls $2-*.pcap`

使用它:

$ ./pcap-random.sh input-file.pcap output-file
0 - 512
512 - 1024
[...]
9216 - 9728
9728 - 10000
$
$
$ capinfos output-file.pcap 
File name:           output-file.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Packet size limit:   inferred: 58 bytes
Number of packets:   10 k
[...]

与修改editcap的源相比,该脚本需要更多的时间来执行。我还没有测量到多少。使用你给出的参数需要大约11秒才能执行。

相关问题
最新问题