Problem description

I am attempting to identify the ether type of a packet that I am receiving. The ether type ID is 608 and has no corresponding definition in Ethertype.h (libpcap 1.2.1). The majority of the packets received have an ether type of 8, which again has no corresponding definition in Ethertype.h. Does anyone have any ideas of what the cause may be behind this, or should I contact TCPDump with an error report?

Recommended answer

What is the return value of pcap_datalink() on the pcap_t on which you're capturing?

If it's not DLT_EN10MB (which has the value 1), your packets aren't Ethernet packets, and you shouldn't parse them as Ethernet packets.

If it is DLT_EN10MB, then is that hex 608 or decimal 608? If it's decimal 608, it's a length field rather than a type field. The same applies to 8, which is the same decimal or hex and would thus be a length value rather than a type value.
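
The checks described in the answer, as an added example that is not part of the original question or answer: it refuses non-Ethernet link types, bounds-checks the capture length, and separates 802.3 length values from Ethernet II types. It goes slightly beyond the answer by also showing what bytes 12-13 look like when loaded without `ntohs()` on a little-endian host, where ARP (0x0806) reads as hex 608 and IPv4 (0x0800) reads as 8. `EX_DLT_EN10MB`, `classify`, the other function names and the sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_DLT_EN10MB 1 /* same value as libpcap's DLT_EN10MB (stated in the answer) */

enum field_kind { NOT_ETHERNET, TRUNCATED, LENGTH_8023, ETHERTYPE, UNDEFINED_RANGE };

/* Bytes 12-13 of an Ethernet header, read in network (big-endian) order. */
uint16_t ether_field(const uint8_t *frame) {
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* What a raw 16-bit load without ntohs() yields on a little-endian host. */
uint16_t ether_field_unswapped(const uint8_t *frame) {
    return (uint16_t)((frame[13] << 8) | frame[12]);
}

/* dlt: value returned by pcap_datalink(); caplen: captured byte count. */
enum field_kind classify(int dlt, const uint8_t *frame, size_t caplen, uint16_t *value) {
    if (dlt != EX_DLT_EN10MB) return NOT_ETHERNET;   /* do not parse as Ethernet */
    if (caplen < 14) return TRUNCATED;               /* header not fully captured */
    *value = ether_field(frame);
    if (*value <= 1500) return LENGTH_8023;          /* IEEE 802.3 length field */
    if (*value >= 0x0600) return ETHERTYPE;          /* Ethernet II type field */
    return UNDEFINED_RANGE;                          /* 1501..1535 */
}

/* Constructed 14-byte headers: ARP (0x0806), IPv4 (0x0800), 802.3 length 608. */
const uint8_t ARP_HDR[14]  = {0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x08,0x06};
const uint8_t IPV4_HDR[14] = {2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x00};
const uint8_t LEN_HDR[14]  = {1,0x80,0xc2,0,0,0, 2,0,0,0,0,1, 0x02,0x60};

int main(void) {
    const uint8_t *hdrs[] = {ARP_HDR, IPV4_HDR, LEN_HDR};
    for (int i = 0; i < 3; i++) {
        uint16_t v = 0;
        enum field_kind k = classify(EX_DLT_EN10MB, hdrs[i], 14, &v);
        printf("kind=%d field=0x%04x without-ntohs=0x%04x\n",
               k, (unsigned)v, (unsigned)ether_field_unswapped(hdrs[i]));
    }
    return 0;
}
```

In a real capture callback, `dlt` would come from `pcap_datalink()` and `caplen` from the `caplen` member of `struct pcap_pkthdr`.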
