wireshark如何计算短帧数
How does wireshark calculate number of short frames
Statistics->Protocol Hierarchy
显示各种统计信息,包括短帧计数。 wireshark
如何计算这个,它认为什么是短帧?是不是和抓包时故意截断的包一样? (在这种情况下,struct pcap_pkthdr
的 caplen
字段将小于 len
,这是 IP 负载大小)。
然而,当我实现简单的应用程序(使用 libpcap
)来读取 pcap,并以这种方式计算(caplen 与 len)时,我的数字略高于 wireshark
报告的数字。
Wireshark 版本 2.2.6,捕获包含 TLS,即通过 TCP。 Wireshark ProtocolHierarchy 菜单报告 15240 个 SSL 数据包,以及这 15240 个中的 13640 个短帧。
How does wireshark count this, and what does it consider as short frames?
当 Wireshark 捕捉到 BoundsError
或 ScsiBoundsError
异常时,它会将帧标记为短帧。
proto_short = proto_register_protocol("Short Frame", "Short frame", "_ws.short");
来自epan/show_exception.c:81-104
case BoundsError:
{
gboolean display_info = TRUE;
....................................
if (display_info)
col_append_str(pinfo->cinfo, COL_INFO, "[Packet size limited during capture]");
proto_tree_add_protocol_format(tree, proto_short, tvb, 0, 0,
"[Packet size limited during capture: %s truncated]", pinfo->current_proto);
/* Don't record BoundsError exceptions as expert events - they merely
* reflect a capture done with a snapshot length too short to capture
* all of the packet
* (any case where it's caused by something else is a bug). */
}
Is it the same as packets that were intentionally truncated during capturing?
是的,应该是。但我要说的是,可能存在细微差别,因为 Wireshark 不会像您在应用程序中那样直接计算短帧,但计数取决于可能由于某些错误而不会抛出的异常。
(in this case caplen field of struct pcap_pkthdr would be less than len, which is IP payload size).
正确。
However, when I implemented simple application (use libpcap) to read pcap, and counted that way (caplen vs. len), my numbers are slightly higher than what wireshark reports.
它可能是 Wireshark 中的错误,也可能是您的代码中的错误。您可以使用 _ws.short
过滤器查看 Wireshark 中的所有短帧,然后尝试查找您的应用检测为短但 Wireshark 未检测到的帧。
Wireshark Version 2.2.6, capture contains TLS, i.e. over TCP
您的版本有点过时了。最新版本是 3.2.1
,因此请考虑升级或至少测试两个版本。
Statistics->Protocol Hierarchy
显示各种统计信息,包括短帧计数。 wireshark
如何计算这个,它认为什么是短帧?是不是和抓包时故意截断的包一样? (在这种情况下,struct pcap_pkthdr
的 caplen
字段将小于 len
,这是 IP 负载大小)。
然而,当我实现简单的应用程序(使用 libpcap
)来读取 pcap,并以这种方式计算(caplen 与 len)时,我的数字略高于 wireshark
报告的数字。
Wireshark 版本 2.2.6,捕获包含 TLS,即通过 TCP。 Wireshark ProtocolHierarchy 菜单报告 15240 个 SSL 数据包,以及这 15240 个中的 13640 个短帧。
How does wireshark count this, and what does it consider as short frames?
当 Wireshark 捕捉到 BoundsError
或 ScsiBoundsError
异常时,它会将帧标记为短帧。
proto_short = proto_register_protocol("Short Frame", "Short frame", "_ws.short");
来自epan/show_exception.c:81-104
case BoundsError:
{
gboolean display_info = TRUE;
....................................
if (display_info)
col_append_str(pinfo->cinfo, COL_INFO, "[Packet size limited during capture]");
proto_tree_add_protocol_format(tree, proto_short, tvb, 0, 0,
"[Packet size limited during capture: %s truncated]", pinfo->current_proto);
/* Don't record BoundsError exceptions as expert events - they merely
* reflect a capture done with a snapshot length too short to capture
* all of the packet
* (any case where it's caused by something else is a bug). */
}
Is it the same as packets that were intentionally truncated during capturing?
是的,应该是。但我要说的是,可能存在细微差别,因为 Wireshark 不会像您在应用程序中那样直接计算短帧,但计数取决于可能由于某些错误而不会抛出的异常。
(in this case caplen field of struct pcap_pkthdr would be less than len, which is IP payload size).
正确。
However, when I implemented simple application (use libpcap) to read pcap, and counted that way (caplen vs. len), my numbers are slightly higher than what wireshark reports.
它可能是 Wireshark 中的错误,也可能是您的代码中的错误。您可以使用 _ws.short
过滤器查看 Wireshark 中的所有短帧,然后尝试查找您的应用检测为短但 Wireshark 未检测到的帧。
Wireshark Version 2.2.6, capture contains TLS, i.e. over TCP
您的版本有点过时了。最新版本是 3.2.1
,因此请考虑升级或至少测试两个版本。