我正在使用 C 语言并使用 pcap 库来分析一个 cap 文件,该文件包含traceroute执行期间发送/接收的数据包。我遇到的问题是识别从traceroute发送/接收的数据包,因为 cap 文件也包括其他数据包。
在尝试确定任何给定数据包是否来自traceroute时,我可以检查任何特定标准吗?还是这是不可能的?
感谢您提供的任何帮助/建议。
$ man traceroute
TRACEROUTE(8) BSD System Manager's Manual TRACEROUTE(8)
NAME
traceroute -- print the route packets take to network host
...
-I Use ICMP ECHO instead of UDP datagrams. (A synonym for "-P
icmp").
...
This program attempts to trace the route an IP packet would follow to
some internet host by launching UDP probe packets with a small ttl (time
to live) then listening for an ICMP "time exceeded" reply from a gateway.
We start our probes with a ttl of one and increase by one until we get an
ICMP "port unreachable" (which means we got to "host") or hit a max
(which defaults to net.inet.ip.ttl hops & can be changed with the -m
flag). Three probes (changed with -q flag) are sent at each ttl setting
and a line is printed showing the ttl, address of the gateway and round
trip time of each probe. If the probe answers come from different gate-
ways, the address of each responding system will be printed. If there is
no response within a 5 sec. timeout interval (changed with the -w flag),
a "*" is printed for that probe.
We don't want the destination host to process the UDP probe packets so
the destination port is set to an unlikely value (if some clod on the
destination is using that value, it can be changed with the -p flag).
因此,默认情况下,跟踪路由数据包是发送到某个随机端口的UDP数据包;这使得它们很难与其他流量区分开来。
如果有人使用 -I 选项,它将使用 ICMP ECHO 数据包,这些数据包更容易与其他流量区分开来,但与来自"ping"命令的流量不容易区分。
您可以尝试查找具有小 TTL 的数据包。
程序跟踪路由通过发送具有递增 IP TTL 字段的 UDP/ICMP 数据包来工作。与典型应用程序将发送的字段相比,这些 IP TTL 字段通常非常小(在我的字段中是 64)。
因此,如果您使用过滤器捕获
ip.ttl <20
您可能会收到这些数据包(您可以调整上述过滤器中的数字),请记住,如果您靠近运行跟踪路由程序的主机,您甚至可以通过"ip.ttl <5"捕获它。