强制TCPDump用PCAP而不是PCAP-NG格式编写。

Question

我正在Mac上运行tcpdump，我注意到它以PCAP格式保存文件(前4个字节是0A 0D 0D 0A)。有没有办法强迫它使用旧的PCAP？

软件版本：

tcpdump version 4.3.0 -- Apple version 56
libpcap version 1.3.0 - Apple version 41

ps。我不确定这是否与TCPDump或libpcap有关。

Answer 1

小牛的tcpdump手册页面上写着：

   -i     Listen on interface.

          If  the  -D flag is supported, an interface number as printed by
          that flag can be used as the interface argument.

          On Darwin systems version 13 or later,  when  the  interface  is
          unspecified,  tcpdump  will  use  a  pseudo interface to capture
          packets  on  a  set  of  interfaces  determined  by  the  kernel
          (excludes by default loopback and tunnel interfaces).

          Alternatively,  to capture on more than one interface at a time,
          one may use "pktap" as the interface parameter  followed  by  an
          optional  list  of  comma  separated interface names to include.
          For example, to capture on the loopback and en0 interface:

                 tcpdump -i pktap,lo0,en0

          An interface argument of "all" or "pktap,all"  can  be  used  to
          capture packets from all interfaces, including loopback and tun-
          nel interfaces.

          A pktap pseudo interface provides for packet metadata using  the
          default  PKTAP data link type and files are written in the Pcap-
          ng file format.  The RAW data link type must be used to force to
          use  the legacy pcap-savefile(5) file format with a ptkap pseudo
          interface.  Note that captures on a ptkap pseudo interface  will
          not be done in promiscuous mode.

          An  interface argument of "iptap" can be used to capture packets
          from at the IP layer.  This capture packets as they  are  passed
          to  the  input and output routines of the IPv4 and IPv6 protocol
          handlers of the networking stack.  Note that captures  will  not
          be done in promiscuous mode.

因此，您需要指定要捕获的接口。

请注意，OS的版本可以追溯到Lion，较新版本的FreeBSD/NetBSD/蜻蜓BSD，以及许多Linux发行版的更新版本都包括libpcap1.1.1或更高版本，这意味着使用libpcap读取捕获文件的程序可以读取许多pcap文件。Wireshark也能读到几个版本。

Answer 2

还有一个应用程序CocoaPacketAnalyzer，它读取pcap，但不是pcap文件。有一个网页https://pcapng.com，它将把一个小的pcap文件转换成旧的格式。但是，如果您正在捕获密码或web服务器交互，或者通常关心安全性，请注意在互联网上发布数据包捕获！