Hello,
I am using libpcap to build a sniffer.
I define an Ethernet header as follows:

    /* Ethernet header */
    struct sniff_ethernet {
        u_char ether_dhost[ETHER_ADDR_LEN]; // Destination host address
        u_char ether_shost[ETHER_ADDR_LEN]; // Source host address
        u_short ether_type; // IP? ARP? RARP? etc
    };

The packets I sniff are then encapsulated in the standard way: the Ethernet header precedes the IP header, then follows the TCP header and then the payload. Up to here, nothing strange; I just got inspired by the sniffer code that is available on the web and that has appeared several times in this forum. In my sniffer code I open a sniffing session in the standard libpcap way, and everything seems to run smoothly.
I run the sniffer on Red Hat 7.3 Linux. I use the libnet libraries to generate the packets that I sniff, so that I can easily debug what happens.
If I put an ARP packet on the wire, the sniffer will sniff a packet that contains the value 1644 in the Ethernet type field of the structure sniff_ethernet described above.
If I read the Ethernet encapsulation specifications, I find out that the value corresponding to an Ethernet packet carrying ARP is 0x0806. If I invert the two bytes of this value I obtain 0x0608, which is 1644 in decimal notation. So that is obviously a problem with the byte order. If I sniff ARP packets using Ethereal, the Ethernet type value is correctly set to 0x0806, so that means that I have a byte order issue. I am not very familiar with this kind of issue; can anyone please explain to me what is going on and possibly give me a hint on the correct way to handle this kind of issue?
Thank you
Claudio
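
The byte-order behaviour described in the post above, as an added example that is not part of the original post: the EtherType is stored on the wire in network (big-endian) byte order, so a direct read of `ether_type` is host-dependent and has to go through `ntohs()` or be assembled from the two wire bytes. The sample frame is constructed, and the function names are hypothetical; `caplen` stands for the captured length libpcap reports for the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>                 /* ntohs() */

#define ETHER_ADDR_LEN 6
#define ETHER_HDR_LEN  14

/* Same layout as the struct in the post, with fixed-width types. */
struct sniff_ethernet {
    uint8_t  ether_dhost[ETHER_ADDR_LEN];
    uint8_t  ether_shost[ETHER_ADDR_LEN];
    uint16_t ether_type;               /* held in network byte order */
};

/* Constructed sample: start of a broadcast ARP frame. */
static const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* destination MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* source MAC (constructed) */
    0x08, 0x06,                           /* EtherType as sent on the wire */
    0x00, 0x01, 0x08, 0x00                /* first bytes of the ARP payload */
};

/* The field as a direct struct read sees it: the value depends on the host.
   Returns 0 when fewer than 14 bytes were captured. */
uint16_t ether_type_raw(const uint8_t *pkt, size_t caplen) {
    struct sniff_ethernet eth;
    if (caplen < ETHER_HDR_LEN) return 0;
    memcpy(&eth, pkt, ETHER_HDR_LEN);  /* copying avoids unaligned access */
    return eth.ether_type;
}

/* Portable: convert from network order to host order before comparing. */
uint16_t ether_type_host(const uint8_t *pkt, size_t caplen) {
    return ntohs(ether_type_raw(pkt, caplen));
}

/* Equivalent without ntohs(): build the value from the two wire bytes. */
uint16_t ether_type_bytes(const uint8_t *pkt, size_t caplen) {
    if (caplen < ETHER_HDR_LEN) return 0;
    return (uint16_t)((pkt[12] << 8) | pkt[13]);
}

int main(void) {
    size_t n = sizeof sample_frame;
    printf("raw field:  0x%04x\n", (unsigned)ether_type_raw(sample_frame, n));
    printf("ntohs():    0x%04x\n", (unsigned)ether_type_host(sample_frame, n));
    printf("from bytes: 0x%04x\n", (unsigned)ether_type_bytes(sample_frame, n));
    return 0;
}
```

The same conversion applies to every multi-byte header field that follows, using `ntohs()` for 16-bit fields and `ntohl()` for 32-bit fields.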