> On Sun, Feb 27, 2005 at 10:37:34PM +0400, Ramsurrun Visham wrote:
> | Hi to all,
> |
> | I would like to know how do we grab the icmp header from an ethernet frame.
> I believe we have to jump pass the ethernet and IP headers..
>
> no - we actually need to parse through the IP header to find out if the header
> is variable length [IP options etc.]
>
> have a look at the point where the icmp printer is called in print-ip.c
>
> ---
>
> case IPPROTO_ICMP:
> /* pass on the MF bit plus the offset to detect fragments */
> icmp_print(cp, len, (const u_char *)ip, (off & 0x3fff));
> break;
>
> ---
>
> | u_char * handle_IP(u_char *args, const struct pcap_pkthdr* pkthdr, const
> u_char* packet)
> |
> | {
> | const struct my_ip* p;
> | u_int length = pkthdr->len;
> |
> | ip = (struct my_ip*)(packet + sizeof(struct ether_header));
> | length -= sizeof(struct ether_header);
> | }
Many thx for the reply..
I read that the headers are contiguous, i.e. ethernet first, then IP, and then
ICMP. They are 14, 20 and 8 bytes respectively. I also believe that the header
size doesn't change. If options are not set or are not present, the space is
padded just like for the data part of the packet. So if the above is true, I
must be able to get to the start of the ICMP header by just doing something
like:
icmp = (struct my_icmp*)(packet + sizeof(struct ether_header) + sizeof(struct
my_ip));
Regards,
Visham
This mail has been scanned for viruses by the UoM Antivirus Gateway.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
