Ramsurrun Visham wrote:

I read that the headers are contiguous, i.e. ethernet first, then IP,
and then ICMP. They are 14, 20 and 8 bytes respectively. I also believe
that the header size doesn't change.

Not true of the IP header size - the IPv4 header has a *minimum* length of 20 bytes, but if there are IP options, it could be longer than 20 bytes. The first byte of the IP header is the version/length byte; it includes a length, in units of 4-byte words (so that a value of 0x45 means "version 5, 5 4-byte words long").


If options are not set or are not
present, the space is padded just like for the data part of the packet.
So if the above is true, I must be able to get to the start of the ICMP
header by just doing something like:

icmp = (struct my_icmp*)(packet + sizeof(struct ether_header) + sizeof(struct my_ip));

If options aren't present, that should work (assuming that the packet is an ICMP packet). If they *are* present, it won't work.
-
This is the tcpdump-workers list.
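The header-length point discussed above, as an added example that is not part of the original messages: the ICMP offset is computed from the length nibble of the first IP header byte rather than from a fixed struct size, with bounds checks against the captured length. The names `icmp_offset` and `build_sample` and the constants are hypothetical, an untagged Ethernet II frame is assumed, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14      /* Ethernet II header; no VLAN tag assumed */
#define ETHERTYPE_IP4 0x0800
#define PROTO_ICMP    1       /* IPv4 protocol number for ICMP */
#define ICMP_HLEN     8

/* Return the byte offset of the ICMP header inside pkt, or -1 if the
 * captured bytes do not hold an IPv4 ICMP packet with a complete ICMP
 * header. caplen is the number of bytes actually captured. */
int icmp_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < ETH_HLEN + 20)                 /* minimum IPv4 header */
        return -1;
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IP4)
        return -1;

    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;    /* length in 4-byte words */
    if ((ip[0] >> 4) != 4 || ihl < 20)          /* bad version or length */
        return -1;
    if (ip[9] != PROTO_ICMP)
        return -1;
    /* Non-zero fragment offset: the payload does not start with ICMP. */
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0)
        return -1;
    if (caplen < ETH_HLEN + ihl + ICMP_HLEN)    /* options may push it out */
        return -1;
    return (int)(ETH_HLEN + ihl);
}

/* Constructed sample: zeroed frame with the given IP header length. */
size_t build_sample(uint8_t *buf, unsigned ihl_words)
{
    size_t len = ETH_HLEN + ihl_words * 4 + ICMP_HLEN;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    buf[ETH_HLEN] = (uint8_t)(0x40 | ihl_words);
    buf[ETH_HLEN + 9] = PROTO_ICMP;
    return len;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, 6);            /* one word of IP options */
    printf("ICMP header at offset %d\n", icmp_offset(buf, n));
    return 0;
}
```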