----------------------------------------------------------------------------
-------

I am creating a program to capture packets that makes use of pcap.

In the callback function passed to pcap_loop() I am using the following code:

----------------------------------------------------------------------------
-------

 

      /*
       * Header-offset setup for one captured frame.  This is a fragment of the
       * pcap_loop() callback: the callback's signature and the `packet`
       * parameter it reads are outside this excerpt.
       *
       * NOTE(review): nothing in this fragment compares any offset against the
       * captured length (the caplen field of the struct pcap_pkthdr the
       * callback receives).  Every cast below, and the reads of ip_pkt->ip_len
       * and udp_pkt->uh_len, happen before ether_type or ip_p has been looked
       * at, so a short, truncated or non-IP frame is interpreted as if it held
       * a full Ethernet/IP/TCP stack.  Each derived pointer should be checked
       * against caplen before it is dereferenced.
       */
      int offset = 26;        /* 14 bytes for MAC header + 12 byte offset
                               * into IP header for IP addresses.
                               * Not referenced anywhere in this fragment. */

      u_int ipsize, tcpsize, udpsize, icmpsize, paysize; /* icmpsize is never set here */

      u_char *ptr;            /* declared but unused in this fragment */

      struct ether_header *eptr;    /* ~/net/ethernet.h */

      struct arphdr *arp_pkt;       /* arp struct */

      struct iph *ip_pkt;           /* ip struct */

      struct tcph *tcp_pkt;         /* tcp struct */

      struct udph *udp_pkt;         /* udp struct */

      struct icmph *icmp_pkt;       /* icmp struct */

      struct igmph *igmp_pkt;       /* igmp struct (not assigned in this fragment) */

      const char *payload;          /* The packet payload */

      /* define Ethernet Header  */
      eptr = (struct ether_header *)packet;

      /* ARP header.  Overlays the same bytes as ip_pkt below (packet + 14), so
       * only the one matching ntohs(eptr->ether_type) is meaningful. */
      arp_pkt = (struct arphdr *)(packet + ETHER_HDR_LEN);

      /* calculate IP packet header offset */
      ip_pkt = (struct iph *)(packet + ETHER_HDR_LEN);

      /* set the length of the ip header.
       * IP_HL() is defined elsewhere; presumably it yields the IPv4 header
       * length in 32-bit words (5 for a minimal 20-byte header).  A value
       * below 5 is invalid and would place tcp_pkt inside the IP header, so
       * it should be range-checked before use. */
      ipsize = IP_HL(ip_pkt) * 4;

      /* calculate tcp packet offset */
      tcp_pkt = (struct tcph *)(packet + ETHER_HDR_LEN + ipsize);

      /* set the length of the tcp header.
       * BUG: tcp_pkt is a `struct tcph *`, so sizeof(tcp_pkt) is the size of
       * a pointer (4 or 8), not of the header.  sizeof *tcp_pkt would give the
       * fixed struct size; the real header length is the TCP data-offset
       * field times 4, because options make it variable. */
      tcpsize = sizeof(tcp_pkt);

      /* calculate udp packet offset */
      udp_pkt = (struct udph *)(packet + ETHER_HDR_LEN + ipsize);

      /* set the length of the udp header.
       * NOTE(review): unlike ip_pkt->ip_len further down, uh_len is read
       * without ntohs().  If it is the on-wire UDP length field it is
       * big-endian and counts header plus data, not just the 8-byte header. */
      udpsize = udp_pkt->uh_len;

      /* calculate the payload offset.
       * Assumes TCP: tcpsize is added even when the packet is UDP or ICMP.
       * The (u_char *) cast is then stored in a `const char *`, a type
       * mismatch the compiler should be warning about. */
      payload = (u_char *)(packet + ETHER_HDR_LEN + ipsize + tcpsize);

      /* and set the payload size.
       * paysize is u_int: if ip_len is smaller than ipsize + tcpsize (a
       * truncated or malformed header) the subtraction wraps to a huge value
       * instead of failing.  Check that before using paysize as a length. */
      paysize = ntohs(ip_pkt->ip_len) - (ipsize + tcpsize);

      /* ICMP packet header.  IP_HL(ip_pkt) * 4 is the same value as ipsize
       * computed above. */
      icmp_pkt = (struct icmph *)(packet + ETHER_HDR_LEN + (IP_HL(ip_pkt) *
4));

      

----------------------------------------------------------------------------
-------------------

Later I call the print function for each protocol, chosen by the protocol
type, from a switch statement like:

----------------------------------------------------------------------------
-------------------

if (ntohs (eptr->ether_type) == ETHERTYPE_IP) {

            /*Is the packet and IP packet? */

            (void)printf("Ethernet Type:\t\t hex:0x%x dec:%d Protocol: ", 

                        ntohs(eptr->ether_type),

                        ntohs(eptr->ether_type));

            switch(ip_pkt->ip_p) {

                  case IPPROTO_TCP:

                        /* if the protocol type is TCP */

                        (void)printf("TCP (%i)\n", ip_pkt->ip_p);

                        if (!qflag) {

                              print_ip(ip_pkt); /* still ip (ip/tcp) */

                              print_tcp(tcp_pkt); /*call function to print 

                                                    tcp packet info*/

                        }

                        break;

                  case IPPROTO_UDP:

                        /* if the protocol type is UDP */

                        (void)printf("UDP (%i)\n", ip_pkt->ip_p);

                        if(!qflag) {

                              print_ip(ip_pkt);  /* still ip (ip/udp) */

                              print_udp(udp_pkt); /* function to print udp
*/

                        }

                        break;

                  ..... .     

                  .....

                  .....

                  }

 

----------------------------------------------------------------------------
--------------------

Do you think the above way of defining the headers is right? I also don't
really understand how exactly this works here. I can see that something is
wrong, but I really cannot understand what it is. However, the output from my
program for TCP, UDP, IP, ICMP and ARP packets looks correct compared with that
of other apps like Tcpdump or Ethereal.

It would be really kind if anyone could help me understand how exactly this
part works.

I also tried to add support for the IGMP protocol, but I didn't manage to
make it work properly using something like:

      /* NOTE(review): the rest of the fragment uses ETHER_HDR_LEN; this line
       * uses ETHERNET_HDR_LEN, a different identifier.  If that name is not
       * defined the line will not compile, which may be why IGMP did not
       * work.  The offset itself matches the TCP/UDP/ICMP ones above, and
       * like them it is not checked against the captured length. */
      igmp_pkt = (struct igmph *)(packet + ETHERNET_HDR_LEN + ipsize);

 

I can provide more information or refine my query if required.

Thank you in advance.

 

Spiros Papadopoulos 

-