On Jul 9, 2011, at 7:01 PM, Alokat wrote:

> I'm wondering what's the difference between the pcap_packet and the payload?

What do you mean by "the payload"?

> I have seen that you can extract the payload like this:
> 
> payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);

That's the TCP payload.

You can do so if:

        1) the packet is an Ethernet packet (i.e., the LINKTYPE_ value in the 
file header is LINKTYPE_ETHERNET, meaning that pcap_datalink() returns 
DLT_EN10MB);

        2) it is also an IP packet (meaning that the Ethernet type in the 
Ethernet header is 0x0800 or 0x86dd) and size_ip is the size of the IPv4 or 
IPv6 header, including options and extensions headers;

        3) it is also a TCP packet (meaning that the protocol field in the IPv4 
header or the last "next header" field in the IPv6 header has the value 6) and 
size_tcp is the size of the TCP header, including options.

However, there is no universal notion of "headers" and "payload" in networking. 
 As far as IP is concerned, the TCP header is part of the payload; as far as 
Ethernet is concerned, the IP header and the TCP header are part of the 
payload.  There could be a protocol running on top of TCP that has other 
protocols running on top of it (for example, the NetBIOS Session Service 
protocol), and, as far as that protocol is concerned, the TCP payload has a 
header for the protocol and the protocol's payload.
This is the tcpdump-workers list.
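The three conditions listed in the message above, written as checks that run before the pointer arithmetic (an added example, not code from the original message or from libpcap). It handles IPv4 only, with no IPv6 extension headers or VLAN tags; the function name `tcp_payload_offset` and the sample frame are constructed for illustration, and every read is bounded by the captured length so a truncated or malformed packet cannot push the payload pointer past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_DLT_EN10MB 1   /* numeric value of libpcap's DLT_EN10MB */
#define SIZE_ETHERNET 14

/* Offset of the TCP payload in an Ethernet/IPv4/TCP frame, or -1 if any of
 * the conditions fails or the captured bytes are too short. *plen receives
 * the number of captured payload bytes. */
long tcp_payload_offset(const uint8_t *pkt, size_t caplen, int dlt, size_t *plen)
{
    if (dlt != EX_DLT_EN10MB || caplen < SIZE_ETHERNET + 20)
        return -1;                                /* condition 1 */
    if (((pkt[12] << 8) | pkt[13]) != 0x0800)
        return -1;                                /* condition 2, IPv4 only */
    const uint8_t *ip = pkt + SIZE_ETHERNET;
    size_t size_ip = (size_t)(ip[0] & 0x0f) * 4;  /* IHL, includes options */
    if ((ip[0] >> 4) != 4 || size_ip < 20)
        return -1;
    /* condition 3; non-first fragments carry no TCP header */
    if (ip[9] != 6 || (((ip[6] & 0x1f) << 8) | ip[7]) != 0)
        return -1;
    if (caplen < SIZE_ETHERNET + size_ip + 20)
        return -1;
    const uint8_t *tcp = ip + size_ip;
    size_t size_tcp = (size_t)(tcp[12] >> 4) * 4; /* data offset, includes options */
    size_t off = SIZE_ETHERNET + size_ip + size_tcp;
    size_t end = SIZE_ETHERNET + (size_t)((ip[2] << 8) | ip[3]); /* IP total length */
    if (end > caplen)
        end = caplen;                             /* snaplen cut the packet */
    if (size_tcp < 20 || off > end)
        return -1;
    *plen = end - off;
    return (long)off;
}

/* Constructed sample: 60-byte frame, payload "hi", 4 bytes of Ethernet padding. */
const uint8_t sample[60] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,42, 0,0,0x40,0, 64,6,0,0, 192,0,2,1, 192,0,2,2,
    0x30,0x39,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x18,0x20,0, 0,0,0,0,
    'h','i'
};

int main(void)
{
    size_t n = 0;
    long off = tcp_payload_offset(sample, sizeof sample, EX_DLT_EN10MB, &n);
    printf("offset=%ld len=%zu\n", off, n);
    return 0;
}
```

The payload length comes from the IP total length rather than the frame length, so Ethernet padding on short frames is not counted as TCP data.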