On 07/10/11 00:25, Guy Harris wrote:
> On Jul 9, 2011, at 7:01 PM, Alokat wrote:
>
>> I'm wondering what's the difference between the pcap_packet and the payload?
> What do you mean by "the payload"?
>
>> I have seen that you can extract the payload like this:
>>
>> payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
> That's the TCP payload.
>
> You can do so if:
>
> 1) the packet is an Ethernet packet (i.e., the LINKTYPE_ value in the
> file header is LINKTYPE_ETHERNET, meaning that pcap_datalink() returns
> DLT_EN10MB);
>
> 2) it is also an IP packet (meaning that the Ethernet type in the
> Ethernet header is 0x0800 or 0x86dd) and size_ip is the size of the IPv4 or
> IPv6 header, including options and extensions headers;
>
> 3) it is also a TCP packet (meaning that the protocol field in the IPv4
> header or the last "next header" field in the IPv6 header has the value 6)
> and size_tcp is the size of the TCP header, including options.
>
> However, there is no universal notion of "headers" and "payload" in
> networking. As far as IP is concerned, the TCP header is part of the
> payload; as far as Ethernet is concerned, the IP header and the TCP header
> are part of the payload. There could be a protocol running on top of TCP
> that has other protocols running on top of it (for example, the NetBIOS
> Session Service protocol), and, as far as that protocol is concerned, the TCP
> payload has a header for the protocol and the protocol's payload.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

Thanks for the answer.

Just to be sure: *Ethernet packet* means a layer 2 (OSI / ISO model) packet, right?

Regards,
alokat
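
The three conditions listed in the quoted reply, written as a bounds-checked function (an added example, not code from this thread or from libpcap). The helper name `tcp_payload`, the `LINK_ETHERNET` macro and the sample frame are assumptions made for illustration; only the IPv4 case is covered, and every header length is checked against the captured length before it is used.

```c
#include <stddef.h>
#include <stdint.h>

#define SIZE_ETHERNET 14   /* same constant as the quoted snippet */
#define LINK_ETHERNET 1    /* numeric value of DLT_EN10MB in libpcap */

/* Hypothetical helper: returns the TCP payload of an Ethernet/IPv4/TCP
 * frame, or NULL if a condition fails or a header runs past caplen.
 * IPv6 (Ethernet type 0x86dd) is not handled here. */
const uint8_t *tcp_payload(const uint8_t *packet, size_t caplen,
                           int linktype, size_t *payload_len)
{
    /* 1) link type must be Ethernet, with room for a minimal IPv4 header */
    if (linktype != LINK_ETHERNET || caplen < SIZE_ETHERNET + 20)
        return NULL;
    /* 2) Ethernet type must be 0x0800 (IPv4) */
    if (packet[12] != 0x08 || packet[13] != 0x00)
        return NULL;
    const uint8_t *ip = packet + SIZE_ETHERNET;
    size_t size_ip = (size_t)(ip[0] & 0x0f) * 4;   /* IHL: header plus options */
    if ((ip[0] >> 4) != 4 || size_ip < 20)
        return NULL;
    /* 3) protocol must be 6 (TCP); a later fragment carries no TCP header */
    if (ip[9] != 6 || (ip[6] & 0x1f) != 0 || ip[7] != 0)
        return NULL;
    if (caplen < SIZE_ETHERNET + size_ip + 20)
        return NULL;
    const uint8_t *tcp = ip + size_ip;
    size_t size_tcp = (size_t)(tcp[12] >> 4) * 4;  /* data offset: header plus options */
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];
    if (size_tcp < 20 || ip_total < size_ip + size_tcp)
        return NULL;
    /* The IP total length excludes Ethernet padding; caplen may be shorter. */
    size_t hdrs = SIZE_ETHERNET + size_ip + size_tcp;
    size_t end = SIZE_ETHERNET + ip_total;
    if (end > caplen) end = caplen;
    if (hdrs > end)
        return NULL;
    *payload_len = end - hdrs;
    return packet + hdrs;
}

/* Constructed sample: 60-byte frame, 2-byte payload "hi", 4 bytes of padding. */
static const uint8_t sample[60] = {
    0x02,0,0,0,0,1, 0x02,0,0,0,0,2, 0x08,0x00,                        /* Ethernet */
    0x45,0,0,0x2a, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,             /* IPv4 */
    0x04,0xd2,0,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0, /* TCP */
    'h','i'
};
```
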