On 07/10/2011 05:10 PM, Alokat wrote: > On 07/10/11 00:53, Guy Harris wrote: >> On Jul 9, 2011, at 7:50 PM, Alokat wrote: >> >>> Just for sure: >>> >>> *Ethernet packet* >>> >>> means a layer 2 (OSI / ISO model) packet right? >> Yes. >> - >> This is the tcpdump-workers list. >> Visit https://cod.sandelman.ca/ to unsubscribe. > Thanks for the answer, > > just one more question. > If I just wanna get the data without the layer 2 stuff can I use > something like this: > > payload = (u_char *)(packet + size_ip + size_tcp); > > I do only need the data from layers 3 - 7.
No, that is not correct. You need to determine which link layer protocol is being used (the DLT). If it is an Ethernet network, you can strip the ethernet header doing: payload=packet + 14 where 14 is the length of the Ethernet header. If you are not on an ethernet network, you have to replace that 14 with the appropriate length of the link headers. Regards, Luis. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
