Thanks for helping me find out what's going on... although it's 
embarrassing...  :o(

On Tuesday 23 April 2002 01:03 pm, Guy Harris wrote:
> Sounds as if something's off by 2 bytes.
>
> The Ethernet header size is 14 bytes; does
>
>       int size_ethernet = sizeof(struct sniff_ethernet);

Yes, however...

The pcap file I was reading at home wasn't the same as what I was reading at 
work. At home I have a DSL connection and I had taken some traffic captures 
on my laptop which appended a PPPoE/PPP header. I ended up doing the 
following to read the IP addresses correctly:

(the named constants are from netinet/if_ether.h)
..
    ethernet = (struct sniff_ethernet*)(packet);
    /* check ether type */
    printf("\tEther encap: ");
    etherEncap = ntohs(ethernet->ether_type);
    switch(etherEncap) {
    case ETH_P_PPP_SES:
        printf("PPPoE (%#x)\n", etherEncap);
        /* following your recommendation */
        /* well, maybe you'd recommend I do:
        ETH_HLEN+PPPOE_LEN */
        etherLen = ETH_HLEN+8;
..

I get the above ether/PPPoE header when I sniff "eth0". When I sniff "ppp0", 
Ethereal displays "Linux cooked capture" just below the frame statistics. 
This leads me to want to figure out how to detect and read those frames 
correctly. (I'll check tcpdump/Ethereal for hints...  :o) )

On another note:

> I would suggest, instead, that you do *NOT* rely on data structures
> having the size, or layout that you'd expect them to have - assume that
> compilers may pad them to put fields on "natural" boundaries or to make
> the structure size a multiple of a "natural" alignment.

Is this why tcpdump does the following? I was looking through the 
tcpdump-3.7.1 source, in print-ip.c (lines 262-287), and there's the following 
section:

..
#ifdef LBL_ALIGN
        /*
         * If the IP header is not aligned, copy into abuf.
         * This will never happen with BPF.  It does happen raw packet
         * dumps from -r.
         */
        if ((long)ip & 3) {
                static u_char *abuf = NULL;
                static int didwarn = 0;

                if (abuf == NULL) {
                        abuf = (u_char *)malloc(snaplen);
                        if (abuf == NULL)
                                error("ip_print: malloc");
                }
                memcpy((char *)abuf, (char *)ip, min(length, snaplen));
                snapend += abuf - (u_char *)ip;
                packetp = abuf;
                ip = (struct ip *)abuf;
                /* We really want libpcap to give us aligned packets */
                if (!didwarn) {
                        warning("compensating for unaligned libpcap packets");
                        ++didwarn;
                }
        }
#endif
..

It caught my attention and I was wondering why it was there.

Thanks again for all of your help,  -Nathan
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
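
Added example (not part of the original message and not tcpdump or libpcap code): one way to find the IPv4 header for the two capture types discussed above, Ethernet with optional PPPoE and "Linux cooked capture", reading fields byte by byte and checking every offset against the captured length instead of casting to structs. The function name ipv4_offset and the LT_/ETYPE_ constant names are this example's own; their values mirror DLT_EN10MB, DLT_LINUX_SLL, ETH_P_IP and ETH_P_PPP_SES, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names are this example's own; values match the libpcap/Linux definitions. */
#define LT_EN10MB       1       /* DLT_EN10MB: plain Ethernet */
#define LT_LINUX_SLL    113     /* DLT_LINUX_SLL: "Linux cooked capture" */
#define ETYPE_IPV4      0x0800  /* ETH_P_IP */
#define ETYPE_PPPOE_SES 0x8864  /* ETH_P_PPP_SES */
#define PPP_IPV4        0x0021  /* PPP protocol number for IPv4 */

/* Constructed sample frames: only the bytes the parser inspects are set. */
const uint8_t eth_ip[34]    = { [12] = 0x08, 0x00, 0x45 };
const uint8_t eth_pppoe[42] = { [12] = 0x88, 0x64, [20] = 0x00, 0x21, 0x45 };
const uint8_t sll_ip[36]    = { [14] = 0x08, 0x00, 0x45 };

/* Big-endian 16-bit read with no alignment or struct-padding assumptions. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Offset of the IPv4 header within the frame, or -1 if the frame is
 * truncated, is not IPv4, or uses a link type this example does not handle. */
long ipv4_offset(int linktype, const uint8_t *pkt, size_t caplen)
{
    size_t off; uint16_t proto;

    if (linktype == LT_EN10MB) {            /* dst(6) src(6) type(2) */
        if (caplen < 14) return -1;
        proto = be16(pkt + 12); off = 14;
    } else if (linktype == LT_LINUX_SLL) {  /* 16 bytes, protocol in last 2 */
        if (caplen < 16) return -1;
        proto = be16(pkt + 14); off = 16;
    } else { return -1; }

    if (proto == ETYPE_PPPOE_SES) {         /* PPPoE hdr(6) + PPP protocol(2) */
        if (caplen < off + 8 || be16(pkt + off + 6) != PPP_IPV4) return -1;
        off += 8;
    } else if (proto != ETYPE_IPV4) { return -1; }

    /* Require a full minimal IPv4 header and version 4 before it is parsed. */
    if (caplen < off + 20 || (pkt[off] >> 4) != 4) return -1;
    return (long)off;
}

int main(void) {
    printf("ethernet:   %ld\n", ipv4_offset(LT_EN10MB, eth_ip, sizeof eth_ip));
    printf("eth+pppoe:  %ld\n", ipv4_offset(LT_EN10MB, eth_pppoe, sizeof eth_pppoe));
    printf("linux sll:  %ld\n", ipv4_offset(LT_LINUX_SLL, sll_ip, sizeof sll_ip));
    return 0;
}
```

With libpcap, the link type argument would come from pcap_datalink() on the opened capture and caplen from the packet header's caplen field.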