On Tue, Apr 23, 2002 at 12:45:05PM -0400, Nathan Jennings wrote:
> 1)  I'm having a problem reading the correct source and dest. IP addresses. 
> Below is an example:
> 
> If the IP addresses are:
> Src: 1.2.3.4
> Dst: 5.6.7.8
> 
> My code prints:
> Src: 3.4.5.6
> Dst: 7.8.20.21

Sounds as if something's off by 2 bytes.

The Ethernet header size is 14 bytes; the code in

> I used the example code from "sniffer.c" as a starting point:
> http://www.tcpdump.org/pcap.htm

does

        int size_ethernet = sizeof(struct sniff_ethernet);

Perhaps the compiler has, for some reason, decided to pad "struct
sniff_ethernet" to 14 bytes.

I would suggest doing

        int size_ethernet = 14;

or, even better, doing

        #define SIZE_ETHERNET   14

and using "SIZE_ETHERNET" instead of "size_ethernet".

> 2)  Why does the sniff_ip struct above have the two #endif's together like 
> below?:

Because the sample code is buggy.  You might want to send Tim Carstens
e-mail about that.

> 3)  When writing libpcap programs, are there any flags I should pass to gcc 
> for structure alignment/packing purposes? I want to write them in a portable 
> way.

If you want to write the code in a portable way, you cannot rely on
flags passed to gcc!  "Portable" doesn't mean "portable to every
platform using GCC", it means "portable".

I would suggest, instead, that you do *NOT* rely on data structures
having the size or layout that you'd expect them to have - assume that
compilers may pad them to put fields on "natural" boundaries or to make
the structure size a multiple of a "natural" alignment.

See, for example, the tcpdump source.  "ether.h" defines ETHER_HDRLEN as
14, and "print-ether.c" uses ETHER_HDRLEN, rather than "sizeof (struct
ether_header)", as the size of an Ethernet header.

Similarly, the structures in "print-isoclns.c" tend to use "u_char
XXX[4]", rather than some integral data type, for 4-byte quantities, as
the packet layouts might not align fields on natural boundaries.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
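
The fixed-offset, byte-wise approach suggested in the message above, as an added example that is not part of the original e-mail or of tcpdump's source; the function names and the sample frame are constructed for illustration. It also shows that reading the IP header at offset 16 instead of 14 reproduces the shifted addresses from the question.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_ETHERNET 14 /* on-the-wire length, never sizeof(struct ...) */
#define IP_MIN_HDRLEN 20

/* Constructed sample frame: Ethernet + IPv4 (1.2.3.4 -> 5.6.7.8) + 4 payload bytes. */
static const unsigned char sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x18, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    1,2,3,4, 5,6,7,8,
    0x14,0x15,0x00,0x50
};

/* Copy the 4-byte addresses found at a given link-header length, bounds-checked.
 * Byte-wise copies avoid any alignment assumption about the capture buffer. */
int addrs_at_offset(const unsigned char *pkt, size_t caplen, size_t l2_len,
                    unsigned char src[4], unsigned char dst[4])
{
    if (caplen < l2_len || caplen - l2_len < IP_MIN_HDRLEN)
        return -1;                       /* truncated capture */
    memcpy(src, pkt + l2_len + 12, 4);   /* IPv4 source address field */
    memcpy(dst, pkt + l2_len + 16, 4);   /* IPv4 destination address field */
    return 0;
}

/* Validate the frame, then read the addresses at the fixed Ethernet offset. */
int parse_ipv4_addrs(const unsigned char *pkt, size_t caplen,
                     unsigned char src[4], unsigned char dst[4])
{
    if (caplen < SIZE_ETHERNET + IP_MIN_HDRLEN)
        return -1;
    if (pkt[12] != 0x08 || pkt[13] != 0x00)   /* EtherType must be IPv4 */
        return -1;
    if ((pkt[SIZE_ETHERNET] >> 4) != 4 || (pkt[SIZE_ETHERNET] & 0x0f) < 5)
        return -1;                             /* bad version or header length */
    return addrs_at_offset(pkt, caplen, SIZE_ETHERNET, src, dst);
}

int main(void)
{
    unsigned char s[4], d[4];
    if (parse_ipv4_addrs(sample_frame, sizeof sample_frame, s, d) == 0)
        printf("offset 14: %u.%u.%u.%u -> %u.%u.%u.%u\n", s[0],s[1],s[2],s[3], d[0],d[1],d[2],d[3]);
    if (addrs_at_offset(sample_frame, sizeof sample_frame, 16, s, d) == 0)
        printf("offset 16: %u.%u.%u.%u -> %u.%u.%u.%u\n", s[0],s[1],s[2],s[3], d[0],d[1],d[2],d[3]);
    return 0;
}
```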
