On Thu, Apr 25, 2002 at 02:55:29PM -0400, Nathan Jennings wrote:
> ethernet = (struct sniff_ethernet*)(packet);
> /* check ether type */

Yes, if you're going to be looking past the Ethernet header, you have to look at the Ethernet type. Take a look at "print-ether.c" in the tcpdump source to see the way tcpdump handles the Ethernet header.

> I get the above ether/PPPoE header when I sniff "eth0". When I sniff "ppp0",
> Ethereal displays "Linux cooked capture" just below the frame statistics.

Yes, on Linux, libpcap punts on trying to figure out what the hell the link-layer headers look like (on some PPP devices, there's no PPP header, there's just an IP header; on others, there's a PPP header, which may or may not include the HDLC 0xff 0x03 header; on others, there may be various random amounts of random junk in front of the PPP header), so it just captures in "cooked mode", which means the link-layer header isn't supplied. Instead, libpcap synthesizes a link-layer header from stuff provided by the socket code.

> This leads me to wanting to figure out how to detect and read those frames
> correctly. (I'll check tcpdump/Ethereal for hints... :o) )

See "sll.h" and "print-sll.c" in the tcpdump source for information on that synthesized header.

> > I would suggest, instead, that you do *NOT* rely on data structures
> > having the size, or layout that you'd expect them to have - assume that
> > compilers may pad them to put fields on "natural" boundaries or to make
> > the structure size a multiple of a "natural" alignment.
>
> Is this why tcpdump does the following?

Yes. That's *also* why, as noted, it uses ETHER_HDRLEN, as defined in "ether.h", rather than "sizeof (struct ether_header)" - the latter won't give 14 on at least some versions of GCC for ARM, for example, as those versions of GCC apparently pad some, if not all, structures to a multiple of 4 bytes.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
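The points made in the reply above, as an added example that is not part of the original message or of the tcpdump source: pick the header length from the link-layer type, use fixed byte counts instead of sizeof on a struct, and check the captured length before reading. The helper name link_payload_offset and the sample frames are constructed for illustration; the DLT numbers and header lengths are the ones libpcap uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-layer types as numbered by libpcap. */
#define DLT_EN10MB     1     /* Ethernet */
#define DLT_LINUX_SLL  113   /* Linux "cooked" capture */
/* Fixed byte counts, never sizeof(struct ...), which a compiler may pad. */
#define ETHER_HDRLEN   14    /* dst[6] + src[6] + type[2] */
#define SLL_HDR_LEN    16    /* pkttype, hatype, halen, addr[8], protocol */
#define ETHERTYPE_IP   0x0800

/* Read a big-endian 16-bit field byte by byte: no alignment assumptions. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hypothetical helper: returns the offset of the network-layer payload and
 * stores the protocol type in *proto; -1 on unknown link type or short capture. */
static int link_payload_offset(int dlt, const uint8_t *pkt, size_t caplen,
                               uint16_t *proto)
{
    size_t hdrlen;

    switch (dlt) {
    case DLT_EN10MB:    hdrlen = ETHER_HDRLEN; break;
    case DLT_LINUX_SLL: hdrlen = SLL_HDR_LEN;  break;
    default:            return -1;
    }
    if (caplen < hdrlen)
        return -1;                        /* truncated: stay inside the buffer */
    *proto = get_be16(pkt + hdrlen - 2);  /* type is the last field in both */
    return (int)hdrlen;
}

/* Constructed sample frames: link-layer header plus one payload byte (0x45). */
static const uint8_t sample_ether[] = {
    0, 0, 0, 0, 0, 1,  0, 0, 0, 0, 0, 2,  0x08, 0x00,  0x45 };
static const uint8_t sample_sll[] = {
    0x00, 0x00,  0x02, 0x00,  0x00, 0x00,  0, 0, 0, 0, 0, 0, 0, 0,  0x08, 0x00,  0x45 };

int main(void)
{
    uint16_t proto = 0;
    int off = link_payload_offset(DLT_LINUX_SLL, sample_sll, sizeof sample_sll, &proto);
    printf("cooked capture: payload at %d, protocol 0x%04x\n", off, (unsigned)proto);
    return 0;
}
```

With libpcap, the dlt argument would come from pcap_datalink() and caplen from the pcap_pkthdr passed to the callback.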
