On Wed, Jun 05, 2002 at 10:01:13PM +0800, Iain McAleer wrote:
> I wrote a sniffer making use of pcap's packet capturing. I appear to be
> getting the right device number for it; however, I'm not getting the right IP
> protocol number. I'm using the structures in netinet/ip.h for the IP
> protocol, which is alright, apart from the fact that I get a weird protocol number
> for it: I appear to be getting 56320 for TCP packets, which, from what I
> understand, should in fact be either 6 or 0, 6 being the TCP number and 0
> being the TCP dummy number, as defined in netinet/in.h and /etc/protocols.

Well, you may not be using that structure correctly.

The packet data returned by libpcap typically contains a link-layer
header at the beginning; the type of link-layer header depends on the
value returned by "pcap_datalink()" - for example, if it's DLT_EN10MB,
it's an Ethernet header.

You'd probably need to look at the link-layer header to determine what
follows that header; for example, on Ethernet, you'd have to look at the
type/length field, and:

        if the type/length field is <= 1500, it's a length field, and
        the link-layer header is probably followed by an IEEE 802.2 LLC
        header;

        if the type/length field is > 1500, it's a type field - a value
        of 0x0800 means "IPv4".

Note that the type/length is big-endian, so don't just treat it as if it
were a number in memory - use "ntohs()" to convert it to host byte
order, or fetch it a byte at a time and assemble it yourself.

For an 0x0800 Ethernet packet, an IP header would follow the link-layer
header.  Note that there is no guarantee that the IP header is aligned
on a 4-byte boundary, so you should either copy it if it's not aligned
(as tcpdump does) or fetch items from it by picking up individual bytes
and reassembling them (as Ethereal does).

I would strongly suggest looking at the tcpdump code for parsing
link-layer, 802.2 LLC, and IP headers.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
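As an added example (not code from the original post or from tcpdump), here is the decoding the reply describes for a DLT_EN10MB frame: read the Ethernet type/length field with ntohs(), treat values <= 1500 as an 802.2 LLC length, and for EtherType 0x0800 fetch the IPv4 protocol byte by offset so header alignment never matters. The function name and the sample frames are constructed for illustration.

```c
/* Added example (not from the original post): decode a DLT_EN10MB frame as
 * the reply describes. The type/length field is read with ntohs(), and the
 * IPv4 protocol byte is fetched by offset, so alignment never matters. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define ETHER_HDR_LEN 14

/* Returns the IPv4 protocol number (6 for TCP, 17 for UDP, ...).
 * Returns -2 when type/length <= 1500 (an IEEE 802.2 LLC header follows,
 * which would need its own decoding) and -1 for anything that is not a
 * complete EtherType-0x0800 IPv4 frame. */
int ip_proto_from_ethernet(const uint8_t *pkt, size_t caplen)
{
    uint16_t type_len;

    if (caplen < ETHER_HDR_LEN)
        return -1;

    /* Big-endian on the wire: copy out the two bytes, then ntohs(). */
    memcpy(&type_len, pkt + 12, sizeof type_len);
    type_len = ntohs(type_len);

    if (type_len <= 1500)
        return -2;
    if (type_len != 0x0800)
        return -1;

    /* IPv4 header: version/IHL at offset 0, protocol at offset 9. */
    if (caplen < ETHER_HDR_LEN + 20 || (pkt[ETHER_HDR_LEN] >> 4) != 4)
        return -1;
    return pkt[ETHER_HDR_LEN + 9];
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t tcp_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, /* proto 6 */
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02 };           /* 192.0.2.1 -> .2 */
static const uint8_t llc_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x40,
    0xaa,0xaa,0x03 };                                      /* length 64, SNAP */
```

Calling ip_proto_from_ethernet(tcp_frame, sizeof tcp_frame) yields 6, the TCP number the original poster expected, while the LLC frame is flagged for further decoding rather than misread as an IP header.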