On Dec 8, 2003, at 5:22 AM, kifah Abbad wrote:


Hi everyone,

When I do tcpdump on encapsulation interface gif0 (used for an IPsec bridge) I
get perfect results:

...


But when I use my own sniffer (based on the pcap tutorial sniffer) I get pretty
weird results. Although I removed the parts with the Ethernet header, and added
a filter:



        /* -- Define our packet's attributes -- */
        ethernet = (struct sniff_ethernet*)(packet);
        // In our case we are sniffing on gif interface...ip packets
        // ip = (struct sniff_ip*)(packet + size_ethernet);
        ip = (struct sniff_ip*)(packet);


A quick look at the current CVS version of "sys/net/if_gif.c" in OpenBSD shows

        #if NBPFILTER > 0
                bpfattach(&sc->gif_if.if_bpf, &sc->gif_if, DLT_NULL,
                    sizeof(u_int));
        #endif

The "DLT_NULL" indicates that packets that you get with BPF on a gifN interface will *NOT* just be raw IP packets; instead, they will begin with a 4-byte AF_ value, which would presumably be AF_INET (IPv4) or AF_INET6 (IPv6).

Any application that captures packets should use "pcap_datalink()" to get the DLT_ value for the packet header, and, based on the value it returns, interpret the raw packet data. (That's what tcpdump does, which is why it works in gifN devices.)

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
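
The link-type check recommended in the reply above, as an added example that is not part of the original thread or of tcpdump's code. The names `ipv4_offset`, `LT_NULL`, `LT_EN10MB`, `EX_AF_INET` and the sample packets are assumptions made for illustration; the example goes one step beyond the thread by also accepting a DLT_NULL header written in the opposite byte order, since that 4-byte value is stored in the byte order of the capturing host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values of libpcap's DLT_NULL and DLT_EN10MB, repeated so this builds
 * without pcap.h. In a sniffer, pass pcap_datalink(handle) as linktype. */
enum { LT_NULL = 0, LT_EN10MB = 1 };
#define EX_AF_INET 2u   /* AF_INET is 2 on the BSDs and Linux */

static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Offset of the IPv4 header inside a captured packet, or -1 if the link
 * type is unhandled, the capture is too short, or it is not IPv4. */
int ipv4_offset(int linktype, const unsigned char *pkt, size_t caplen)
{
    size_t off;
    uint32_t family;
    if (linktype == LT_NULL) {
        if (caplen < 4) return -1;
        memcpy(&family, pkt, 4);        /* byte order of the capturing host */
        if (family & 0xffff0000u)       /* written by an opposite-endian host */
            family = swap32(family);
        if (family != EX_AF_INET) return -1;
        off = 4;                        /* skip the 4-byte AF_ value */
    } else if (linktype == LT_EN10MB) {
        if (caplen < 14 || pkt[12] != 0x08 || pkt[13] != 0x00) return -1;
        off = 14;                       /* EtherType 0x0800 = IPv4 */
    } else {
        return -1;                      /* refuse to guess for other DLT_ values */
    }
    if (caplen < off + 20 || (pkt[off] >> 4) != 4) return -1;
    return (int)off;
}

/* Constructed samples (not captured traffic): AF_INET in either byte order,
 * followed by a bare 20-byte IPv4 header. */
const unsigned char sample_le[24] = { 2, 0, 0, 0, 0x45 };
const unsigned char sample_be[24] = { 0, 0, 0, 2, 0x45 };

int main(void)
{
    printf("little-endian AF header: offset %d\n", ipv4_offset(LT_NULL, sample_le, 24));
    printf("big-endian AF header:    offset %d\n", ipv4_offset(LT_NULL, sample_be, 24));
    return 0;
}
```

Casting the packet pointer straight to an IP header, as in the question, reads the AF_ value as the version and header-length byte, which is why the sniffer's output looked wrong while tcpdump's did not.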