Hello Guy,

Monday, December 8, 2003, 8:33:25 PM, you wrote:


GH> On Dec 8, 2003, at 5:22 AM, kifah Abbad wrote:

>> Hi everyone,
>>
>> When I do tcpdump on encapsulation interface gif0 (used for an ipsec
>> bridge) I
>> get perfect results:

GH>     ...

>> But when I use my own sniffer (based on the pcap tutorial sniffer) I
>> get pretty
>> weird results. Although I removed the parts with the ethernet header,
>> and added
>> a filter:
>>
>>
>> /* -- Define our packet's attributes -- */
>>         ethernet = (struct sniff_ethernet*)(packet);
>>         //In our case we are sniffing on gif interface...ip packets
>>         //ip = (struct sniff_ip*)(packet + size_ethernet);
>>         ip = (struct sniff_ip*)(packet);


GH> A quick look at the current CVS version of "sys/net/if_gif.c" in 
GH> OpenBSD shows

GH>     #if NBPFILTER > 0
GH>             bpfattach(&sc->gif_if.if_bpf, &sc->gif_if, DLT_NULL,
GH>                     sizeof(u_int));
GH>     #endif

GH> The "DLT_NULL" indicates that packets that you get with BPF on an gifN
GH> interface will *NOT* just be raw IP packets; instead, they will begin
GH> with a 4-byte AF_ value, which would presumably be AF_INET (IPv4) or
GH> AF_INET6 (IPv6).

GH> Any application that captures packets should use "pcap_datalink()" to
GH> get the DLT_ value for the packet header, and, based on the value it
GH> returns, interpret the raw packet data.  (That's what tcpdump does,
GH> which is why it works in gifN devices.)


Thanks... that was a great help... I will definitely have a closer look
at the DLT_NULL value and AF_INET

-- 
Best regards,
 Kifah                            mailto:[EMAIL PROTECTED]

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
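The following is an added example, not code from this thread, from OpenBSD or from libpcap. It shows the dispatch that Guy describes: a capture program takes the DLT_ value (in a real program from `pcap_datalink()` on the handle returned by `pcap_open_live()`), works out how many bytes precede the IP header, and for DLT_NULL reads the 4-byte AF_ value instead of treating the buffer as raw IP. The DLT_ numbers are libpcap's, defined locally so the file compiles without libpcap; the sample packets are constructed. The byte-order check in `null_family_of` is the same heuristic tcpdump's DLT_NULL printer uses, because the AF_ value is written in the host byte order of the capturing machine and a savefile read on a machine of the other endianness shows it swapped. Note that only AF_INET is 2 everywhere; AF_INET6 is 24 on the BSDs, 30 on macOS and 10 on Linux, so the IP version nibble is the portable way to tell v4 from v6.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* DLT_ values as numbered by libpcap; defined here only so this example
 * builds without <pcap.h>. A real program gets the value from pcap_datalink(). */
#ifndef DLT_NULL
#define DLT_NULL    0    /* BSD loopback / gifN: 4-byte AF_ value first  */
#endif
#ifndef DLT_EN10MB
#define DLT_EN10MB  1    /* Ethernet: 14-byte header first               */
#endif
#ifndef DLT_RAW
#define DLT_RAW     12   /* raw IP: nothing in front of the IP header    */
#endif

#define AF_INET_VALUE 2  /* AF_INET is 2 on every common OS */

/* Bytes that sit in front of the IP header for a link type,
 * or -1 for a link type this example does not handle. */
int link_header_len(int dlt) {
    switch (dlt) {
    case DLT_NULL:   return 4;
    case DLT_EN10MB: return 14;   /* ignores 802.1Q tags for brevity */
    case DLT_RAW:    return 0;
    default:         return -1;
    }
}

/* Read the DLT_NULL address family, normalising byte order the way tcpdump
 * does: no AF_ value has its upper 16 bits set, so if they are set the
 * capture came from a machine of the other endianness and we swap.
 * Returns the family, or -1 if the packet is too short. */
long null_family_of(const unsigned char *pkt, size_t len) {
    uint32_t af;
    if (len < 4) return -1;
    memcpy(&af, pkt, 4);                      /* host byte order read */
    if ((af & 0xFFFF0000u) != 0) {
        af = ((af & 0xFF000000u) >> 24) | ((af & 0x00FF0000u) >> 8) |
             ((af & 0x0000FF00u) << 8)  | ((af & 0x000000FFu) << 24);
    }
    return (long)af;
}

/* IP version (4 or 6) of the packet behind the link header,
 * or -1 if the link type is unknown or the packet is truncated. */
int ip_version(int dlt, const unsigned char *pkt, size_t len) {
    int off = link_header_len(dlt);
    if (off < 0 || len < (size_t)off + 1) return -1;
    if (dlt == DLT_NULL && null_family_of(pkt, len) < 0) return -1;
    int v = pkt[off] >> 4;                    /* version nibble */
    return (v == 4 || v == 6) ? v : -1;
}

/* Constructed sample: gif0 capture, AF_INET (2) as a little-endian host
 * wrote it, followed by a minimal 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2). */
static const unsigned char sample_gif_ipv4[24] = {
    0x02, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2
};

/* Constructed sample: same packet as written by a big-endian capturer. */
static const unsigned char sample_gif_swapped[24] = {
    0x00, 0x00, 0x00, 0x02,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2
};

/* Constructed sample: the same IPv4 header behind an Ethernet header. */
static const unsigned char sample_ether_ipv4[34] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2
};

int main(void) {
    printf("gif (DLT_NULL):       family=%ld version=%d\n",
           null_family_of(sample_gif_ipv4, sizeof sample_gif_ipv4),
           ip_version(DLT_NULL, sample_gif_ipv4, sizeof sample_gif_ipv4));
    printf("gif (swapped AF_):    family=%ld version=%d\n",
           null_family_of(sample_gif_swapped, sizeof sample_gif_swapped),
           ip_version(DLT_NULL, sample_gif_swapped, sizeof sample_gif_swapped));
    printf("ethernet (DLT_EN10MB): version=%d\n",
           ip_version(DLT_EN10MB, sample_ether_ipv4, sizeof sample_ether_ipv4));
    /* The bug in the thread: treating a DLT_NULL packet as raw IP reads the
     * AF_ word as the IP header, which is what produced the "weird results". */
    printf("gif treated as DLT_RAW: version=%d (wrong)\n",
           ip_version(DLT_RAW, sample_gif_ipv4, sizeof sample_gif_ipv4));
    return 0;
}
```

The last line of `main` reproduces the original mistake: with the link type assumed to be raw IP, the version nibble is read from the AF_ word and the header is misparsed, which is exactly why the pcap-tutorial sniffer gave odd output on gif0 while tcpdump, which dispatches on `pcap_datalink()`, did not.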