> 
> GH> Any application that captures packets should use "pcap_datalink()" to
> GH> get the DLT_ value for the packet header, and, based on the value it
> GH> returns, interpret the raw packet data.  (That's what tcpdump does,
> GH> which is why it works in gifN devices.)
> 
> 
> Thanks...that was a great help...I will definitely have a closer look
> at the DLT_NULL value and AF_INET

I added the following code to mine:

        /* link-layer header length in bytes, chosen by DLT_ type */
        switch (pcap_datalink(descr))
        {
        case DLT_EN10MB:
        case DLT_IEEE802:
                link_offset = 14;
                break;
        case DLT_SLIP:
                link_offset = 16;
                break;
        case DLT_PPP:
        case DLT_NULL:
                link_offset = 4;
                break;
        case DLT_RAW:
                link_offset = 0;
                break;
        default:
                fprintf(stderr, "unsupported interface type\n");
                exit(-1);
        }


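And then I added this to decode the IP header (addresses):

        /* the IP header starts right after the link-layer header */
        ip = (struct sniff_ip *)(packet + link_offset);

        printf("\tFrom:    %s", inet_ntoa(ip->ip_src));
        printf("\tTo:      %s\n", inet_ntoa(ip->ip_dst));
        /* ip_len is stored in network byte order */
        printf("\tLen:     %d\n", ntohs(ip->ip_len));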


And it went fine...thanks for the hint.

Now I tried to decode the MAC addresses (source and destination), and thought they
would be coming right after the IP header (etherip)...but no luck.
I tried that by changing the "link_offset" value...to link_offset+20 (20 bytes
IP header)...or in steps for more...until 30...but the values for MAC src and
dst were not true:

So what shift should I do to "catch" the exact address of MAC src and dst? And
the rest of the packet...anyone already has experience with parsing etherip
packets? (I still assume the packets on gif0 are etherip)

-- 
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
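
An added example, not part of the original post or of tcpdump/libpcap code: under RFC 3378 the outer IPv4 header (protocol 97) is followed by a 2-byte EtherIP header and then the encapsulated Ethernet frame, so the inner MAC addresses start at link_offset + IP header length + 2. The function name, result struct and sample bytes are constructed for illustration, and an IPv4 outer header is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERIP_PROTO  97   /* IP protocol number of EtherIP (RFC 3378) */
#define ETHERIP_HLEN   2    /* 4-bit version (3) + 12 reserved bits */
#define INNER_ETH_HLEN 14   /* dst MAC + src MAC + EtherType */

struct inner_eth {          /* hypothetical result type for this example */
    uint8_t  dst[6], src[6];
    uint16_t ethertype;     /* host byte order */
};

/* Constructed sample: DLT_NULL header, IPv4 header (proto 97), EtherIP, Ethernet */
static const uint8_t sample_pkt[] = {
    0x02, 0, 0, 0,
    0x45, 0, 0, 0x24, 0, 0, 0, 0, 0x40, 97, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    0x30, 0x00,
    0x02, 0, 0, 0, 0, 0x02, 0x02, 0, 0, 0, 0, 0x01, 0x08, 0x00 };

/* Returns 0 and fills *out; -1 if truncated or not IPv4 + EtherIP version 3. */
int parse_etherip(const uint8_t *pkt, size_t caplen, size_t link_offset,
                  struct inner_eth *out)
{
    if (caplen < link_offset + 20)
        return -1;                             /* no minimal IPv4 header */
    const uint8_t *ip = pkt + link_offset;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IP options make this > 20 */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != ETHERIP_PROTO)
        return -1;
    size_t eth_off = link_offset + ihl + ETHERIP_HLEN;
    if (caplen < eth_off + INNER_ETH_HLEN)
        return -1;                             /* inner header truncated */
    if ((ip[ihl] >> 4) != 3)
        return -1;                             /* EtherIP version nibble */
    memcpy(out->dst, pkt + eth_off, 6);
    memcpy(out->src, pkt + eth_off + 6, 6);
    out->ethertype = (uint16_t)((pkt[eth_off + 12] << 8) | pkt[eth_off + 13]);
    return 0;
}

int main(void)
{
    struct inner_eth e = {0};
    int rc = parse_etherip(sample_pkt, sizeof sample_pkt, 4, &e);
    printf("rc=%d inner src ..:%02x dst ..:%02x\n", rc, e.src[5], e.dst[5]);
    return rc != 0;
}
```

In a pcap callback, pass the packet pointer, the caplen field of struct pcap_pkthdr and the link_offset chosen from pcap_datalink().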