Tuan Ha Ngoc Minh wrote:

I’m currently using your windump source code to develop a software which will be used to detect instruder base on MAC address.

Note that, unless the intruder is on the same LAN segment, the source MAC address on the packet will be the source address of the network interface on your LAN segment of the machine that routed the packet to that LAN segment, not the MAC address of an interface on the machine that sent the packet (that machine might not even *have* a MAC address on the network interface on which it sent the packet).

I have copied and paste one of your example in the Winpcap documentation which filters only UDP packet. I have changed the filter to “arp” then it now captures only ARP packet. What I need to know is how to extract the source (or destination) MAC address from those packets. Could you give me a hint or recommend me any document to help me with that problem ?

If you're capturing on an Ethernet document, see, for example:


The raw data handed to the callback routine, if you're using "pcap_loop()" or "pcap_dispatch()", or returned, if you're using "pcap_next()" or "pcap_next_ex()", will, if you're copying on an Ethernet network, start with an Ethernet header, and have the data for protocol layers above Ethernet, such as ARP, after the Ethernet header. That link shows you what the Ethernet header looks like.

================================================================= This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use

Reply via email to