Hi, I have a filter that catches both UDP and TCP packets.
How can I determine after pcap_next_ex whether the caught packet was from UDP or TCP connection?

Thank you
Alex

-----Original Message-----
From: Flamur Rogova [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 11:36 PM
To: winpcap-users@winpcap.polito.it
Subject: Re: [WinPcap-users] packet translation woe's

hi,

> Ethernet(src='\x00\x0e5\x10R@', dst='\x00\x0ff2>\x84',
> data=IP(src='\xc0\xa8dd', dst='D\t\x10\x19', sum=8292, len=64, p=17,
> ttl=128, id=41242, data=UDP(dport=53, sum=2040, sport=1605, ulen=44,
> data='\x16e\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\google\x03com
> \x00\x00\x01\x00\x01')))

this looks like DNS query packet for host www.google.com (UDP transport, destination port 53)

>
> note captured via ethernet. So what is the \x format and how do I
> convert it to something legible?
>
> 3www\google\x03com <- 03 is not a hex value for a period

what you have here is the name of host in dns compressed format. dns protocol utilizes some form of compression of RRs in order to reduce the size of reply messages. you can read more on dns at rfc1035

Flamur Rogova

==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
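Added example, not part of the original thread: one way to tell TCP from UDP in the buffer that pcap_next_ex returns is to read the IPv4 protocol byte (the `p=17` in the quoted dump), checking every offset against the captured length first. The names `classify_frame`, `l4_info` and `sample` are hypothetical, and the code assumes an untagged Ethernet capture carrying IPv4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum l4_kind { L4_TRUNCATED = -1, L4_OTHER = 0, L4_TCP = 6, L4_UDP = 17 };
struct l4_info { enum l4_kind kind; uint16_t sport, dport; }; /* ports stay 0 if no L4 header */

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt and caplen are what pcap_next_ex() hands back as pkt_data and
 * header->caplen. Assumes Ethernet (DLT_EN10MB) framing without VLAN tags. */
struct l4_info classify_frame(const unsigned char *pkt, size_t caplen)
{
    struct l4_info r = { L4_OTHER, 0, 0 };
    const unsigned char *ip;
    size_t ihl;

    if (caplen < 14) { r.kind = L4_TRUNCATED; return r; }
    if (be16(pkt + 12) != 0x0800) return r;          /* EtherType is not IPv4 */
    if (caplen < 14 + 20) { r.kind = L4_TRUNCATED; return r; }

    ip = pkt + 14;                                   /* skip the Ethernet header */
    ihl = (size_t)(ip[0] & 0x0F) * 4;                /* IPv4 header length incl. options */
    if ((ip[0] >> 4) != 4 || ihl < 20) return r;     /* malformed IPv4 header */
    if (ip[9] != 6 && ip[9] != 17) return r;         /* protocol: 6 = TCP, 17 = UDP */
    r.kind = (enum l4_kind)ip[9];

    if (be16(ip + 6) & 0x1FFF) return r;             /* later fragment: no L4 header */
    if (caplen < 14 + ihl + 4) { r.kind = L4_TRUNCATED; return r; }
    r.sport = be16(ip + ihl);                        /* ports sit at the same offsets */
    r.dport = be16(ip + ihl + 2);                    /* in TCP and UDP headers */
    return r;
}

/* Constructed sample: headers rebuilt from the field values in the quoted dump.
 * Fields the dump does not show (version/IHL, TOS, flags/offset) are assumed
 * to be 0x45, 0 and 0; the DNS payload is left out. */
static const unsigned char sample[] = {
    0x00,0x0f,0x66,0x32,0x3e,0x84, 0x00,0x0e,0x35,0x10,0x52,0x40, 0x08,0x00,
    0x45,0x00,0x00,0x40,0xa1,0x1a,0x00,0x00,0x80,0x11,0x20,0x64,
    0xc0,0xa8,0x64,0x64, 0x44,0x09,0x10,0x19,
    0x06,0x45,0x00,0x35,0x00,0x2c,0x07,0xf8
};

int main(void)
{
    struct l4_info r = classify_frame(sample, sizeof sample);
    printf("proto=%d sport=%u dport=%u\n", (int)r.kind, r.sport, r.dport);
    return 0;
}
```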