tcpdump mailing list archives

Re: LIBPCAP: ULOG iptables capturing


From: Guy Harris <guy () alum mit edu>
Date: Fri, 12 Sep 2003 11:21:52 -0700


On Sep 12, 2003, at 4:36 AM, Johan Verrept wrote:

> This is the header supplied by the ulog module.

Unfortunately, it uses "long"s and "size_t"s, so it's not exactly fixed-length - the length depends on the length of "long" on the platform on which you're running.

However, the only variable-length fields are "mark", the time stamp fields, and "data_len".

The time stamp fields would go into the per-packet header time stamp, so you don't need to put them in the fake link-layer header.

If "data_len" is the length of data in "payload", it'd go into the per-packet header also, as both the length and captured length. (I assume there's no way to cut the payload short to some "snapshot length", so that you always get the entire packet.)

What is the mark field? If it's useful, you could probably extend it to 64 bits on 32-bit platforms.

> The MAC field contains a copy of the ethernet header when the packet is captured on the input hook.

OK, so it's a MAC header, not just a MAC address.

> Maybe we can just use the ulog_packet_msg header?

Unfortunately, its size, and the offsets of the fields, depend on the platform doing the logging.

> I have a question. Is there some function in libpcap that allows the user to extract a pointer to a protocol type it knows (and needs) regardless of the exact DLT_ type? ie, I want the IP header from DLT_x, which returns a pointer or NIL if this layer isn't present. This would make it easier to handle unknown DLT_ types without code duplication.

Unfortunately, no, but it might be a useful function either in libpcap or some higher-level library. (I'd be inclined to put it in a higher-level library; not all libpcap applications would use it - tcpdump and Ethereal, for example, want to handle unknown DLT_ types by converting them to *known* DLT_ types and parsing the link-layer header.)

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
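The function Johan asks for and Guy places in a "higher-level library" (a pointer to the IP header, or NULL, regardless of the DLT_ type) can be written as a small dispatch on the link-layer type. The following is an added example, not code from this thread, from libpcap or from the ulog module. It goes slightly beyond the message by also skipping 802.1Q VLAN tags on Ethernet, and it returns NULL for an unknown DLT_ value, for a frame that does not carry IPv4, and for a capture too short to hold a full 20-byte IPv4 header (the "snapshot length" case Guy mentions). The DLT_ values are the standard ones from libpcap's pcap/dlt.h, copied into local defines so the file compiles without libpcap installed; the frames at the bottom are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-layer type values as defined by libpcap (pcap/dlt.h); defined
 * locally so this example builds without libpcap. */
#define DLT_EN10MB     1      /* Ethernet */
#define DLT_LINUX_SLL  113    /* Linux "cooked" capture */
#define DLT_IPV4       228    /* raw IPv4, no link-layer header */

#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_VLAN  0x8100
#define ETHER_HDR_LEN   14
#define SLL_HDR_LEN     16
#define IPV4_MIN_HDR    20

static uint16_t get16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Return a pointer to the IPv4 header inside a captured packet, or NULL if
 * the DLT is unknown, the frame does not carry IPv4, or caplen is too short
 * to contain a complete IPv4 header. Every access is bounded by caplen. */
const uint8_t *find_ipv4_header(int dlt, const uint8_t *pkt, size_t caplen)
{
    size_t off;
    uint16_t ethertype;

    switch (dlt) {
    case DLT_IPV4:
        off = 0;
        break;
    case DLT_EN10MB:
        if (caplen < ETHER_HDR_LEN) return NULL;
        ethertype = get16be(pkt + 12);
        off = ETHER_HDR_LEN;
        /* Skip any 802.1Q tags (4 bytes each) in front of the payload. */
        while (ethertype == ETHERTYPE_VLAN) {
            if (caplen < off + 4) return NULL;
            ethertype = get16be(pkt + off + 2);
            off += 4;
        }
        if (ethertype != ETHERTYPE_IP) return NULL;
        break;
    case DLT_LINUX_SLL:
        /* Cooked header: 2 pkttype, 2 ARPHRD_, 2 addr len, 8 addr, 2 proto. */
        if (caplen < SLL_HDR_LEN) return NULL;
        if (get16be(pkt + 14) != ETHERTYPE_IP) return NULL;
        off = SLL_HDR_LEN;
        break;
    default:
        return NULL;  /* unknown DLT_: caller must handle it some other way */
    }

    if (caplen < off + IPV4_MIN_HDR) return NULL;
    if ((pkt[off] >> 4) != 4) return NULL;  /* version nibble must be 4 */
    return pkt + off;
}

/* Convenience wrapper: the IPv4 "protocol" field, or -1 if no IPv4 header. */
int ipv4_protocol(int dlt, const uint8_t *pkt, size_t caplen)
{
    const uint8_t *ip = find_ipv4_header(dlt, pkt, caplen);
    return ip ? ip[9] : -1;
}

/* Constructed sample frames, each carrying the same minimal IPv4 header
 * (total length 20, TTL 64, protocol 17/UDP, 10.0.0.1 -> 10.0.0.2). */
#define SAMPLE_IPV4 0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00, \
                    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
const uint8_t sample_eth[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    SAMPLE_IPV4 };
const uint8_t sample_vlan[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00, SAMPLE_IPV4 };
const uint8_t sample_sll[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x66,0x77,0x88,0x99,0xaa,0xbb,0x00,0x00,
    0x08,0x00, SAMPLE_IPV4 };

int main(void)
{
    printf("eth  proto=%d\n", ipv4_protocol(DLT_EN10MB, sample_eth, sizeof sample_eth));
    printf("vlan proto=%d\n", ipv4_protocol(DLT_EN10MB, sample_vlan, sizeof sample_vlan));
    printf("sll  proto=%d\n", ipv4_protocol(DLT_LINUX_SLL, sample_sll, sizeof sample_sll));
    printf("short capture -> %d\n", ipv4_protocol(DLT_EN10MB, sample_eth, 30));
    return 0;
}
```

A caller that keeps a DLT_ it does not know still gets NULL rather than a guess, which is the behaviour Johan describes; adding a new link-layer type means adding one case to the switch, not touching every consumer of the IP header.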

