tcpdump mailing list archives

Re: sending raw packet using pcap


From: "Chris sun" <lei_sun () comcast net>
Date: Mon, 10 Nov 2003 20:55:46 -0500

Thanks, I tried sending a 64-byte packet and added data after offset 60;
now I received the correct data at offset 60 of the input buffer.
Does this imply that I have to pad the data by 48 bytes after the Ethernet
header, and only after that can I put my payload in?
But take a look at the pcap tutorial http://www.tcpdump.org/pcap.htm

ethernet = (struct sniff_ethernet*)(packet);
ip = (struct sniff_ip*)(packet + size_ethernet);
tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);

The IP stays right after the Ethernet header; there is no padding between
them.
How to explain this?

Thank you!
chris sun
----- Original Message ----- 
From: "Ryan Mooney" <ryan () pcslink com>
To: "Chris sun" <lei_sun () comcast net>
Sent: Monday, November 10, 2003 6:44 PM
Subject: Re: [tcpdump-workers] sending raw packet using pcap



Chris,

On Ethernet (10/100) your minimum packet size is 64B (this and the speed
electrons propagate through copper, ~70% light if memory serves, determine
the maximum distance of the network broadcast domain).  Since there is a
4B CRC at the end (stripped/added by the card) you should always see at
least 60 bytes off of the wire past the network card (actually some cards
allow you to pass up the CRC & packets that fail the CRC, but they are
getting rarer).

If you examine the packets they SHOULD contain appropriate data for as far
out as you padded it; past that I don't know what will be inserted, but it
will almost certainly be non-meaningful from the context of your
application.

The one possibility for data corruption is if you're on different platforms
(IA64/Sparc/Mips/PowerPC vs x86) since they may have different endianness.


Hi:
  I was using pcap (libpcap-2003.10.21) to develop a set of protocols.
The first thing that came up was to make pcap writable; I followed Gary R.
Wright's guide at http://www.kohala.com/start/writepcap.txt.

The only thing I did was modify the pcap_bpf.c file and change the call to
open() from O_RDONLY to O_RDWR, then call write(pd->fd, .....) to write data
into pcap.
I am running my test on RH Linux 7.2. An interesting thing happened: if I
write a packet whose size is smaller than 60 bytes, the receiving program
will always capture a packet sized 60 bytes.  Anything greater than 60 bytes
will show up as the actual buffer size I've written.  The frame I built is
just an Ethernet header followed by some other test data.
In both cases I got the correct Ethernet header, but the following data
is missing and replaced by some strange data. I don't know where it comes
from.

Does anybody know how this could happen? Does pcap automatically append an
IP or TCP header, or whatever data?
Thank you!
chris.

-- 
-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
Ryan Mooney          ryan () pcslink com
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
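
Added example (not part of the original thread, the pcap tutorial, or libpcap): a C sketch of the 60-byte minimum described in the reply and the back-to-back header layout in the tutorial snippet. The payload sits directly after the 14-byte Ethernet header, the sender zero-fills up to 60 bytes itself, and the receiver bounds-checks an explicit length field. build_frame(), parse_frame(), the 2-byte big-endian length field and the 0x88B5 (IEEE local experimental) EtherType are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14  /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETH_MIN_NOFCS 60  /* 64-byte minimum frame minus the 4-byte CRC */
#define LEN_FIELD      2  /* assumed: payload length, big-endian, right after the header */

/* Header, length field, payload, then explicit zero padding up to 60 bytes,
 * so the pad bytes are chosen by the sender. Returns frame length, 0 on error. */
size_t build_frame(uint8_t *out, size_t cap, const uint8_t dst[6], const uint8_t src[6],
                   uint16_t ethertype, const uint8_t *payload, uint16_t plen)
{
    size_t used = ETH_HDR_LEN + LEN_FIELD + (size_t)plen;
    size_t total = used < ETH_MIN_NOFCS ? ETH_MIN_NOFCS : used;
    if (total > cap) return 0;
    memcpy(out, dst, 6);
    memcpy(out + 6, src, 6);
    out[12] = (uint8_t)(ethertype >> 8);  /* byte-wise writes: same wire format */
    out[13] = (uint8_t)(ethertype & 0xff);/* on big- and little-endian hosts    */
    out[14] = (uint8_t)(plen >> 8);
    out[15] = (uint8_t)(plen & 0xff);
    memcpy(out + ETH_HDR_LEN + LEN_FIELD, payload, plen);
    memset(out + used, 0, total - used);
    return total;
}

/* Returns a pointer to the payload and sets *plen, or NULL when the capture is
 * truncated or the length field claims more bytes than were captured. */
const uint8_t *parse_frame(const uint8_t *frame, size_t caplen, uint16_t *plen)
{
    if (caplen < ETH_HDR_LEN + LEN_FIELD) return NULL;
    uint16_t n = (uint16_t)((frame[14] << 8) | frame[15]);
    if ((size_t)n > caplen - (ETH_HDR_LEN + LEN_FIELD)) return NULL;
    *plen = n;  /* padding after the payload is ignored */
    return frame + ETH_HDR_LEN + LEN_FIELD;
}

int main(void)
{
    /* Constructed sample: broadcast dst, locally administered src MAC. */
    const uint8_t dst[6] = {0xff,0xff,0xff,0xff,0xff,0xff}, src[6] = {0x02,0,0,0,0,0x01};
    uint8_t frame[1514];
    uint16_t plen = 0;
    size_t n = build_frame(frame, sizeof frame, dst, src, 0x88B5, (const uint8_t *)"hello", 5);
    const uint8_t *p = parse_frame(frame, n, &plen);
    printf("frame=%zu bytes, payload=%.*s\n", n, p ? (int)plen : 0, p ? (const char *)p : "");
    return 0;
}
```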

