tcpdump mailing list archives
sniffing and Packet demultiplexing on gif0 on Openbsd
From: "kifah Abbad" <kifah () prz tu-berlin de>
Date: Mon, 08 Dec 2003 14:22:54 +0100
Hi everyone,
When I run tcpdump on the encapsulation interface gif0 (used for an IPsec bridge) I
get perfect results:
-bash-2.05b# tcpdump -i gif0
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0
-bash-2.05b# tcpdump -e -i gif0
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0
14:15:29.976933 0:50:da:51:7d:15 0:60:97:52:5c:d0 ip 66: 10.10.10.10 >
10.10.10.11: icmp: echo request
14:15:29.982502 ip: 10.10.10.11 > 10.10.10.10: icmp: echo reply
I am interested in the part where the packets are encapsulated in IPv4 (the echo
reply line).
But when I use my own sniffer (based on the pcap tutorial sniffer) I get pretty
weird results, although I removed the parts with the Ethernet header and added
a filter:
/* -- Define our packet's attributes -- */
/* Left over from the Ethernet version: on gif0 there is no Ethernet header,
   so this cast is no longer meaningful and the pointer is not used below. */
ethernet = (struct sniff_ethernet*)(packet);
//In our case we are sniffing on gif interface...ip packets
//ip = (struct sniff_ip*)(packet + size_ethernet);
ip = (struct sniff_ip*)(packet);               /* assumes the IP header starts at byte 0 */
//tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
tcp = (struct sniff_tcp*)(packet + size_ip);   /* size_ip: IP header length (20 bytes without options) */
//payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
payload = (u_char *)(packet + size_ip + size_tcp);
printf("Packet number %d has just been sniffed\n", count);
//printf("\tFrom: %s:%d\n", inet_ntoa(ip->ip_src), ntohs(tcp->th_sport));
printf("\tFrom: %s", inet_ntoa(ip->ip_src));
//printf("\tTo: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(tcp->th_dport));
printf("\tTo: %s", inet_ntoa(ip->ip_dst));
/* The payload is raw bytes, not a NUL-terminated C string: %s prints until the
   first zero byte and can read past the end of the captured packet. */
printf("\tPayload: %s\n", payload);
(Got original code from here:
http://www.tcpdump.org/lists/workers/2002/05/msg00174.html)
My Question:
The packets on gif0 seem not to be "precisely" IPv4 packets (or are they?), so did
anyone try to parse or do packet demultiplexing on the gif0 interface? I would be
interested in the way he (she) did it.
Thanks
--
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
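The symptom in the post (an IPv4 cast at byte 0 of the captured frame giving garbage) is what happens when a sniffer hard-codes one link-layer header size instead of asking libpcap which link type the interface uses. On OpenBSD, gif(4) attaches to bpf as DLT_LOOP: every captured packet starts with a 4-byte address-family field in network byte order (DLT_NULL is the same layout with the field in host byte order), and the IP header follows it; the "ip:" prefix in the tcpdump output above is tcpdump's printer for exactly that framing. The program below is an added example, not the poster's sniffer or tcpdump code. It defines the three DLT values itself (the numbers libpcap uses) so it compiles without libpcap; in a real sniffer the value would come from pcap_datalink() after pcap_open_live(), and the frame bytes from the pcap callback. The ICMP echo reply inside it is a constructed packet with zeroed checksums, and build_frame() is a helper written here only to wrap that packet in each link-layer header for the demonstration.

```c
/* Added example: demultiplex IPv4 from a captured frame according to its
 * link-layer type, instead of assuming the IP header is at byte 0 or 14.
 * DLT numbers are libpcap's; pcap.h is deliberately not included so this
 * builds stand-alone.  A real sniffer gets dlt from pcap_datalink(handle). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define DLT_NULL     0   /* BSD loopback: 4-byte AF field, host byte order    */
#define DLT_EN10MB   1   /* Ethernet: 14-byte header, EtherType at offset 12  */
#define DLT_LOOP   108   /* OpenBSD loopback/gif: 4-byte AF, network order    */
#define ETHERTYPE_IPV4 0x0800

struct ipv4_summary {
    uint32_t src, dst;    /* addresses in host byte order */
    uint8_t  proto;       /* 1 = ICMP, 6 = TCP, 17 = UDP */
    size_t   payload_off; /* offset of the transport header within the frame */
    size_t   payload_len; /* bytes after the IP header, per the total-length field */
};

/* Link-layer header length for a DLT, or -1 for a type we do not handle. */
int link_header_len(int dlt)
{
    switch (dlt) {
    case DLT_NULL:
    case DLT_LOOP:   return 4;
    case DLT_EN10MB: return 14;
    default:         return -1;
    }
}

/* 1 if the link-layer header announces an IPv4 packet, else 0. */
static int link_carries_ipv4(int dlt, const unsigned char *frame)
{
    uint32_t af;
    switch (dlt) {
    case DLT_NULL:   memcpy(&af, frame, 4); return af == AF_INET;        /* host order */
    case DLT_LOOP:   memcpy(&af, frame, 4); return ntohl(af) == AF_INET; /* network order */
    case DLT_EN10MB: return ((frame[12] << 8) | frame[13]) == ETHERTYPE_IPV4;
    default:         return 0;
    }
}

/* 0 on success; negative if the frame is unsupported, not IPv4, or truncated.
 * Every offset is checked against caplen, so a short capture cannot be over-read. */
int parse_ipv4_frame(int dlt, const unsigned char *frame, size_t caplen,
                     struct ipv4_summary *out)
{
    int lh = link_header_len(dlt);
    if (lh < 0 || caplen < (size_t)lh + 20) return -1;
    if (!link_carries_ipv4(dlt, frame)) return -2;

    const unsigned char *ip = frame + lh;
    if ((ip[0] >> 4) != 4) return -3;              /* version nibble must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;       /* header length, options included */
    size_t tot = ((size_t)ip[2] << 8) | ip[3];     /* total length field */
    if (ihl < 20 || tot < ihl || caplen < (size_t)lh + tot) return -4;

    memcpy(&out->src, ip + 12, 4); out->src = ntohl(out->src);
    memcpy(&out->dst, ip + 16, 4); out->dst = ntohl(out->dst);
    out->proto = ip[9];
    out->payload_off = (size_t)lh + ihl;
    out->payload_len = tot - ihl;
    return 0;
}

/* Constructed sample: ICMP echo reply 10.10.10.11 -> 10.10.10.10, 4 data bytes,
 * IP and ICMP checksums left as zero (the parser does not verify them). */
static const unsigned char SAMPLE_IP[] = {
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00,
    0x0a,0x0a,0x0a,0x0b, 0x0a,0x0a,0x0a,0x0a,
    0x00,0x00,0x00,0x00, 0x12,0x34,0x00,0x01, 'p','i','n','g' };

/* Demo helper (not part of any capture API): prepend the link-layer header a
 * given DLT would carry.  Returns the frame length, or 0 if out is too small. */
size_t build_frame(int dlt, unsigned char *out, size_t cap)
{
    int lh = link_header_len(dlt);
    if (lh < 0 || cap < (size_t)lh + sizeof SAMPLE_IP) return 0;
    uint32_t af = AF_INET;
    if (dlt == DLT_NULL)      memcpy(out, &af, 4);
    else if (dlt == DLT_LOOP) { af = htonl(af); memcpy(out, &af, 4); }
    else { memset(out, 0, 12); out[12] = 0x08; out[13] = 0x00; }
    memcpy(out + lh, SAMPLE_IP, sizeof SAMPLE_IP);
    return (size_t)lh + sizeof SAMPLE_IP;
}

int main(void)
{
    int dlts[] = { DLT_LOOP, DLT_NULL, DLT_EN10MB };
    unsigned char frame[64];
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    for (size_t i = 0; i < 3; i++) {
        struct ipv4_summary s;
        size_t n = build_frame(dlts[i], frame, sizeof frame);
        if (parse_ipv4_frame(dlts[i], frame, n, &s) != 0) { printf("dlt %d: not IPv4\n", dlts[i]); continue; }
        uint32_t a = htonl(s.src), b = htonl(s.dst);
        inet_ntop(AF_INET, &a, src, sizeof src);
        inet_ntop(AF_INET, &b, dst, sizeof dst);
        printf("dlt %d: %s > %s proto %u, %zu payload bytes at offset %zu\n",
               dlts[i], src, dst, s.proto, s.payload_len, s.payload_off);
    }
    return 0;
}
```

Two things carry over to the poster's sniffer: the offset of the IP header must be chosen from pcap_datalink() (4 for gif0, 14 for an Ethernet interface), and the IP header length must be taken from the IHL field rather than a fixed size_ip, with both checked against the captured length before any pointer is dereferenced.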
Current thread:
- sniffing and Packet demultiplexing on gif0 on Openbsd kifah Abbad (Dec 08)
- Re: sniffing and Packet demultiplexing on gif0 on Openbsd Guy Harris (Dec 08)
- Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd Kifah Abbad (Dec 08)
- Re: Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd kifah Abbad (Dec 10)
- Re: Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd Guy Harris (Dec 10)
- Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd Kifah Abbad (Dec 08)
- Re: sniffing and Packet demultiplexing on gif0 on Openbsd Guy Harris (Dec 08)
