tcpdump mailing list archives

Re: some problem in the source code


From: "Peter Sandford" <P.Sandford () lboro ac uk>
Date: Thu, 9 Dec 2004 16:34:54 -0000

Hi again,

Any will return a header of type DLT_LINUX_SLL. 

It's defined here: (From the man page)
-----------------------------------
DLT_LINUX_SLL
    Linux "cooked" capture encapsulation; the link layer header
    contains, in order:

        a 2-byte "packet type", in network byte order, which is one of:

            0
                packet was sent to us by somebody else
            1
                packet was broadcast by somebody else
            2
                packet was multicast, but not broadcast, by somebody else
            3
                packet was sent by somebody else to somebody else
            4
                packet was sent by us

        a 2-byte field, in network byte order, containing a Linux
        ARPHRD_ value for the link layer device type;

        a 2-byte field, in network byte order, containing the length of
        the link layer address of the sender of the packet (which could
        be 0);

        an 8-byte field containing that number of bytes of the link
        layer header (if there are more than 8 bytes, only the first 8
        are present);

        a 2-byte field containing an Ethernet protocol type, in network
        byte order, or containing 1 for Novell 802.3 frames without an
        802.2 LLC header or 4 for frames beginning with an 802.2 LLC
        header.

-----------------------------------

To handle this, if you are only using the any device, then you could
simply create a structure like this one to replace your Ethernet one
(ether_header).

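#include <sys/types.h>          /* u_short */

/* DLT_LINUX_SLL header, 16 bytes; 2-byte fields are in network byte order */
struct dlt_linux_sll
{
        u_short packet_type;    /* 0-4, see the list above */
        u_short ARPHRD;         /* Linux ARPHRD_ device type */
        u_short slink_length;   /* length of the sender's link layer address */
        u_short bytes[4];       /* 8-byte sender address field */
        u_short ether_type;     /* Ethernet protocol type; convert with ntohs() */
};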

Cast your packet as this, and then read ether_type as before.

- Pete

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of aman Reddy
Sent: 09 December 2004 16:16
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] some problem in the source code

Hi Peter,
 
  But one thing I didn't understand is if I keep "any" as the first
argument to the pcap_open_live() then it will capture packets coming
from the devices like eth0 or eth1 which are ethernet type.
 
You mean if I capture packet using eth0 interface then I will get ethernet
link layer header and using "any" I will get different header type. Then
how to dissect this kind of packet.
 
Please help me,
 
Regards,
Aman.

                
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
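
Added example (not part of the original messages): a bounds-checked decoder for the DLT_LINUX_SLL header laid out in the man page excerpt above. It reads the fields byte by byte instead of casting the packet, checks the captured length first, and clamps the sender address length to the 8 bytes that are actually present. The names sll_info, sll_parse, be16 and sample_sll are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLL_HDR_LEN  16  /* 2 + 2 + 2 + 8 + 2 bytes, per the man page layout */
#define SLL_ADDR_MAX 8   /* only the first 8 address bytes are ever present */

struct sll_info {        /* hypothetical name; all values in host byte order */
    uint16_t packet_type, arphrd, addr_len, protocol;
    uint8_t  addr[SLL_ADDR_MAX];
    const uint8_t *payload;  /* first byte after the cooked header */
    size_t   payload_len;
};

/* Read a big-endian 16-bit value byte by byte: no alignment assumptions. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Call only when pcap_datalink() reported DLT_LINUX_SLL; caplen is the
 * captured length from the pcap_pkthdr. Returns 0 on success, -1 if the
 * capture is too short to contain the whole header. */
int sll_parse(const uint8_t *pkt, size_t caplen, struct sll_info *out)
{
    if (pkt == NULL || out == NULL || caplen < SLL_HDR_LEN)
        return -1;
    out->packet_type = be16(pkt);
    out->arphrd      = be16(pkt + 2);
    out->addr_len    = be16(pkt + 4);
    if (out->addr_len > SLL_ADDR_MAX)  /* field can claim more than is stored */
        out->addr_len = SLL_ADDR_MAX;
    memset(out->addr, 0, sizeof out->addr);
    memcpy(out->addr, pkt + 6, out->addr_len);
    out->protocol    = be16(pkt + 14);
    out->payload     = pkt + SLL_HDR_LEN;
    out->payload_len = caplen - SLL_HDR_LEN;
    return 0;
}

/* Constructed sample: type 0, ARPHRD 1 (Ethernet), 6-byte sender address,
 * protocol 0x0800 (IPv4), followed by two payload bytes. */
static const uint8_t sample_sll[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00,
    0x08,0x00, 0x45,0x00 };

int main(void)
{
    struct sll_info i;
    if (sll_parse(sample_sll, sizeof sample_sll, &i) != 0) return 1;
    printf("type=%u proto=0x%04x payload=%zu\n", i.packet_type, i.protocol, i.payload_len);
    return 0;
}
```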
