Re: pcap_next_ex: Packet Data

[Sumit <sumit () elitecore com>]

Dear All,
	Sorry to give you unnecessary reading, I got the clue for my question 
regarding unmatched ethernet header. pcap_datalink() returns 
DLT_LINUX_SLL which consumes 8 bytes against tcpdump reported 6 bytes.
        I still need your guidance for "struct pcap_pkthdr" understanding.

Thanks,

Sumit wrote:
> Dear All,
>     Greetings!!!
>
>     I used libpcap-0.9.4 to write a simple capture program. This program 
> calls pcap_next_ex and return with success. While I print data in hex it 
> is bit different then the same data printed by tcpdump
>
> # tcpdump -vv -e proto UDP and host 203.88.135.214 -XX -n
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 
> bytes
> 15:24:24.732208 00:10:f3:07:43:39 > 00:80:c8:04:dc:1f, ethertype IPv4 
> (0x0800), length 60: IP (tos 0x0, ttl   2, id 57826, offset 0, flags 
> [none], proto 17, length: 38) 203.88.135.209.57825 > 
> 203.88.135.214.40204: [udp sum ok] UDP, length 10
>         0x0000:  0080 c804 dc1f 0010 f307 4339 0800 4500
>         0x0010:  0026 e1e2 0000 0211 308c cb58 87d1 cb58
>         0x0020:  87d6 e1e1 9d0c 0012 7c59 0102 11a3 4c44
>         0x0030:  f53f 0a00 0000 0000 0000 0000
>
> # ./pcap_capture
> pcap_next_ex returned 1
> packet ts/caplen/len 1145872464 732208 62
> Raw Packet contents
> 0000 0001 0006 0010 f307 4339 c0a8 0800
> 4500 0026 e1e2 0000 0211 308c cb58 87d1
> cb58 87d6 e1e1 9d0c 0012 7c59 0102 11a3
> 4c44 f53f 0a00 0000 0000 0000 0000
>
>
> Main difference is extra 2 bytes at the first of pcaket. Also there is 
> not having proper destination H/W Addr; i.e. my machine's MAC, in 
> starting bytes of packet. Do I need to set something or call some pcap 
> routines?
>
> Above output is generaetd from following piece of code
> ...    ...    ...
>         pcap_result = pcap_next_ex(AdapterObject, &header, (const u_char 
> **)&packet);
>         printf("pcap_next_ex returned %d\n", pcap_result);
>         switch (pcap_result) {
>         case 1:
>                 /* A packet was received, nothing to do! */
>                 printf("packet time/caplen/len %u %u %u\n", header->ts, 
> header->caplen, header->len);
>                 printf("Raw Packet contents\n");
>                 for(pcap_result=0 ; pcap_result<header->len ; 
> pcap_result++) {
>                         printf("%02x", packet[pcap_result]);
>                         if((pcap_result%2)) printf(" ");
>                         if(pcap_result < 15) continue;
>                         else if((pcap_result+1)%16 == 0) printf("\n");
>                 }
> ...    ...    ...
>
> I need your guidance in understanding structure
> struct pcap_pkthdr {
>         struct timeval ts;      /* time stamp */
>         bpf_u_int32 caplen;     /* length of portion present */
>         bpf_u_int32 len;        /* length this packet (off wire) */
> };
> Does pcap_next_ex fills all member? As I can see a huge caplen value 
> after my pcap_next_ex returns.
--
 _____     __    __    ____   ____    __    ______
/\  ___\  /\  \ /\  \ /\  \ \/ /\  \ /\  \ /\__   _\
\ \ ____\ \ \  \\_|  \\ \  \_ /\ \  \\ \  \\__ \  \/
 \//\___ \ \ \______ / \ \__\   \ \__\\ \__\  \ \__\
  \/_____/  \/_____ /   \/__/    \/__/ \/__/   \/__/

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.