Re: pcap_next_ex: Packet Data

[Sumit <sumit () elitecore com>]

Hello Guy,
	Yes when I applied your suggession about 'ts' and made printing of 'ts' 
properly then everything is as per expected now.

        Only confusion remains is about my pcap_datalink.
...     ...     ...
        char time_format[32];
        ctime_r(&header->ts.tv_sec, time_format);
        LOG_INFORMATION("packet time/length/offwire %s %u %u\n",
                time_format, header->caplen, header->len);
        printf ("Raw Packet contents\n");
        for(pcap_result=0 ; pcap_result < header->len ; pcap_result++) {
                printf("%02x", packet[pcap_result]);
                if((pcap_result%2)) printf(" ");
                if(pcap_result < 15) continue;
                else if((pcap_result+1)%16 == 0) printf("\n");
        }
...     ...     ...
Above gives me proper output value for members of 'pcap_pkthdr'

packet time/length/offwire Tue Apr 25 10:55:58 2006
 62 62
Raw Packet contents
0000 0001 0006 0010 f307 4339 4400 0800
4500 0026 fc34 0000 0211 163a cb58 87d1
cb58 87d6 fc33 9d0c 0012 106f 0102 9eb5
4d44 bac5 0800 0000 0000 0000 0000

I'm now seeking buddies help for DLT_LINUX_SLL.
Thanks again for your support,

Sumit wrote:
> Dear Guy,
>     I'm opening "eth0" only using pcap_open_live. I found that 
> immediately after that open, calling pcap_list_datalinks returns me '1' 
> and dlt_buf contains 'DLT_LINUX_SLL'. If still I forcefully try doing 
> pcap_set_datalink(pcap_t *p, DLT_EN10MB); I get error "... type 
> DLT_EN10MB not supported...".
>
>     Now looking to your second guideline about 'caplen' and 'len'. I'm 
> fine that 'ts' is structure, moreover 'ts' is not my concern, I'm 
> anxious to know about the values contained into caplen and len.
>
> Thanks for responce,
>
> Guy Harris wrote:
>  >
>  > On Apr 24, 2006, at 3:23 AM, Sumit wrote:
>  >
>  >>                 printf("packet time/caplen/len %u %u %u\n", header-
>  >> >ts, header->caplen, header->len);
>  >
>  >
>  > You can't do that.  "header->ts" is a structure, and you can't print  a
>  > structure with "%u".  What that statement actually does is
>  > implementation-dependent, but one thing it's unlikely to do is
>  > correctly print the value of header->caplen or header->len.
>  >
>  > If you want to print the two values from the time stamp, you could do
>  >
>  >     printf("packet time/caplen/len %d/%d %u %u\n", header->ts.tv_sec,
>  > header->ts.tv_usec, header->caplen, header->len);
>
> Guy Harris wrote:
>
> > On Apr 24, 2006, at 3:23 AM, Sumit wrote:
> >
> > > Main difference is extra 2 bytes at the first of pcaket. Also there  
> > > is not having proper destination H/W Addr; i.e. my machine's MAC,  in 
> > > starting bytes of packet. Do I need to set something or call  some 
> > > pcap routines?
> >
> >
> >
> > One thing you need to do, if you want Ethernet headers on your  
> > packets, is capture on a device that's not the "any" device.  You do  
> > *NOT* get Ethernet headers from capturing on the "any" device.  You'd  
> > need to open "eth0" to capture on the eth0 adapter. 
--
 _____     __    __    ____   ____    __    ______
/\  ___\  /\  \ /\  \ /\  \ \/ /\  \ /\  \ /\__   _\
\ \ ____\ \ \  \\_|  \\ \  \_ /\ \  \\ \  \\__ \  \/
 \//\___ \ \ \______ / \ \__\   \ \__\\ \__\  \ \__\
  \/_____/  \/_____ /   \/__/    \/__/ \/__/   \/__/

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.