tcpdump mailing list archives

Re: pcap_next_ex: Packet Data


From: Sumit <sumit () elitecore com>
Date: Tue, 25 Apr 2006 11:07:33 +0530

Oh Guy,
I got everything working properly; it was definitely my own poor looping :O. It was not breaking the loop, and finally the device name was skipped to the default, leaving "any" :-(
Thanks for your time,

P.S.
I submitted libpcap-0.9.4-1.i386.rpm but no one cared about it. Can you tell me if the maintainer is interested in that part? I got an auto-reply about the size of the mail. Please send me a personal address to send it to.

Sumit wrote:
Hello Guy,
Yes, when I applied your suggestion about 'ts' and printed 'ts' properly, everything is as expected now.

    The only confusion that remains is about my pcap_datalink.
...    ...    ...
    char time_format[32];
    ctime_r(&header->ts.tv_sec, time_format);
    time_format[strcspn(time_format, "\n")] = '\0';   /* ctime_r appends a '\n' */
    LOG_INFORMATION("packet time/length/offwire %s %u %u\n",
        time_format, header->caplen, header->len);
    printf ("Raw Packet contents\n");
    /* Only 'caplen' bytes were copied into 'packet'; 'len' is the on-wire size
       and may be larger when a snaplen truncates, so bound the dump by caplen. */
    for(pcap_result=0 ; pcap_result < header->caplen ; pcap_result++) {
        printf("%02x", packet[pcap_result]);
        if((pcap_result%2)) printf(" ");            /* space after every 2 bytes */
        if((pcap_result+1)%16 == 0) printf("\n");   /* newline after every 16 bytes */
    }
    if(header->caplen%16) printf("\n");             /* terminate a partial last row */
...    ...    ...
The above gives me proper output values for the members of 'pcap_pkthdr':

packet time/length/offwire Tue Apr 25 10:55:58 2006
 62 62
Raw Packet contents
0000 0001 0006 0010 f307 4339 4400 0800
4500 0026 fc34 0000 0211 163a cb58 87d1
cb58 87d6 fc33 9d0c 0012 106f 0102 9eb5
4d44 bac5 0800 0000 0000 0000 0000

I'm now seeking buddies' help with DLT_LINUX_SLL.
Thanks again for your support,

Sumit wrote:

Dear Guy,
I'm opening "eth0" only, using pcap_open_live. I found that immediately after that open, calling pcap_list_datalinks returns '1' and dlt_buf contains 'DLT_LINUX_SLL'. If I still forcefully try pcap_set_datalink(pcap_t *p, DLT_EN10MB); I get the error "... type DLT_EN10MB not supported...".

Now looking at your second guideline about 'caplen' and 'len': I'm fine with 'ts' being a structure; moreover, 'ts' is not my concern. I'm anxious to know about the values contained in caplen and len.

Thanks for the response,

Guy Harris wrote:
 >
 > On Apr 24, 2006, at 3:23 AM, Sumit wrote:
 >
 >>                 printf("packet time/caplen/len %u %u %u\n", header->ts, header->caplen, header->len);
 >
 > You can't do that. "header->ts" is a structure, and you can't print a
 > structure with "%u".  What that statement actually does is
 > implementation-dependent, but one thing it's unlikely to do is
 > correctly print the value of header->caplen or header->len.
 >
 > If you want to print the two values from the time stamp, you could do
 >
 >     printf("packet time/caplen/len %ld/%ld %u %u\n", (long)header->ts.tv_sec,
 >         (long)header->ts.tv_usec, header->caplen, header->len);

Guy Harris wrote:

On Apr 24, 2006, at 3:23 AM, Sumit wrote:

The main difference is the extra 2 bytes at the start of the packet. Also, there is no proper destination H/W address, i.e. my machine's MAC, in the starting bytes of the packet. Do I need to set something or call some pcap routines?

One thing you need to do, if you want Ethernet headers on your packets, is capture on a device that's not the "any" device. You do *NOT* get Ethernet headers from capturing on the "any" device. You'd need to open "eth0" to capture on the eth0 adapter.

--
 _____     __    __    ____   ____    __    ______
/\  ___\  /\  \ /\  \ /\  \ \/ /\  \ /\  \ /\__   _\
\ \ ____\ \ \  \\_|  \\ \  \_ /\ \  \\ \  \\__ \  \/
 \//\___ \ \ \______ / \ \__\   \ \__\\ \__\  \ \__\
  \/_____/  \/_____ /   \/__/    \/__/ \/__/   \/__/


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
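The two points Guy makes in this thread (the "any" device hands you DLT_LINUX_SLL rather than Ethernet, and caplen, not len, is the number of bytes actually in the buffer) are easier to see with the 62-byte frame from Sumit's dump decoded as a Linux "cooked" (SLL) header. The example below is added here and is not code from the thread or from libpcap: it embeds those 62 bytes as test input, decodes the 16-byte SLL header (2-byte packet type, 2-byte ARPHRD type, 2-byte address length, 8-byte sender address, 2-byte protocol), which explains both the "extra 2 bytes" and the missing destination MAC, and bounds the hex dump by caplen. The DLT_EN10MB and DLT_LINUX_SLL values are libpcap's; `struct pkthdr`, `struct sll_hdr` and the function names are this example's own, and no libpcap is needed to build it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DLT values as defined in libpcap's pcap/dlt.h. */
#define DLT_EN10MB     1     /* Ethernet */
#define DLT_LINUX_SLL  113   /* Linux "cooked" capture, what the "any" device yields */

/* Fixed link-layer header sizes for those two DLTs. */
#define ETH_HDR_LEN 14
#define SLL_HDR_LEN 16

/* Stand-in (not libpcap's) for the two length members of struct pcap_pkthdr. */
struct pkthdr {
    uint32_t caplen;   /* bytes actually present in the packet buffer */
    uint32_t len;      /* bytes on the wire; exceeds caplen when a snaplen truncates */
};

/* Decoded Linux SLL header (all fields big-endian on the wire). */
struct sll_hdr {
    uint16_t pkttype;  /* 0 = to this host, 1 = broadcast, 2 = multicast, 3 = other host, 4 = sent by us */
    uint16_t hatype;   /* ARPHRD_* value of the underlying link; 1 = Ethernet */
    uint16_t halen;    /* valid bytes in addr[] */
    uint8_t  addr[8];  /* link-layer address of the SENDER only, zero-padded; no destination MAC */
    uint16_t proto;    /* EtherType when hatype is 1, e.g. 0x0800 = IPv4 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Link-layer header length for a DLT, or -1 for types this example does not handle. */
int link_hdr_len(int dlt)
{
    switch (dlt) {
    case DLT_EN10MB:    return ETH_HDR_LEN;
    case DLT_LINUX_SLL: return SLL_HDR_LEN;
    default:            return -1;
    }
}

/* Parse an SLL header; returns 0 on success, -1 if the capture is too short or halen is bogus. */
int parse_sll(const uint8_t *pkt, const struct pkthdr *h, struct sll_hdr *out)
{
    if (h->caplen < SLL_HDR_LEN) return -1;        /* never trust len here, only caplen */
    out->pkttype = be16(pkt);
    out->hatype  = be16(pkt + 2);
    out->halen   = be16(pkt + 4);
    memcpy(out->addr, pkt + 6, 8);
    out->proto   = be16(pkt + 14);
    if (out->halen > 8) return -1;                 /* address cannot exceed its 8-byte field */
    return 0;
}

/* EtherType of the network-layer payload for either DLT; -1 on unsupported DLT or short capture. */
int link_proto(int dlt, const uint8_t *pkt, const struct pkthdr *h, uint16_t *proto)
{
    int hl = link_hdr_len(dlt);
    if (hl < 0 || h->caplen < (uint32_t)hl) return -1;
    if (dlt == DLT_EN10MB) {
        *proto = be16(pkt + 12);                   /* after dst MAC (6) and src MAC (6) */
    } else {
        struct sll_hdr s;
        if (parse_sll(pkt, h, &s) < 0) return -1;
        *proto = s.proto;
    }
    return 0;
}

/* Hex dump bounded by caplen (the bytes that exist), never by len. Returns bytes dumped. */
size_t dump_packet(const uint8_t *pkt, const struct pkthdr *h)
{
    size_t i;
    for (i = 0; i < h->caplen; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15) ? "\n" : (i % 2) ? " " : "");
    if (h->caplen % 16) printf("\n");
    return i;
}

/* The 62-byte DLT_LINUX_SLL frame from Sumit's dump above, used as constructed test input. */
static const uint8_t sll_frame[62] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x00,0x10,0xf3,0x07,0x43,0x39,0x44,0x00, 0x08,0x00,
    0x45,0x00,0x00,0x26,0xfc,0x34,0x00,0x00,0x02,0x11,0x16,0x3a,0xcb,0x58,0x87,0xd1,
    0xcb,0x58,0x87,0xd6,0xfc,0x33,0x9d,0x0c,0x00,0x12,0x10,0x6f,0x01,0x02,0x9e,0xb5,
    0x4d,0x44,0xba,0xc5,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

int main(void)
{
    struct pkthdr h = { sizeof sll_frame, sizeof sll_frame };
    struct pkthdr trunc = { 20, sizeof sll_frame };   /* snaplen cut the copy to 20 bytes */
    struct sll_hdr s;
    uint16_t proto;
    int i;

    if (parse_sll(sll_frame, &h, &s) == 0) {
        printf("SLL pkttype=%u hatype=%u halen=%u sender=", s.pkttype, s.hatype, s.halen);
        for (i = 0; i < s.halen; i++) printf("%02x%s", s.addr[i], i + 1 < s.halen ? ":" : "");
        printf(" proto=0x%04x\n", s.proto);
    }
    if (link_proto(DLT_LINUX_SLL, sll_frame, &h, &proto) == 0)
        printf("network header at offset %d, EtherType 0x%04x\n", link_hdr_len(DLT_LINUX_SLL), proto);
    dump_packet(sll_frame, &trunc);   /* prints 20 bytes even though len says 62 */
    return 0;
}
```

Run on the frame above this reports pkttype 0 (addressed to this host), hatype 1 (Ethernet), a 6-byte sender address 00:10:f3:07:43:39 and protocol 0x0800, so the IPv4 header begins at offset 16 rather than the 14 an Ethernet frame would have. In a real callback the `struct pkthdr` fields come from `pcap_pkthdr`, the DLT from `pcap_datalink()`, and the same caplen bound applies before touching any offset.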

