tcpdump mailing list archives

Re: packets captured with pcap_open_live("any", ...) seem like strange


From: Guy Harris <guy () alum mit edu>
Date: Mon, 16 Nov 2009 12:01:50 -0800


On Nov 15, 2009, at 11:56 PM, d00fy wrote:

> hi all, recently I captured packets from ethernet with libpcap, I found out that packets which were captured with pcap_open_live("any", ...) seem strange, there are two new bytes at the MAC header

There is no MAC header for packets captured on the "any" device.

There is no guarantee that, if you capture from an arbitrary device, the packet will begin with an Ethernet header. In order to properly inspect packets captured with libpcap, or read from a savefile with libpcap, you must call pcap_datalink() on the pcap_t, and use the result to determine what type of header the packets begin with.

DLT_EN10MB means an Ethernet header (the "10MB" is historical - that value is used for all versions of Ethernet, from 10MB/s to 10GB/s; the "10MB" distinguishes regular Ethernet from the old 3MB "experimental" Ethernet, which used a different header).

The header type for the "any" device is DLT_LINUX_SLL. If pcap_datalink() returns DLT_LINUX_SLL, then the packet begins with a header that contains, in order:

        a 2-byte "packet type", in network byte order, which is one of:

                0    packet was sent to us by somebody else

                1    packet was broadcast by somebody else

                2    packet was multicast, but not broadcast, by somebody else

                3    packet was sent by somebody else to somebody else

                4    packet was sent by us

        a 2-byte field, in network byte order, containing a Linux ARPHRD_ value for the link-layer device type;

        a 2-byte field, in network byte order, containing the length of the link-layer address of the sender of the packet (which could be 0);

        an 8-byte field containing that number of bytes of the link-layer address of the sender (if there are more than 8 bytes, only the first 8 are present);

        a 2-byte field containing the Ethernet protocol type for the packet, in network byte order, or containing 1 for Novell 802.3 frames without an 802.2 LLC header or 4 for frames beginning with an 802.2 LLC header.

for instance:
00 00

Packet type - 0, meaning that the packet was sent to your machine.

00 01

Linux ARPHRD_ value - it's network byte order, i.e. big-endian, so that's 1, i.e. ARPHRD_ETHER, so that *particular* frame happened to come from an Ethernet device.

00 06

Length of the link-layer address of the sender of the packet - it's network byte order, so that's 6 bytes.

00 1e c9 56 f8 a2

Link-layer address of the sender = 00:1e:c9:56:f8:a2

f1 00

Padding - the address field is 8 bytes long in the header, so a 6-byte address has to be padded to 8 bytes.

08 00

Ethernet protocol type for the packet - it's network byte order, so it's 0x0800, i.e. IPv4.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
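The header layout and the byte-by-byte walk-through in the mail above, as an added example that is not part of the original message or of libpcap itself: a small C parser for the DLT_LINUX_SLL header, plus a dispatcher that picks the link-layer header length from the pcap_datalink() value instead of assuming Ethernet. The DLT_EN10MB (1) and DLT_LINUX_SLL (113) values are libpcap's well-known constants and ARPHRD_ETHER (1) is Linux's; the sample buffer is constructed from the 16 header bytes in the mail's hex dump, with the IPv4 payload omitted. The function and variable names are this example's own. It needs no libpcap to build, so it can be compiled and run stand-alone.

```c
/* Added example: parse the Linux "cooked" (DLT_LINUX_SLL) header and
 * dispatch on the link type, as Guy Harris describes. Constants are
 * libpcap's/Linux's well-known values; names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_EN10MB     1    /* packet begins with a 14-byte Ethernet header */
#define DLT_LINUX_SLL  113  /* packet begins with the 16-byte SLL header */

#define SLL_HDR_LEN    16
#define SLL_ADDR_LEN   8
#define ARPHRD_ETHER   1    /* Linux ARPHRD_ value for Ethernet devices */

/* Values of the 2-byte SLL "packet type" field */
enum sll_pkttype {
    LINUX_SLL_HOST      = 0,  /* sent to us by somebody else */
    LINUX_SLL_BROADCAST = 1,  /* broadcast by somebody else */
    LINUX_SLL_MULTICAST = 2,  /* multicast, not broadcast, by somebody else */
    LINUX_SLL_OTHERHOST = 3,  /* somebody else to somebody else */
    LINUX_SLL_OUTGOING  = 4   /* sent by us */
};

struct sll_header {
    uint16_t pkttype;
    uint16_t hatype;              /* Linux ARPHRD_ value */
    uint16_t halen;               /* sender address length; may exceed 8 */
    uint8_t  addr[SLL_ADDR_LEN];  /* first min(halen, 8) bytes are meaningful */
    uint16_t protocol;            /* Ethernet type, or 1 / 4 for 802.3 / 802.2 */
};

/* Constructed sample: the 16 header bytes from the hex dump in the mail. */
static const uint8_t sample_sll[SLL_HDR_LEN] = {
    0x00, 0x00,                          /* packet type 0: sent to us */
    0x00, 0x01,                          /* ARPHRD_ETHER */
    0x00, 0x06,                          /* 6-byte sender address */
    0x00, 0x1e, 0xc9, 0x56, 0xf8, 0xa2,  /* 00:1e:c9:56:f8:a2 */
    0xf1, 0x00,                          /* padding to 8 bytes */
    0x08, 0x00                           /* Ethernet type 0x0800: IPv4 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an SLL header from a captured buffer of caplen bytes (caplen as in
 * struct pcap_pkthdr). Returns the header length (16) or 0 if the capture is
 * too short or the packet type is out of range. */
size_t parse_sll(const uint8_t *buf, size_t caplen, struct sll_header *out)
{
    if (caplen < SLL_HDR_LEN) return 0;
    out->pkttype  = be16(buf);
    out->hatype   = be16(buf + 2);
    out->halen    = be16(buf + 4);
    memcpy(out->addr, buf + 6, SLL_ADDR_LEN);
    out->protocol = be16(buf + 14);
    if (out->pkttype > LINUX_SLL_OUTGOING) return 0;
    return SLL_HDR_LEN;
}

/* Return the offset of the network-layer payload for the value that
 * pcap_datalink() returned, and store the Ethernet protocol type in *proto.
 * Returns 0 for a link type this example does not handle or a short capture. */
size_t payload_offset(int dlt, const uint8_t *buf, size_t caplen, uint16_t *proto)
{
    struct sll_header sll;
    switch (dlt) {
    case DLT_EN10MB:
        if (caplen < 14) return 0;
        *proto = be16(buf + 12);   /* Ethernet type follows the two MAC addresses */
        return 14;
    case DLT_LINUX_SLL:
        if (parse_sll(buf, caplen, &sll) == 0) return 0;
        *proto = sll.protocol;
        return SLL_HDR_LEN;
    default:
        return 0;                  /* caller must handle other DLT_ values */
    }
}

int main(void)
{
    struct sll_header h;
    uint16_t proto = 0;
    size_t i, n;

    if (parse_sll(sample_sll, sizeof sample_sll, &h) == 0) return 1;
    n = h.halen > SLL_ADDR_LEN ? SLL_ADDR_LEN : h.halen;  /* only 8 bytes are present */
    printf("type %u hatype %u halen %u addr ", h.pkttype, h.hatype, h.halen);
    for (i = 0; i < n; i++) printf("%s%02x", i ? ":" : "", h.addr[i]);
    printf(" proto 0x%04x\n", h.protocol);

    /* The mistake from the original question: treating the same bytes as Ethernet
     * puts the "type" at offset 12, which is the padding here. */
    payload_offset(DLT_EN10MB, sample_sll, sizeof sample_sll, &proto);
    printf("misread as Ethernet, the type field would be 0x%04x\n", proto);
    return 0;
}
```

Running it on the sample prints the fields exactly as the mail decodes them (type 0, ARPHRD_ETHER, 6-byte address 00:1e:c9:56:f8:a2, protocol 0x0800), and shows that reading the same 16 bytes as an Ethernet header yields a bogus type of 0xf100. The dispatcher is the point of the mail: the per-packet header layout is a property of the pcap_t, so look it up once with pcap_datalink() and never assume DLT_EN10MB.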
