revelation1114
May 20th, 2009, 07:47 PM
Hi everyone,
I've recently started playing around with pcap, and I've got a few questions about the way in which one actually disassembles the packets. I've constructed the following callback function for use with the pcap_loop() function just to play with:
void packet_view(u_char *useless,const struct pcap_pkthdr* pkthdr,const u_char* packet){
const struct eth_arp *ethernet; /* The ethernet header */
const struct ip *ip_hdr; /* The IP header */
const struct tcphdr *tcp; /* The TCP header */
const char *payload; /* Packet payload */
static unsigned int count=0;
u_int size_ip;
u_int size_tcp;
ethernet = (eth_arp*)packet;
ip_hdr = (ip*)(packet+SIZE_ETHERNET);
size_ip = (ip_hdr->ip_hl) << 2; //multiply by four, fancily
tcp = (tcphdr*)(packet+SIZE_ETHERNET+size_ip);
size_tcp = (tcp->th_off) << 2; //multiply by four again
printf("[Packet %d] IP_SIZE: %d\tTCP_SIZE:%d\tDst Port: %x\tSrc Port: %x\n",count++,size_ip,size_tcp,tcp->th_dport,tcp->th_sport);
}
As you can see, I've used the ethernet, ip, and tcp header structs from the header files in netinet and sort of fit the packet into them. I followed the example from libpcap's website here: http://www.tcpdump.org/pcap.htm.
Now, this code will show a source and destination port that look almost completely arbitrary. Even if I set a filter like "port 80" with pcap_compile() and pcap_setfilter(), the result from the callback function is not port 80. Can anyone see a reason for this? I'm new to pcap and networking in general, so if there's a really obvious mistake, feel free to make fun of me.
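Added example, not from the original post or from the libpcap tutorial it links: it shows the reason the ports look arbitrary and the check a capture callback should do before dereferencing header fields. th_sport and th_dport are stored in network byte order, so printing them directly shows the two bytes swapped on a little-endian host (port 80 comes out as 0x5000); ntohs() converts them. The parser below also refuses frames whose captured length (pcap_pkthdr.caplen) is shorter than the headers they claim to carry, because a short snaplen or a malformed packet would otherwise make the struct casts in packet_view read past the end of the captured data. The frame bytes, the summarize_tcp() function and the tcp_summary struct are constructed for this example; it parses the headers by byte offset instead of the netinet structs so it runs on any host without libpcap.

```c
#include <arpa/inet.h>   /* ntohs() */
#include <netinet/in.h>  /* IPPROTO_TCP */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_ETHERNET 14      /* untagged Ethernet II header */
#define ETHERTYPE_IPV4 0x0800

struct tcp_summary {          /* constructed for this example */
    uint32_t ip_hdr_len;      /* IHL * 4 */
    uint32_t tcp_hdr_len;     /* data offset * 4 */
    uint16_t src_port_wire;   /* two wire bytes copied as-is, like tcp->th_sport */
    uint16_t dst_port_wire;
    uint16_t src_port;        /* after ntohs() */
    uint16_t dst_port;
    uint32_t payload_len;
};

/* Copy a 16-bit field out of the frame without assuming alignment.
 * The value is still in network byte order. */
static uint16_t read_u16_wire(const uint8_t *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Parse Ethernet/IPv4/TCP from a captured frame. caplen is the number of
 * bytes actually captured, which can be smaller than the frame on the wire
 * when the snaplen is short. Returns 0 on success, -1 if the frame is not
 * IPv4/TCP or too short to hold the headers it claims to have. */
int summarize_tcp(const uint8_t *frame, uint32_t caplen, struct tcp_summary *out) {
    if (caplen < SIZE_ETHERNET + 20) return -1;                 /* not even a minimal IP header */
    if (ntohs(read_u16_wire(frame + 12)) != ETHERTYPE_IPV4) return -1;

    const uint8_t *ip = frame + SIZE_ETHERNET;
    if ((ip[0] >> 4) != 4) return -1;                           /* version field */
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) << 2;               /* same as ip_hl << 2 */
    if (ihl < 20 || caplen < SIZE_ETHERNET + ihl) return -1;    /* options must be captured too */
    if (ip[9] != IPPROTO_TCP) return -1;
    uint32_t tot_len = ntohs(read_u16_wire(ip + 2));            /* IP total length, network order */
    if (tot_len < ihl + 20 || SIZE_ETHERNET + tot_len > caplen) return -1;

    const uint8_t *tcp = ip + ihl;
    uint32_t doff = (uint32_t)(tcp[12] >> 4) << 2;              /* same as th_off << 2 */
    if (doff < 20 || doff > tot_len - ihl) return -1;

    out->ip_hdr_len = ihl;
    out->tcp_hdr_len = doff;
    out->src_port_wire = read_u16_wire(tcp);                    /* what printf("%x") showed */
    out->dst_port_wire = read_u16_wire(tcp + 2);
    out->src_port = ntohs(out->src_port_wire);                  /* the fix: convert to host order */
    out->dst_port = ntohs(out->dst_port_wire);
    out->payload_len = tot_len - ihl - doff;
    return 0;
}

/* Constructed frame: Ethernet -> IPv4 10.0.0.1 -> 10.0.0.2 -> TCP 50000 -> 80, 4-byte payload. */
static const uint8_t sample_frame[] = {
    /* Ethernet: dst MAC, src MAC, ethertype 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL 0x45, tos, total length 44, id, flags/frag, ttl 64, proto 6, csum, src, dst */
    0x45,0x00, 0x00,0x2c, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP: src 0xc350 (50000), dst 0x0050 (80), seq, ack, doff 5, PSH|ACK, window, csum, urg */
    0xc3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,
    0x50,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    /* payload "GET " */
    0x47,0x45,0x54,0x20
};

int main(void) {
    struct tcp_summary s;
    if (summarize_tcp(sample_frame, sizeof sample_frame, &s) == 0) {
        printf("IP_SIZE: %u\tTCP_SIZE: %u\tpayload: %u bytes\n",
               s.ip_hdr_len, s.tcp_hdr_len, s.payload_len);
        printf("ports as stored on the wire: src 0x%04x dst 0x%04x\n",
               (unsigned)s.src_port_wire, (unsigned)s.dst_port_wire);
        printf("ports after ntohs():         src %u dst %u\n", s.src_port, s.dst_port);
    }
    /* Short snaplen: only 40 bytes captured, so the TCP header is cut off. */
    printf("truncated capture accepted? %s\n",
           summarize_tcp(sample_frame, 40, &s) == 0 ? "yes" : "no");
    return 0;
}
```

Inside a real pcap_loop() callback the same check applies with pkthdr->caplen as the second argument; the length-check failures are the cases where the original struct casts would have read memory beyond the captured packet.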