Hi everyone,

I've recently started playing around with pcap, and I've got a few questions about the way in which one actually disassembles the packets. I've constructed the following callback function for use with the pcap_loop() function just to play with:

Code:
void packet_view(u_char *useless,const struct pcap_pkthdr* pkthdr,const u_char* packet){
	const struct eth_arp *ethernet; /* The ethernet header */
	const struct ip *ip_hdr;              /* The IP header */
	const struct tcphdr *tcp;            /* The TCP header */
	const char *payload;                 /* Packet payload */
	static unsigned int count=0;

	u_int size_ip;
	u_int size_tcp;

	ethernet = (eth_arp*)packet;

	ip_hdr = (ip*)(packet+SIZE_ETHERNET);
	size_ip = (ip_hdr->ip_hl) << 2;			//multiply by four, fancily

	tcp = (tcphdr*)(packet+SIZE_ETHERNET+size_ip);
	size_tcp = (tcp->th_off) << 2;                        //multiply by four again

	printf("[Packet %d] IP_SIZE: %d\tTCP_SIZE:%d\tDst Port: %x\tSrc Port: %x\n",count++,size_ip,size_tcp,tcp->th_dport,tcp->th_sport);
}
As you can see, I've used the ethernet, ip, and tcp header structs from the header files in netinet and sort of fit the packet into them. I followed the example from libpcap's website here: http://www.tcpdump.org/pcap.htm.

Now, this code will show a source and destination port that look almost completely arbitrary. Even if I set a filter like "port 80" with pcap_compile() and pcap_setfilter(), the result from the callback function is not port 80. Can anyone see a reason for this? I'm new to pcap and networking in general, so if there's a really obvious mistake, feel free to make fun of me.
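An added example, not part of the original post: the TCP port fields (th_sport, th_dport) are carried in network byte order, so printing them without ntohs() on a little-endian host shows port 80 (0x0050) as 0x5000. The sketch below goes beyond the post by validating the captured length and both header-length fields before reading the ports, and by copying bytes instead of overlaying structs. The names parse_tcp_ports and sample_frame are hypothetical, SIZE_ETHERNET is assumed to be 14, and the frame is constructed sample data.

```c
#include <arpa/inet.h>   /* ntohs */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_ETHERNET 14   /* assumed value for the post's constant */

/* Returns 0 and fills host-order ports, or a negative code on a packet
 * that is truncated, malformed, or not IPv4/TCP. */
int parse_tcp_ports(const uint8_t *pkt, size_t caplen,
                    uint16_t *sport, uint16_t *dport)
{
    uint16_t ethertype, raw;
    size_t size_ip, off;

    if (caplen < SIZE_ETHERNET + 20) return -1;      /* no room for min IP header */
    memcpy(&ethertype, pkt + 12, 2);
    if (ntohs(ethertype) != 0x0800) return -2;       /* not IPv4 */

    const uint8_t *ip = pkt + SIZE_ETHERNET;
    if ((ip[0] >> 4) != 4) return -2;                /* IP version is not 4 */
    size_ip = (size_t)(ip[0] & 0x0f) << 2;           /* ip_hl counts 32-bit words */
    if (size_ip < 20) return -3;                     /* invalid header length */
    if (ip[9] != 6) return -4;                       /* protocol is not TCP */

    off = SIZE_ETHERNET + size_ip;
    if (caplen < off + 20) return -1;                /* TCP header truncated */
    if ((size_t)(pkt[off + 12] >> 4) << 2 < 20) return -3;   /* th_off invalid */

    memcpy(&raw, pkt + off, 2);     *sport = ntohs(raw);   /* network -> host */
    memcpy(&raw, pkt + off + 2, 2); *dport = ntohs(raw);
    return 0;
}

/* Constructed sample frame: Ethernet + IPv4 (ihl=5) + TCP, 49152 -> 80. */
static const uint8_t sample_frame[54] = {
    [12] = 0x08, [13] = 0x00,              /* EtherType IPv4 */
    [14] = 0x45, [23] = 0x06,              /* version 4, ihl 5; protocol TCP */
    [34] = 0xc0, [35] = 0x00,              /* source port 49152 */
    [36] = 0x00, [37] = 0x50,              /* destination port 80 */
    [46] = 0x50                            /* th_off = 5 */
};

int main(void)
{
    uint16_t s, d;
    if (parse_tcp_ports(sample_frame, sizeof sample_frame, &s, &d) == 0)
        printf("src %u dst %u\n", s, d);
    return 0;
}
```

In a pcap_loop() callback the caplen argument would come from pkthdr->caplen, which can be smaller than the packet's length on the wire.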