[Winpcap-users] Some (stupid ?) questions from a newbie
david.barnish at spanlink.com
Thu Sep 8 14:42:35 GMT 2005
The packets that you get can contain many different protocols.
The ethernet packet encapsulates other protocols, which in turn can encapsulate other protocols. You will need to go through the encapsulation header to determine what type of packet or data is encapsulated.
As an example, your logic below assumes that you get an Ethernet packet that encapsulates an IP packet (frame?) which in turn encapsulates a UDP datagram which contains data. If you get a TCP datagram rather than a UDP datagram, your logic will break because the layout of bits and bytes in a TCP datagram is different from that of UDP.
In short, you need to write code to look at each encapsulation, and based on the type of packet it encapsulates, use different code to continue drilling down through the packet to get to the data. But this all depends on what your program is supposed to do. If you are looking only for certain types of packets, you can set a filter so you will only get those types of packets, then you only need to drill down enough to get to the data you are interested in. So if you only want UDP packets, then you only need to determine that it is Ethernet, containing IP, containing a UDP packet. If the IP packet contains a TCP packet, you can skip it and process the next packet. I hope this makes sense.
For detailed information on the layout of information in the different packet protocols, go to http://www.protocols.com/. This should answer all your questions about what to expect to see for the different protocols you will see in your packets.
Senior Software Engineer R&D
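The drill-down described above, as an added example in C (not code from the list thread or from the WinPcap project), written the way a pcap callback would do it: check the EtherType, then the IPv4 protocol field, and only parse the UDP header when both match, returning 0 for TCP or truncated captures so the handler skips them. It assumes Ethernet II framing (destination MAC, source MAC, 2-byte EtherType = 14 bytes) and uses a constructed sample frame rather than a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed constants (not from the list thread): Ethernet II header is
   dst MAC (6) + src MAC (6) + EtherType (2) = 14 bytes; IPv4 is 0x0800. */
#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_UDP 17

struct udp_view {                 /* what a UDP-only handler needs */
    uint16_t src_port, dst_port, udp_len;
    const uint8_t *payload;       /* first byte after the 8-byte UDP header */
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Drill down Ethernet -> IPv4 -> UDP. caplen is pkt_header->caplen from pcap.
   Returns 1 and fills *out for a complete UDP packet, 0 for anything else
   (other EtherTypes, TCP, truncated captures) so the caller skips it. */
int parse_eth_ipv4_udp(const uint8_t *pkt, size_t caplen, struct udp_view *out)
{
    if (caplen < ETH_HLEN + 20 || be16(pkt + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IHL field, 20..60 bytes */
    size_t ip_total = be16(ip + 2);                    /* IP total length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip_total < ihl + 8) return 0;
    if (caplen < ETH_HLEN + ip_total) return 0;        /* truncated capture */
    if (ip[9] != IP_PROTO_UDP) return 0;               /* TCP, ICMP, ...: skip */
    const uint8_t *udp = ip + ihl;
    out->src_port = be16(udp);
    out->dst_port = be16(udp + 2);
    out->udp_len  = be16(udp + 4);                     /* UDP header + payload */
    if (out->udp_len < 8 || out->udp_len > ip_total - ihl) return 0;
    out->payload = udp + 8;
    out->payload_len = out->udp_len - 8;
    return 1;
}

/* Constructed sample frame (not a real capture): Ethernet + 20-byte IPv4
   (proto 17) + UDP 1234 -> 53 carrying the 4 bytes "data". */
const uint8_t sample_udp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x04,0xd2,0x00,0x35, 0x00,0x0c,0x00,0x00, 'd','a','t','a' };
```

Note that udp_len (12 here) counts only the UDP header and payload, which is why it never matches the pcap header's caplen or len (46 for this frame).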
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Xavier Mataillet
Sent: Thursday, September 08, 2005 4:18 AM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] Some (stupid ?) questions from a newbie
I'm beginning with Winpcap and, though I've already managed to code a few
little programs using it, there are still things that remain obscure. My
apologies if I beat dead horses or if my questions are stupid, but any help
or clarification would be greatly appreciated.
I'm working on a packet sniffer/capturer/sender program that captures packets
sent through my ethernet card. In a classic way, I use the "pcap_loop"
function associated with a home-made "packet_handler" function. To code
my packet_handler function correctly, I have to be sure of the structure of
an ethernet packet.
Here, I'm speaking of the pkt_data parameter of the packet_handler function,
not the pkt_header. If I'm correct, the structure of the ethernet packet
pkt_data points to is as follows:
- Source MAC address (6 bytes).
- Destination MAC address (6 bytes).
- ??? (2 bytes).
- Source IP & Destination IP (variable size; typically about 20 bytes).
Then comes the UDP structure:
- Source port (2 bytes).
- Destination port (2 bytes).
- Datagram length (2 bytes).
- Checksum (2 bytes).
1) Is this correct?
2) What is "???" (not a really important question, but I'm curious to know
why the MAC addresses take 14 bytes rather than 12.)
3) Is there other info about the packet after the checksum? If not, after
the checksum begins the "truly raw" packet data, right?
4) What exactly is the "datagram length"? It's generally totally different
from the "packet length" given by the packet header.
5) How exactly do the packet_loop and packet_handler functions operate? They
capture the packets *before* they are sent to the ethernet card, right (I
mean the outgoing ones, of course)? So, if I modify the packet in the
packet_handler function, it's a modified packet that will be sent to the
remote computer?
6) If the packet is modified one way or another, is it absolutely necessary
to recompute the checksum, and how can this be done?
Many thanks in advance,