<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE>.hmmessage P {
PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
}
BODY.hmmessage {
FONT-SIZE: 10pt; FONT-FAMILY: Tahoma
}
</STYLE>
<META content="MSHTML 6.00.6000.16587" name=GENERATOR></HEAD>
<BODY class=hmmessage bgColor=#ffffff>
<DIV><FONT face="Courier New"></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=essence_z@hotmail.com href="mailto:essence_z@hotmail.com">Ziara .</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, January 31, 2008 3:58
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Retrieve packets
position</DIV>
<DIV><BR></DIV>
<DIV>I have see several methods for retrieve packets
position<BR> <BR>suppose I have these structures:<BR> <BR>// 20
bytes IP Header<BR>struct ip_header{<BR> u_char ver_ihl; // Version (4
bits) + Internet header length (4 bits)<BR> u_char tos; // Type of
service<BR> u_short tlen; // Total length<BR> u_short
identification; // Identification<BR> u_short flags_fo; // Flags (3 bits)
+ Fragment offset (13 bits)<BR> u_char ttl; // Time to
live<BR> u_char proto; // Protocol<BR> u_short crc; // Header
checksum<BR> //ip_address saddr; // Source address<BR> //ip_address
daddr; // Destination address<BR> in_addr saddr;<BR> in_addr
daddr;<BR> // u_int op_pad; // Option + Padding -- NOT
NEEDED!<BR>}ip_header;<BR> <BR>//"Simple" struct for TCP<BR>struct
tcp_header {<BR> u_short sport; // Source port<BR> u_short dport; //
Destination port<BR> u_int seqnum; // Sequence Number<BR> u_int
acknum; // Acknowledgement number<BR> u_char th_off; // Header
length<BR> u_char flags; // packet flags<BR> u_short win; // Window
size<BR> u_short crc; // Header Checksum<BR> u_short urgptr; //
Urgent pointer<BR>}tcp_header;<BR> <BR>struct
udp_header{<BR> u_short
sport; // Source
port<BR> u_short
dport; // Destination
port<BR> u_short
len; //
Datagram length<BR> u_short
crc; //
Checksum<BR>}udp_header;<BR><BR>struct ip_header *ip; //ip header<BR>struct
tcp_header *tcp; //tcp header<BR>struct udp_header *udp;<BR> <BR>to
calculate ip packet position:<BR> <BR>ip=(struct ip_header *)(pkt_data
+14); <BR> <BR>to calculate udp packet
position:<BR> <BR>1//<BR> <BR>udp = (struct udp_header
*)(sizeof(struct ip_header)+pkt_data+14)<BR> <BR>2//<BR> <BR>u_int
ip_len = (ip->ver_ihl & 0xf) * 4; <BR>udp = (struct udp_header
*)((u_char *)ip + ip_len); <BR> <BR>in this case, ip_len retrieve the
packet length of ihl, but I don't understand <BR> <BR>((u_char *)ip
+ ip_len); <BR> <BR>3//<BR> <BR>udp = (struct
udp_header*)(pkt_data + 14 + ip_len); <BR> <BR>Can tell me which one
is the correct form, I think is the second but I don't understand it very
well... and the second form is the same form for retrieve tcp
packets?<BR> <BR>tcp = (struct tcp_header *)((u_char *)ip +
ip_len); <BR> <BR>thanks<BR></DIV></BLOCKQUOTE>
<DIV><FONT face="Courier New">the right one is either the 2nd or the 3rd
one.</FONT></DIV>
<DIV><FONT face="Courier New">In the 2nd case you are computing the udp header
position by taking the ip header position and adding to it the ip header length.
In the third case, you are starting from the beginning of the packet and adding
the ethernet header size (14) and the ip header size.</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Whatever approach you choose, please remember to
check that the ethernet packet is actually an IP packet. Either you use a cpture
filter like "ip" or for every packet you check that the ethertype in the
ethernet header is 0x0800 (assuming that IP is encapsulated with the ethertype
0x0800 and not through LLC+SNAP). </FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Have a nice day</FONT></DIV>
<DIV><FONT face="Courier New">GV</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face="Courier New"></FONT> </DIV><FONT
face="Courier New"></FONT></BLOCKQUOTE>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face="Courier New"></FONT><BR><BR></DIV>
<DIV>
<HR>
</DIV>
<DIV>Todo ruedas: información práctica y todo el glamour del mundo del motor.
<A href="http://estilo.es.msn.com/" target=_new>MSN Estilo y Tendencias</A>
</DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>