[Winpcap-users] Some (stupid ?) questions from a newbie

Xavier Mataillet h.al at infonie.fr
Thu Sep 8 09:17:33 GMT 2005


Hi all,

I'm beginning with Winpcap and, though I've already managed to code a few
little programs using it, there are still things that remain obscure. My
apologies if I beat dead horses or if my questions are stupid, but any help
or clarification would be greatly appreciated.

I'm working on a packet sniffer/capturer/sender program that captures packets
sent through my ethernet card. In a classic way, I use the "pcap_loop"
function associated with a home-made "packet_handler" function. To code
my packet_handler function correctly, I have to be sure of the structure of
an ethernet packet.

Here, I'm speaking of the pkt_data parameter of the packet_handler function,
not the pkt_header. If I'm correct, the structure of the ethernet packet
pkt_data points to is as follows:

- Source MAC address (6 bytes).
- Destination MAC address (6 bytes).
- ??? (2 bytes).
- Source IP & Destination IP (variable size; typically about 20 bytes).
Then comes the UDP structure :
- Source port (2 bytes).
- Destination port (2 bytes).
- Datagram length (2 bytes).
- Checksum (2 bytes).

1) Is this correct?
2) What is "???" (not a really important question, but I'm curious to know
why the MAC addresses take 14 bytes rather than 12.)
3) Is there other info about the packet after the Checksum? If not, after
the checksum begins the "truly raw" packet data, right?
4) What exactly is the "datagram length"? It's generally totally different
from the "packet length" given by the packet header.

5) How exactly do packet_loop and the packet_handler functions operate? They
capture the packets *before* they are sent to the ethernet card, right (I
mean, the outgoing ones, of course)? So, if I modify the packet in the
packet_handler function, it's a modified packet that will be sent to the
remote computer?
6) If the packet is modified one way or another, is it absolutely necessary
to recompute the checksum, and how can this be done?

Many thanks in advance,


Xavier
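As an added example (not the poster's code, and not part of WinPcap itself), here is a C parser for the pkt_data layout asked about above: the 14 Ethernet bytes are destination MAC, source MAC and the 2-byte EtherType, followed by an IPv4 header of IHL*4 bytes and then the 8-byte UDP header, whose "length" field covers header plus payload; it also recomputes the RFC 768 UDP checksum that question 6 asks about. The sample frame, its addresses and ports are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not the poster's code): layout of the pkt_data buffer a
 * WinPcap packet_handler receives for an Ethernet/IPv4/UDP frame. */
enum { ETH_HDR_LEN = 14, ETHERTYPE_IPV4 = 0x0800, IP_PROTO_UDP = 17 };

struct udp_view {
    const uint8_t *ip, *udp, *payload; /* IPv4 header, UDP header, app data */
    size_t ip_hdr_len;                 /* IHL * 4: 20..60 bytes */
    uint16_t udp_len;                  /* UDP "length" field: header + payload */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks dst MAC(6) src MAC(6) EtherType(2) | IPv4(IHL*4) | UDP(8) | payload.
 * Returns 1 and fills *v when the captured bytes hold a whole UDP datagram. */
int parse_eth_ipv4_udp(const uint8_t *pkt, size_t caplen, struct udp_view *v)
{
    if (caplen < ETH_HDR_LEN + 28 || be16(pkt + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = pkt + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;              /* IHL in 32-bit words */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ETH_HDR_LEN + ihl + 8 > caplen) return 0;
    if (ip[9] != IP_PROTO_UDP) return 0;                   /* protocol byte */
    const uint8_t *udp = ip + ihl;
    uint16_t ulen = be16(udp + 4);
    if (ulen < 8 || ETH_HDR_LEN + ihl + ulen > caplen) return 0;
    v->ip = ip; v->ip_hdr_len = ihl; v->udp = udp; v->udp_len = ulen;
    v->payload = udp + 8;
    return 1;
}

/* RFC 768 checksum: IPv4 pseudo-header (src, dst, proto, UDP length) plus the
 * UDP header and payload, with the checksum field itself counted as zero. */
uint16_t udp_checksum_ipv4(const struct udp_view *v)
{
    uint32_t sum = be16(v->ip + 12) + be16(v->ip + 14)    /* source IP      */
                 + be16(v->ip + 16) + be16(v->ip + 18)    /* destination IP */
                 + IP_PROTO_UDP + v->udp_len;
    for (size_t i = 0; i + 1 < v->udp_len; i += 2)
        if (i != 6) sum += be16(v->udp + i);              /* skip checksum  */
    if (v->udp_len & 1) sum += (uint32_t)v->udp[v->udp_len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries   */
    uint16_t c = (uint16_t)~sum;
    return c ? c : 0xffff;                 /* 0 on the wire means "no checksum" */
}

/* Constructed sample (not captured traffic): 10.0.0.1:4660 -> 10.0.0.2:53,
 * payload "A", UDP checksum field left at zero. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1d, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00, 0x0a,0x00,0x00,0x01,
    0x0a,0x00,0x00,0x02, 0x12,0x34, 0x00,0x35, 0x00,0x09, 0x00,0x00, 0x41 };
```

After changing the payload in a handler, write `udp_checksum_ipv4()` back into bytes 6..7 of the UDP header before sending a copy with pcap_sendpacket; the buffer handed to the handler is only a capture copy.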


