[Winpcap-users] Trouble printing pkt_data

Guy Harris guy at alum.mit.edu
Sat Jul 29 20:35:29 GMT 2006

Martin wrote:
> Hi Guy I hope not that it is bothering you I am replying, but I've tried 
> to make a loop through the pkt_data as well and print out each char of 
> it but it is ALWAYS "RT" no matter what!

You might want to think of that, instead, as "it is always hex 52 
followed by hex 54".  "pkt_data" is not a collection of characters, it's 
a collection of bytes, and is not guaranteed to be text.

> I don't want the headers only the data of the packet.

There's no unique definition of "the data of the packet".  As far as 
Ethernet is concerned, the IP header of an IP packet is part of the data 
of the packet, not a header.  As far as IP is concerned, the TCP header 
of a TCP segment, or the UDP header of a UDP datagram, or... is part of 
the data of the packet, not a header.

The first two bytes of an Ethernet packet are the first two bytes of the 
destination MAC address.  At least according to the Wireshark list of OUIs:


MAC addresses beginning with 52:54:00 or 52:54:AB belong to Realtek (I 
guess they asked for addresses in that range so that the first two bytes 
of the MAC address, if interpreted as ASCII - which they are *NOT*, 
they're just binary! - would be "RT"), so the packets might be 
transmitted by a Realtek network adapter.

> Any ideas?

What definition of "the data" do you want?  The stuff past the 
transport-layer header?

More information about the Winpcap-users mailing list