[Winpcap-users] Retrieve all headers from packets.

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Apr 22 00:48:55 GMT 2008


----- Original Message ----- 
From: "Pawel Rycerski" <rycus at poczta.fm>
To: <winpcap-users at winpcap.org>
Sent: Friday, April 18, 2008 1:38 PM
Subject: [Winpcap-users] Retrieve all headers from packets.


> [Win Xp, WinPcap 4.0.0.1040.]
>
> From reading wpcap defaults progs from docs and posix lib's I've
> got crazy nowadays.
> To make it easy and do not mislead you, I will put it briefly.
>
> I am very confused right now. Please help me out.
> 1. Why the structures from wpcap and posix lib are so different?

Which structures, exactly? I don't think I understood your question.


> 2. Where I can find structures for decode/interpret all known headers over 
> Ethernet?
> ( @ docs/html/group__wpcap__tut6 ( Interpreting the packets ) there are 2 
> structures that deconstruct the packet to be parsed and interpreted, but 
> only to ip and udp ) do I have to write them on my own ?

You can use the definition of the headers from the BSD or linux OS sources, 
or create your own based on the definition of the protocols (for example 
from protocols.com or from a protocol analyzer like wireshark).

>
> 3. Having structs for ethernet, ip, tcp, udp will be enough to present all 
> the data from all headers?

It depends on what you are looking for. Also, remember that having structs 
for those protocols is *not* enough. Protocols like ip and tcp do not have a 
fixed header size. There is usually a fixed part (e.g. 20 bytes for IP) and 
0 or more options. You need to properly decode the fixed part of the header 
to know how long the full header is.

These two zip files contain two presentations I gave at sharkfest, together 
with some sample code.

http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and%20Don'ts.zip
http://www.cacetech.com/SHARKFEST.08/D04_Varenni_Writing%20your%20own%20Packet%20Capture%20Tool%20with%20WinPcap%20and%20AirPcap.zip

Have a nice day
GV

>
> Best regards .
>

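The point in the reply above about variable header sizes, as an added example (not code from this thread or from the WinPcap sources): the decoder reads the IPv4 IHL field and the TCP data offset to find where each header ends, and checks every length against the captured byte count before using it. It assumes untagged Ethernet II frames carrying IPv4; `decode_frame`, `make_sample` and `struct layers` are hypothetical names, and the sample frame is constructed.

```c
#include <stdint.h>
#include <string.h>

struct layers {               /* byte offsets inside one captured frame */
    size_t ip_hlen;           /* full IPv4 header length, options included */
    size_t l4_off, l4_hlen;   /* TCP/UDP header start and full length */
    size_t payload_off;       /* first byte after the transport header */
    uint8_t proto;            /* IP protocol number: 6 = TCP, 17 = UDP */
};

/* Returns 0 on success, -1 if truncated, malformed or not IPv4 TCP/UDP. */
int decode_frame(const uint8_t *p, size_t caplen, struct layers *out)
{
    memset(out, 0, sizeof *out);
    if (caplen < 14 + 20) return -1;                /* Ethernet + fixed IPv4 part */
    if (p[12] != 0x08 || p[13] != 0x00) return -1;  /* EtherType 0x0800 = IPv4 */
    if ((p[14] >> 4) != 4) return -1;               /* IP version nibble */
    out->ip_hlen = (size_t)(p[14] & 0x0f) * 4;      /* IHL counts 32-bit words */
    if (out->ip_hlen < 20 || 14 + out->ip_hlen > caplen) return -1;
    if ((((p[20] & 0x1f) << 8) | p[21]) != 0) return -1; /* later fragment: no L4 header */
    out->proto = p[23];
    out->l4_off = 14 + out->ip_hlen;
    if (out->proto == 17) {
        out->l4_hlen = 8;                           /* UDP header is fixed size */
    } else if (out->proto == 6) {
        if (out->l4_off + 20 > caplen) return -1;   /* fixed TCP part must be present */
        out->l4_hlen = (size_t)(p[out->l4_off + 12] >> 4) * 4; /* TCP data offset */
        if (out->l4_hlen < 20) return -1;
    } else {
        return -1;
    }
    if (out->l4_off + out->l4_hlen > caplen) return -1;
    out->payload_off = out->l4_off + out->l4_hlen;
    return 0;
}

/* Constructed sample: zeroed frame with only the fields the decoder reads set. */
size_t make_sample(uint8_t *f, size_t cap, uint8_t ihl, uint8_t proto, uint8_t doff)
{
    size_t l4 = 14 + (size_t)ihl * 4;
    size_t len = l4 + (proto == 6 ? (size_t)doff * 4 : 8) + 4;  /* 4 payload bytes */
    if (len > cap) return 0;
    memset(f, 0, len);
    f[12] = 0x08; f[13] = 0x00;
    f[14] = (uint8_t)(0x40 | ihl);
    f[23] = proto;
    if (proto == 6) f[l4 + 12] = (uint8_t)(doff << 4);
    return len;
}
```

In a capture callback, `p` is the packet data pointer and `caplen` is the `caplen` field of `struct pcap_pkthdr`, which can be smaller than the on-wire length when a snapshot length is set.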