[Winpcap-users] Retrieve all headers from packets.

Pawel Rycerski rycus at poczta.fm
Thu Apr 24 00:33:07 GMT 2008

>> 1. Why the structures from wpcap and posix lib are so different?

>Which structures, exactly? I don't think i understood your question.

Ok. so about those structures from posix, here they are:
// IP header
struct sniff_ip {
	u_int ip_hl:4,					// header length
	ip_v:4;							// version
	u_int ip_v:4,					// version
	ip_hl:4;						// header length
	#endif							// not _IP_VHL
	u_char ip_tos;					// type of service
	u_short ip_len;					// total length
	u_short ip_id;					// identification
	u_short ip_off;					// fragment offset field
	#define IP_RF 0x8000			// reserved fragment flag
	#define IP_DF 0x4000			// dont fragment flag
	#define IP_MF 0x2000			// more fragments flag
	#define IP_OFFMASK 0x1fff		// mask for fragmenting bits
	u_char ip_ttl;					// time to live
	u_char ip_p;					// protocol
	u_short ip_sum;					// checksum
	struct in_addr ip_src,ip_dst;	// source and dest address
// TCP header
struct sniff_tcp {
	u_short th_sport;				// source port
	u_short th_dport;				// destination port
	tcp_seq th_seq;					// sequence number
	tcp_seq th_ack;					// acknowledgement number
		u_int th_x2:4,				// (unused)
		th_off:4;					// data offset
		u_int th_off:4,				// data offset
		th_x2:4;					// (unused) 
	u_char th_flags;
	#define TH_FIN 0x01
	#define TH_SYN 0x02
	#define TH_RST 0x04
	#define TH_PUSH 0x08
	#define TH_ACK 0x10
	#define TH_URG 0x20
	#define TH_ECE 0x40
	#define TH_CWR 0x80
	u_short th_win;					// window
	u_short th_sum;					// checksum 
	u_short th_urp;					// urgent pointer
>> Question: 2. Where I can find structures for decode/interpret all known
>> headers over Ethernet?
>> ( @ docs/html/group__wpcap__tut6 ( Interpreting the packets ) there are
>> two  structures that deconstruct the packet to be parsed and interpreted,
>> but only to ip and udp ) do I have to write them on my own ?

>Reply: You can use the definition of the headers from the BSD or linux OS
>or create your own based on the definition of the protocols (for example 
>from protocols.com or from a protocol analyzer like wireshark).

Conclusion: Thanks for protocols.com maybe silly but somehow I have missed
it (because of wikipedia <shamed>), very useful site.
I was working on those protocols recognising and I had a question: how
should I do it?:
(Don%u2019t be shocked example below contain tree solutions)

#define ICMP_w ICMP

u_char* identyfy_protocol(u_char *proto;){
u_char proto;
proto =(u_char*) malloc(sizeof(u_char)*10); //10 max char in prot name

	switch(proto) {
		case 1:
			proto =(u_char*) malloc(sizeof(u_char)*4); //4 number of characters
			return "ICMP";
			return icmp_w;
		case 2:
		case 3:
		case 4:
The solution should be looking like this:

		case 0x01: printf("ICMP"); break;
		case 0x06: printf("TCP"); break;
		case 0x11: printf("UDP"); break;
		default: printf("unknown (%u)", pIpHeader->Protocol);

>> Reply:It depends on what you are looking for. Also, remember that
>> having structs 
>> for those protocols is *not* enough. Protocols like ip and tcp do not have
>> a 
>> fixed header size. There is usually a fixed part (e.g. 20 bytes for IP)
>> and 
>> 0 or more options. You need to properly decode the fixed part of the
>> header 
>> to know how long the full header is.%u201D

Conclusion: Yes, thanks one more time you have exactly hit my doubts <ok>

Question: In default program from winpcap.org in function
PrintPackets(LPPACKET lpPacket); structure LPPACKET and
PacketRecivePacket()  function is used to print all the content of the
packet. I have found that PacketRecivePacket() is used becouse it will take
all the packet form adapter buffer that has been captured from last
function readout. But this LPPACKET structure is higly unconfortuable, it
is imposible for me to impinge on structures as for example:

typedef struct ethernet_header {
	u_char ether_dhost[ETHER_ADDR_LEN];
	u_char ether_shost[ETHER_ADDR_LEN]; 
	u_short ether_type;                

But there is such thing like: 
packet_handler(u_char *,const struct pcap_pkthdr *,const u_char *);
which as is sad at docs is a callback function invoked by libpcap for
every incoming packet, but it isn%u2019t. It is called continuously by 1
second read timeout! Even if there are no incoming packets at the moment.
(Im talking about this: group__wpcap__tut6 )

But the solution from the zip files that You have posted are really
stunning %uF04A Much more easy to learn and use then those from
Most of my questions are solved in WinPcapTool_Threading.

Poprowadz swoj klub do zwyciestwa!
Sprawdz >>> http://link.interia.pl/f1d76

More information about the Winpcap-users mailing list