[Winpcap-users] Retrieve packets position

Gianluca Varenni gianluca.varenni at cacetech.com
Fri Feb 8 23:30:10 GMT 2008

  ----- Original Message ----- 
  From: Ziara . 
  To: winpcap 
  Sent: Thursday, January 31, 2008 3:58 AM
  Subject: [Winpcap-users] Retrieve packets position

  I have see several methods for retrieve packets position
  suppose I have these structures:
  // 20 bytes IP Header
  struct ip_header{
   u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits)
   u_char tos; // Type of service
   u_short tlen; // Total length
   u_short identification; // Identification
   u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits)
   u_char ttl; // Time to live
   u_char proto; // Protocol
   u_short crc; // Header checksum
   //ip_address saddr; // Source address
   //ip_address daddr; // Destination address
   in_addr saddr;
   in_addr daddr;
   // u_int op_pad; // Option + Padding -- NOT NEEDED!
  //"Simple" struct for TCP
  struct tcp_header {
   u_short sport; // Source port
   u_short dport; // Destination port
   u_int seqnum; // Sequence Number
   u_int acknum; // Acknowledgement number
   u_char th_off; // Header length
   u_char flags; // packet flags
   u_short win; // Window size
   u_short crc; // Header Checksum
   u_short urgptr; // Urgent pointer
  struct udp_header{
   u_short sport;          // Source port
   u_short dport;          // Destination port
   u_short len;            // Datagram length
   u_short crc;            // Checksum

  struct ip_header *ip; //ip header
  struct tcp_header *tcp; //tcp header
  struct udp_header *udp;
  to calculate ip packet position:
  ip=(struct ip_header *)(pkt_data +14); 
  to calculate udp packet position:
  udp = (struct udp_header *)(sizeof(struct ip_header)+pkt_data+14)
  u_int ip_len = (ip->ver_ihl & 0xf) * 4; 
  udp = (struct udp_header *)((u_char *)ip + ip_len); 
  in this case, ip_len retrieve the packet length of ihl, but I don't understand 
  ((u_char *)ip + ip_len);  
  udp = (struct udp_header*)(pkt_data + 14 + ip_len); 
  Can tell me which one is the correct form, I think is the second but I don't understand it very well... and the second form is the same form for retrieve tcp packets?
  tcp = (struct tcp_header *)((u_char *)ip + ip_len);  

the right one is either the 2nd or the 3rd one.
In the 2nd case you are computing the udp header position by taking the ip header position and adding to it the ip header length. In the third case, you are starting from the beginning of the packet and adding the ethernet header size (14) and the ip header size.

Whatever approach you choose, please remember to check that the ethernet packet is actually an IP packet. Either you use a cpture filter like "ip" or for every packet you check that the ethertype in the ethernet header is 0x0800 (assuming that IP is encapsulated with the ethertype 0x0800 and not through LLC+SNAP). 

Have a nice day


  Todo ruedas: información práctica y todo el glamour del mundo del motor. MSN Estilo y Tendencias 


  Winpcap-users mailing list
  Winpcap-users at winpcap.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20080208/863b63eb/attachment.htm

More information about the Winpcap-users mailing list