[Winpcap-users] Retrieve packets position

Ziara . essence_z at hotmail.com
Thu Jan 31 11:58:08 GMT 2008

I have see several methods for retrieve packets position suppose I have these structures: // 20 bytes IP Headerstruct ip_header{ u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits) u_char tos; // Type of service u_short tlen; // Total length u_short identification; // Identification u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits) u_char ttl; // Time to live u_char proto; // Protocol u_short crc; // Header checksum //ip_address saddr; // Source address //ip_address daddr; // Destination address in_addr saddr; in_addr daddr; // u_int op_pad; // Option + Padding -- NOT NEEDED!}ip_header; //"Simple" struct for TCPstruct tcp_header { u_short sport; // Source port u_short dport; // Destination port u_int seqnum; // Sequence Number u_int acknum; // Acknowledgement number u_char th_off; // Header length u_char flags; // packet flags u_short win; // Window size u_short crc; // Header Checksum u_short urgptr; // Urgent pointer
}tcp_header; struct udp_header{ u_short sport;          // Source port u_short dport;          // Destination port u_short len;            // Datagram length u_short crc;            // Checksum}udp_header;struct ip_header *ip; //ip headerstruct tcp_header *tcp; //tcp headerstruct udp_header *udp; to calculate ip packet position: ip=(struct ip_header *)(pkt_data +14);  to calculate udp packet position: 1// udp = (struct udp_header *)(sizeof(struct ip_header)+pkt_data+14) 2// u_int ip_len = (ip->ver_ihl & 0xf) * 4; udp = (struct udp_header *)((u_char *)ip + ip_len);  in this case, ip_len retrieve the packet length of ihl, but I don't understand  ((u_char *)ip + ip_len);   3// udp = (struct udp_header*)(pkt_data + 14 + ip_len);  Can tell me which one is the correct form, I think is the second but I don't understand it very well... and the second form is the same form for retrieve tcp packets?
tcp = (struct tcp_header *)((u_char *)ip + ip_len);  
MSN Video. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20080131/11a68b3f/attachment.htm

More information about the Winpcap-users mailing list