tcpdump mailing list archives

Re: Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd


From: "kifah Abbad" <kifah () prz tu-berlin de>
Date: Wed, 10 Dec 2003 16:29:17 +0100



GH> Any application that captures packets should use "pcap_datalink()" to
GH> get the DLT_ value for the packet header, and, based on the value it
GH> returns, interpret the raw packet data.  (That's what tcpdump does,
GH> which is why it works in gifN devices.)


Thanks... that was a great help... I will definitely have a closer look
at the DLT_NULL value and AF_INET.

I added the following code to mine:

/* Pick the link-layer header length from the capture's DLT_ type, so the
   IP header can be found at packet + link_offset. */
switch (pcap_datalink(descr)) {
case DLT_EN10MB:          /* Ethernet */
case DLT_IEEE802:         /* IEEE 802.5 Token Ring */
        link_offset = 14;
        break;
case DLT_SLIP:
        link_offset = 16;
        break;
case DLT_PPP:
case DLT_NULL:            /* BSD loopback/gif: 4-byte address family word (AF_INET) */
        link_offset = 4;
        break;
case DLT_RAW:             /* raw IP, no link-layer header at all */
        link_offset = 0;
        break;
default:
        fprintf(stderr, "unsupported interface type\n");
        exit(-1);
}


and then I added this to decode the IP header (addresses):

ip = (struct sniff_ip *)(packet + link_offset);

printf("\tFrom:    %s", inet_ntoa(ip->ip_src));
printf("\tTo:      %s\n", inet_ntoa(ip->ip_dst));
printf("\tLength:  %d\n", ntohs(ip->ip_len));   /* ip_len is in network byte order */


And it went fine... thanks for the hint.

Now I tried to decode the MAC addresses (source and destination), and thought they
would come right after the IP header (EtherIP)... but no luck.
I tried that by changing the "link_offset" value... to link_offset+20 (20-byte
IP header)... or in steps for more... up to 30... but the values for MAC src and
dst were not correct:

So what shift should I do to "catch" the exact address of MAC src and dst? And
the rest of the packet... does anyone already have experience with parsing EtherIP
packets? (I still assume the packets on gif0 are EtherIP.)

-- 
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
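
As an added example (not code from the original post or from tcpdump), here is how the offsets chain together when the payload really is EtherIP: DLT_NULL word, then the IPv4 header sized from its IHL field, then the 2-byte EtherIP header (IP protocol 97, RFC 3378), and only then the Ethernet header with the MAC addresses. The 40-byte packet is constructed by hand, with the DLT_NULL address-family word written as a little-endian host stores AF_INET; every step is bounds-checked so a short or non-EtherIP packet is rejected instead of read past its end.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHERIP_PROTO 97   /* IANA protocol number for EtherIP (RFC 3378) */
#define NULL_HDR_LEN  4    /* DLT_NULL: 4-byte address-family word, host order */

struct etherip_view { uint8_t ip_proto, dst_mac[6], src_mac[6]; uint16_t ethertype; };

/* DLT_NULL -> IPv4 (length from IHL, not a fixed 20) -> EtherIP -> Ethernet.
 * Returns 0 and fills *out, or -1 if the packet is short or not EtherIP. */
int parse_null_etherip(const uint8_t *pkt, size_t len, struct etherip_view *out)
{
    size_t off = NULL_HDR_LEN;                   /* the post's link_offset for DLT_NULL */
    if (len < off + 20 || (pkt[off] >> 4) != 4) return -1;   /* need an IPv4 header */
    size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;  /* IHL field: options may be present */
    if (ihl < 20 || len < off + ihl) return -1;
    out->ip_proto = pkt[off + 9];
    if (out->ip_proto != ETHERIP_PROTO) return -1;   /* plain IP-in-IP carries no MACs */
    off += ihl;
    if (len < off + 2 || (pkt[off] >> 4) != 3) return -1;  /* EtherIP version is 3 */
    off += 2;
    if (len < off + 14) return -1;               /* Ethernet: dst(6) src(6) type(2) */
    memcpy(out->dst_mac, pkt + off, 6);
    memcpy(out->src_mac, pkt + off + 6, 6);
    out->ethertype = (uint16_t)((pkt[off + 12] << 8) | pkt[off + 13]);
    return 0;
}

/* Constructed sample (not a real capture): AF_INET word as a little-endian host
 * stores it, IPv4 10.0.0.1 -> 10.0.0.2 proto 97 with zero checksum, EtherIP
 * header, then Ethernet dst 00:11:22:33:44:55, src 66:77:88:99:aa:bb, type 0x0800. */
static const uint8_t sample_pkt[] = {
    0x02, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x40, 0x61, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x30, 0x00,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00,
};

/* Parse the sample and return one field as an int so it can be checked without
 * libpcap: 0 = return code, 1 = IP protocol, 2..7 = dst MAC bytes,
 * 8..13 = src MAC bytes, anything else = EtherType. */
int sample_field(int which)
{
    struct etherip_view v;
    int rc = parse_null_etherip(sample_pkt, sizeof sample_pkt, &v);
    if (which == 0 || rc != 0) return rc;
    if (which == 1) return v.ip_proto;
    if (which >= 2 && which <= 7) return v.dst_mac[which - 2];
    if (which >= 8 && which <= 13) return v.src_mac[which - 8];
    return v.ethertype;
}

/* Return code when only the first len bytes of the sample are available. */
int sample_truncated(size_t len) { struct etherip_view v; return parse_null_etherip(sample_pkt, len, &v); }
```

For a gif tunnel whose inner protocol is 4 (IP-in-IP) rather than 97 the function returns -1, because such a packet carries no Ethernet header at any offset.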

