tcpdump mailing list archives

Re: Protocol headers-only capture?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 17 Dec 2008 11:53:37 -0800


On Dec 17, 2008, at 11:10 AM, Dustin Spicuzza wrote:

> Is there currently a way to save protocol headers (and by this, I mean
> ARP/IP/TCP/UDP/ICMP headers) to a file *without* the remaining payload?

There's no way to do *exactly* that.

You can, however, specify a snapshot length with "-s" that would save an amount of packet data that would include the headers and only a limited amount of remaining payload (assuming packets don't have a large number of IP or TCP options).

> If not, I could be motivated to write a patch to do this (it doesn't
> seem like it would be that hard?) if someone just points me to the right
> area of code where it should go. :)

You'd set "callback" to your packet-writing routine in main(), and then have your callback routine:

        look at the link-layer header, if any, and determine whether the packet is ARP, IPv4, IPv6, or other;

        for ARP, just write out the headers (whatever qualifies as "header" rather than "payload");

        for IPv4, parse the IPv4 header and options and determine whether the packet is TCP, UDP, ICMP, or other;

        for IPv6, parse the IPv6 header and extension headers and determine whether the packet is TCP, UDP, ICMP, or other;

        for TCP, parse the TCP header and options and write out the data up to the end of the options;

        for UDP, write out the data up to the end of the UDP header;

        for ICMP, write out the data up to the end of the ICMP header;

        for other-atop-IP, just write out the data up to the end of the IP header;

        for other-atop-the-link-layer, write out whatever would be appropriate.

When you do that, set the "caplen" member of the pcap_pkthdr to the total amount of packet data you write out before dumping the packet with pcap_dump().
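The callback logic described in the reply, written out as an added C example (this is not tcpdump's code and not something from the thread): header_only_len() walks Ethernet, ARP, IPv4 (with options and fragment check), IPv6 (with extension headers), TCP (with options), UDP and ICMP and returns the number of leading bytes that are headers rather than payload. It assumes DLT_EN10MB frames, also accepts an 802.1Q tag, parses everything by hand so it compiles without libpcap or the netinet headers, never returns more than the snapshot actually captured, and the sample frames are constructed, not real captures. In tcpdump's callback you would assign the result to the pcap_pkthdr's caplen and then call pcap_dump() as the reply says; that call is only shown in a comment here.

```c
/*
 * Header-only truncation length for a pcap callback.  Added example, not
 * tcpdump code; assumes Ethernet frames and parses headers by hand.
 * In the callback:  h->caplen = header_only_len(pkt, h->caplen);
 *                   pcap_dump(user, h, pkt);   (h->len keeps the wire length)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN 14
#define ETYPE_IPV4 0x0800
#define ETYPE_ARP  0x0806
#define ETYPE_VLAN 0x8100
#define ETYPE_IPV6 0x86DD
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17, PROTO_ICMPV6 = 58 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Never keep more bytes than the snapshot actually captured. */
static size_t keep(size_t want, size_t caplen) { return want < caplen ? want : caplen; }

/* Transport header length given 'avail' captured bytes of it; 0 = unknown protocol. */
static size_t transport_hdr_len(uint8_t proto, const uint8_t *p, size_t avail)
{
    switch (proto) {
    case PROTO_TCP:
        if (avail < 20) return avail;                 /* header itself is truncated */
        { size_t doff = (size_t)(p[12] >> 4) * 4;     /* data offset covers the options */
          return doff < 20 ? 20 : doff; }
    case PROTO_UDP:    return 8;
    case PROTO_ICMP:
    case PROTO_ICMPV6: return 8;                      /* type, code, checksum, rest-of-header */
    default:           return 0;                      /* other-atop-IP: IP header only */
    }
}

/* How many leading bytes of the frame are headers rather than payload. */
size_t header_only_len(const uint8_t *pkt, size_t caplen)
{
    size_t off = ETH_HDR_LEN;
    uint16_t etype;
    uint8_t proto = 0;

    if (caplen < off) return caplen;
    etype = be16(pkt + 12);
    if (etype == ETYPE_VLAN) {                        /* 802.1Q tag, real type follows it */
        if (caplen < off + 4) return caplen;
        etype = be16(pkt + off + 2);
        off += 4;
    }
    switch (etype) {
    case ETYPE_ARP:                                   /* the whole ARP message is "header" */
        if (caplen < off + 8) return caplen;
        return keep(off + 8 + 2 * (size_t)pkt[off + 4] + 2 * (size_t)pkt[off + 5], caplen);
    case ETYPE_IPV4: {
        size_t ihl;
        if (caplen < off + 20) return caplen;
        ihl = (size_t)(pkt[off] & 0x0f) * 4;
        if (ihl < 20) return keep(off + 20, caplen);  /* malformed IHL: keep the fixed header */
        if ((be16(pkt + off + 6) & 0x1fff) != 0)      /* non-first fragment: no transport header */
            return keep(off + ihl, caplen);
        proto = pkt[off + 9];
        off += ihl;                                   /* past the options too */
        break;
    }
    case ETYPE_IPV6:
        if (caplen < off + 40) return caplen;
        proto = pkt[off + 6];
        off += 40;
        for (;;) {                                    /* walk the extension-header chain */
            size_t ext;
            if (proto == 0 || proto == 43 || proto == 60) {  /* hop-by-hop, routing, dest opts */
                if (caplen < off + 2) return caplen;
                ext = ((size_t)pkt[off + 1] + 1) * 8;
            } else if (proto == 44) {                        /* fragment header */
                if (caplen < off + 8) return caplen;
                if ((be16(pkt + off + 2) & 0xfff8) != 0) return keep(off + 8, caplen);
                ext = 8;
            } else if (proto == 51) {                        /* authentication header */
                if (caplen < off + 2) return caplen;
                ext = ((size_t)pkt[off + 1] + 2) * 4;
            } else break;
            proto = pkt[off];
            off += ext;
        }
        break;
    default:
        return keep(off, caplen);                     /* other-atop-link-layer: link header only */
    }
    if (caplen < off) return caplen;
    return keep(off + transport_hdr_len(proto, pkt + off, caplen - off), caplen);
}

/* Constructed sample frames (not real captures). */
static const uint8_t tcp_frame[] = {   /* Ethernet + IPv4 + TCP SYN with 12 bytes of options + 10 payload */
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
    0x45,0x00,0x00,0x3e, 0x00,0x01,0x40,0x00, 0x40,PROTO_TCP,0,0, 10,0,0,1, 10,0,0,2,
    0x12,0x34,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x80,0x02, 0xff,0xff, 0,0, 0,0,
    0x02,0x04,0x05,0xb4, 0x01,0x01,0x04,0x02, 0x01,0x03,0x03,0x07,
    'p','a','y','l','o','a','d','!','!','!' };
static const uint8_t udp_frame[] = {   /* Ethernet + IPv4 + UDP + 5 payload */
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
    0x45,0x00,0x00,0x21, 0x00,0x02,0x00,0x00, 0x40,PROTO_UDP,0,0, 10,0,0,1, 10,0,0,2,
    0x00,0x35,0xc0,0x01, 0x00,0x0d,0,0, 'h','e','l','l','o' };
static const uint8_t arp_frame[60] = { /* Ethernet + ARP request, zero-padded to 60 bytes */
    0xff,0xff,0xff,0xff,0xff,0xff, 0,0,0,0,0,2, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01, 0,0,0,0,0,2, 10,0,0,2, 0,0,0,0,0,0, 10,0,0,1 };
static const uint8_t icmp6_frame[] = { /* Ethernet + IPv6 + hop-by-hop ext + ICMPv6 echo + 4 payload */
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x86,0xdd,
    0x60,0,0,0, 0x00,0x14, 0, 64,
    0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,1, 0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,2,
    PROTO_ICMPV6, 0, 1,0, 1,0,0,0,
    0x80,0x00,0,0, 0x12,0x34,0x00,0x01,
    0xde,0xad,0xbe,0xef };

size_t demo_tcp(void)   { return header_only_len(tcp_frame, sizeof tcp_frame); }     /* 66 of 76 */
size_t demo_udp(void)   { return header_only_len(udp_frame, sizeof udp_frame); }     /* 42 of 47 */
size_t demo_arp(void)   { return header_only_len(arp_frame, sizeof arp_frame); }     /* 42 of 60 */
size_t demo_icmp6(void) { return header_only_len(icmp6_frame, sizeof icmp6_frame); } /* 70 of 74 */
/* A snapshot shorter than the headers is kept whole rather than read past the end. */
size_t demo_short(void) { return header_only_len(tcp_frame, 30); }                   /* 30 */

int main(void)
{
    printf("tcp %zu udp %zu arp %zu icmp6 %zu short %zu\n",
           demo_tcp(), demo_udp(), demo_arp(), demo_icmp6(), demo_short());
    return 0;
}
```

Two points a practitioner would watch for: the function clamps to the bytes actually captured, so a "-s" snapshot that already cuts into a header is left as it is instead of being over-read, and non-first IP fragments are stopped at the IP header because they carry no transport header at all. The original wire length should stay in the pcap_pkthdr's len field so readers can still see how much was dropped.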
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.