Re: pcap_data vs payload

[Aaron Turner <synfinatic () gmail com>]

On Sun, Jul 10, 2011 at 8:38 AM, Luis MartinGarcia.
<luis.mgarc () gmail com> wrote:
> On 07/10/2011 05:10 PM, Alokat wrote:
> > On 07/10/11 00:53, Guy Harris wrote:
> > > On Jul 9, 2011, at 7:50 PM, Alokat wrote:
> > >
> > > > Just for sure:
> > > >
> > > > *Ethernet packet*
> > > >
> > > > means a layer 2 (OSI / ISO model) packet right?
> > > Yes.
> > > -
> > > This is the tcpdump-workers list.
> > > Visit https://cod.sandelman.ca/ to unsubscribe.
> > Thanks for the answer,
> >
> > just one more question.
> > If I just wanna get the data without the layer 2 stuff can I use
> > something like this:
> >
> > payload = (u_char *)(packet + size_ip + size_tcp);
> >
> > I do only need the data from layers 3 - 7.
>
> No, that is not correct. You need to determine which link layer protocol
> is being used (the DLT). If it is an Ethernet network, you can strip the
> ethernet header doing:
>
> payload=packet + 14
>
> where 14 is the length of the Ethernet header. If you are not on an
> ethernet network, you have to replace that 14 with the appropriate
> length of the link headers.

Actually, for ethernet you also need to check for vlan tags including Q-in-Q.

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.