tcpdump mailing list archives

Re: Content of two packets is mixed up in payload on libpcap-FreeBSD


From: Guy Harris <guy () netapp com>
Date: Mon, 7 Apr 2003 13:38:32 -0700

On Mon, Apr 07, 2003 at 06:25:46PM +0530, Patel wrote:
So when I try to print the content of the packet in got_incoming_packet using the
following command, it shows me a mixture of the content of two packets.

   packet = (u_char *) malloc(header->len);
   memset (packet, 0, header->len);
   memcpy(packet, packet1, header->len);

"header->len" is the number of bytes in the packet.

However, "header->caplen" is the number of bytes of packet data actually
supplied by libpcap.  If you didn't specify, in the "pcap_open_live()"
call, a snapshot length greater than or equal to the length of the
largest possible packet on the network, for packets longer than that
snapshot length libpcap will only supply the number of bytes specified
by the snapshot length.

Therefore, your code should do

   packet = (u_char *) malloc(header->caplen);
   memset (packet, 0, header->caplen);
   memcpy(packet, packet1, header->caplen);

(it should do so even if you *did* specify a snapshot length greater
than or equal to the length of the largest possible packet on the
network).

The "pcap_open_live()" call in your program was

   if((handle = pcap_open_live(dev, BUFSIZ, 0, 2000, errbuf))== NULL) {

and BUFSIZ is 1024 in <stdio.h> on FreeBSD 4.1, at least, and it's
probably the same in later releases.  That's *not* greater than or equal
to, for example, the largest possible packet on Ethernet.

If you want the entire packet, I'd suggest using a snapshot length of
65535.

   // Extra code for pointing to the payload part of the packet.

   fwrite(payload,len_payload,1,stderr);

By the way, you are aware that this doesn't "print" the packet data in
any human-readable form, it just dumps out the *raw bytes* of the packet
data.

There is nothing in libpcap to do a human-readable printout.  There does
exist code to do human-readable printouts of packet data; you can find
that code by looking at the source to programs with names like "tcpdump"
and "Ethereal". :-)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
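The caplen/len distinction above, as an added example that is not code from the thread or from libpcap itself. It assumes a stand-in struct (cap_hdr) carrying only the two length fields of libpcap's struct pcap_pkthdr, a simulate_capture() function that mimics what a BPF-backed capture does with a snapshot length (supply min(snaplen, len) bytes), and a constructed 1514-byte Ethernet frame as input; copy_captured() and capture_and_copy() are names chosen here, not libpcap APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the two length fields of libpcap's struct pcap_pkthdr
 * (assumption: the timestamp field is omitted because it plays no role here). */
struct cap_hdr {
    uint32_t caplen;  /* bytes of packet data present in the buffer libpcap hands you */
    uint32_t len;     /* bytes the packet had on the wire */
};

/* A private copy of the captured bytes, sized from caplen, never from len. */
struct captured {
    uint8_t *data;
    size_t   size;       /* equals caplen */
    int      truncated;  /* 1 if caplen < len, i.e. the snapshot length cut the packet */
};

#define ETH_MAX_FRAME 1514   /* largest untagged Ethernet frame, excluding the FCS */

/* What a BPF-backed capture does for a packet of wire_len bytes with the given
 * snapshot length: it supplies min(snaplen, wire_len) bytes and reports both sizes.
 * (Simulation for this example; the real work happens in the kernel.) */
static const uint8_t *simulate_capture(const uint8_t *wire, uint32_t wire_len,
                                       uint32_t snaplen, struct cap_hdr *hdr)
{
    hdr->len    = wire_len;
    hdr->caplen = wire_len < snaplen ? wire_len : snaplen;
    return wire;   /* only the first hdr->caplen bytes are guaranteed readable */
}

/* The fix from the reply: allocate and copy exactly hdr->caplen bytes.
 * Copying hdr->len bytes instead reads (len - caplen) bytes past the end of
 * the buffer libpcap filled, which is where the "mixed up" tail came from. */
int copy_captured(const struct cap_hdr *hdr, const uint8_t *pkt, struct captured *out)
{
    if (hdr == NULL || pkt == NULL || out == NULL)
        return -1;
    out->data = malloc(hdr->caplen ? hdr->caplen : 1);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, pkt, hdr->caplen);
    out->size      = hdr->caplen;
    out->truncated = hdr->caplen < hdr->len;
    return 0;
}

/* Constructed sample input: a maximum-size Ethernet frame filled with a
 * counting pattern so a truncated copy is easy to recognise. */
static uint32_t build_sample_frame(uint8_t *buf, size_t cap)
{
    uint32_t n = cap < ETH_MAX_FRAME ? (uint32_t)cap : ETH_MAX_FRAME;
    for (uint32_t i = 0; i < n; i++)
        buf[i] = (uint8_t)i;
    return n;
}

/* Capture the sample frame with a given snapshot length and copy it correctly. */
int capture_and_copy(uint32_t snaplen, struct cap_hdr *hdr, struct captured *out)
{
    uint8_t frame[ETH_MAX_FRAME];
    uint32_t n = build_sample_frame(frame, sizeof frame);
    const uint8_t *pkt = simulate_capture(frame, n, snaplen, hdr);
    return copy_captured(hdr, pkt, out);   /* copied before frame goes out of scope */
}

int main(void)
{
    /* A BUFSIZ-sized snapshot (1024 on the FreeBSD release named in the reply)
     * versus the 65535 the reply recommends. */
    uint32_t snaplens[] = { 1024, 65535 };
    for (size_t i = 0; i < 2; i++) {
        struct cap_hdr h;
        struct captured c;
        if (capture_and_copy(snaplens[i], &h, &c) != 0)
            return 1;
        printf("snaplen %5u: len=%u caplen=%u copied=%zu%s\n",
               snaplens[i], h.len, h.caplen, c.size,
               c.truncated ? " (truncated by snaplen)" : "");
        free(c.data);
    }
    /* In a real program the handle would be opened with
     *   pcap_open_live(dev, 65535, 0, 2000, errbuf)
     * and copy_captured() called from the pcap_loop()/pcap_dispatch() callback
     * with the struct pcap_pkthdr it receives. */
    return 0;
}
```

With snaplen 1024 the 1514-byte frame arrives with len=1514 but caplen=1024; sizing the copy from caplen keeps the read inside the buffer and the truncated flag tells the caller the tail is missing, whereas the original malloc/memcpy of len bytes walked 490 bytes beyond what libpcap supplied.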
