tcpdump mailing list archives

Re: capturing 802.11 frames with udp protocol..


From: Guy Harris <guy () alum mit edu>
Date: Wed, 16 Jul 2003 11:34:50 -0700


On Wednesday, July 16, 2003, at 7:53 AM, M. Onur ERGiN wrote:

> I do the following:
> /***********************************
>   int size_MAC; //size of the mac layer header (802.11 or ethernet)
>         if(strcmp(dev,"eth1")==0)
>                 size_MAC = sizeof(struct ieee_802_11_header)+2;
>         else size_MAC = sizeof(struct ether_header);

Don't do that.

Instead, determine the link-layer header of packets supplied on an interface by asking libpcap what it is, by calling "pcap_datalink()". If it's DLT_EN10MB, it's an Ethernet header (yes, even if you're sniffing on an 802.11 device; see Alex Medvedev's reply to your message); if it's DLT_IEEE802_11, it's an 802.11 header (which, by the way, is not always the same length!); if it's something other than either of those, it's neither an Ethernet header nor an 802.11 header.


> First, I cast the complete packet to an 802.11 header.
> Then I cast the rest to an IP header and the rest to a
> UDP header.
> But when I try to get the very last one (which is
> supposed to be the payload) I see nothing on the
> screen using printf("%s...);

If the payload isn't text, printf("%s..."); isn't going to print it correctly - especially if the first byte of payload is zero, in which case printf("%s..."); isn't going to print *anything*.

If the payload *is* text, it's still not going to work correctly unless the captured packet data has a zero byte at the end of the text, which it won't necessarily have (it won't have it for HTTP, for example), unless you've put it there.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
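
Added example, not part of the original message or of libpcap: a sketch of the two points in the reply above, sizing the link-layer header from the value pcap_datalink() returns and from the frame itself rather than from the device name, and printing payload by length rather than with "%s". The names link_hdr_len, render_payload and the EX_ constants are this example's own; it assumes 802.11 data frames with three or four addresses and an optional QoS Control field, and does not handle HT Control or the LLC/SNAP header that follows.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Values libpcap assigns to DLT_EN10MB and DLT_IEEE802_11, copied here
 * under an EX_ prefix (this example's) so the block builds without pcap.h. */
#define EX_DLT_EN10MB     1
#define EX_DLT_IEEE802_11 105
/* dlt is the value pcap_datalink() returned. Returns the link-layer header
 * length, or -1 for an unknown link type, a non-data 802.11 frame, or a
 * capture too short to hold the header. */
int link_hdr_len(int dlt, const uint8_t *pkt, size_t caplen)
{
    size_t len = 24;                  /* 3-address 802.11 data header */
    if (dlt == EX_DLT_EN10MB)
        return caplen >= 14 ? 14 : -1;
    if (dlt != EX_DLT_IEEE802_11 || caplen < 2)
        return -1;
    if (((pkt[0] >> 2) & 0x3) != 2)   /* type field: 2 = data */
        return -1;
    if ((pkt[1] & 0x03) == 0x03)      /* ToDS and FromDS set: Address 4 */
        len += 6;
    if (pkt[0] & 0x80)                /* QoS data subtype: QoS Control */
        len += 2;
    return caplen >= len ? (int)len : -1;
}

/* Copy at most n payload bytes into out, replacing non-printable bytes with
 * '.', and add the terminating zero that the capture does not contain. */
size_t render_payload(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t i;
    if (outsz == 0)
        return 0;
    for (i = 0; i < n && i + 1 < outsz; i++)
        out[i] = isprint(p[i]) ? (char)p[i] : '.';
    out[i] = '\0';
    return i;
}

int main(void)
{
    const uint8_t wds[30] = { 0x08, 0x03 };      /* constructed 4-address frame */
    const uint8_t data[] = { 0x00, 'G', 'E', 'T', 0xff };   /* constructed */
    char text[16];
    render_payload(data, sizeof data, text, sizeof text);
    printf("%d %s\n", link_hdr_len(EX_DLT_IEEE802_11, wds, sizeof wds), text);
}
```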

