tcpdump mailing list archives

Sniffing and packet demultiplexing on gif0 on OpenBSD


From: "kifah Abbad" <kifah () prz tu-berlin de>
Date: Mon, 08 Dec 2003 14:22:54 +0100

Hi everyone,

When I do tcpdump on the encapsulation interface gif0 (used for an IPsec bridge) I
get perfect results:

-bash-2.05b# tcpdump -i gif0 
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0
-bash-2.05b# tcpdump -e -i gif0 
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0
14:15:29.976933 0:50:da:51:7d:15 0:60:97:52:5c:d0 ip 66: 10.10.10.10 >
10.10.10.11: icmp: echo request
14:15:29.982502 ip: 10.10.10.11 > 10.10.10.10: icmp: echo reply

I am interested in the part where the packets are encapsulated in IPv4 (echo
reply line).

But when I use my own sniffer (based on the pcap tutorial sniffer) I get pretty
weird results, although I removed the parts with the Ethernet header and added
a filter:


/* -- Define our packet's attributes -- */
        ethernet = (struct sniff_ethernet*)(packet);
        //In our case we are sniffing on gif interface...ip packets,
        //so the IP header is assumed to start at byte 0 of the captured frame
        //ip = (struct sniff_ip*)(packet + size_ethernet);
        ip = (struct sniff_ip*)(packet);
        //tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
        tcp = (struct sniff_tcp*)(packet + size_ip);
        //payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
        payload = (u_char *)(packet + size_ip + size_tcp);

        printf("Packet number %d has just been sniffed\n", count);
        //printf("\tFrom:    %s:%d\n", inet_ntoa(ip->ip_src), ntohs(tcp->th_sport));
        printf("\tFrom:    %s\n", inet_ntoa(ip->ip_src));
        //printf("\tTo:      %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(tcp->th_dport));
        printf("\tTo:      %s\n", inet_ntoa(ip->ip_dst));
        //payload is raw bytes, not a NUL-terminated string: %s prints up to the first 0 byte
        printf("\tPayload: %s\n", payload);



(Got original code from here:
http://www.tcpdump.org/lists/workers/2002/05/msg00174.html)



My question:
The packets on gif0 seem not to be "precisely" IPv4 packets (or are they?), so did
anyone try to parse or do packet demultiplexing on the gif0 interface? I would be
interested in the way he (she) did it.

Thanks
-- 
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
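The snippet in the post treats byte 0 of the captured frame as the IP header, which is only right for a link type with no link-layer header at all. Tunnel and loopback interfaces on the BSDs typically hand libpcap frames with a 4-byte address-family word in front of the IP packet (link type DLT_NULL or DLT_LOOP), and Ethernet frames carry a 14-byte header; which one applies must be read from pcap_datalink() rather than assumed. The following is an added example written for this archive page, not code from the post, the pcap tutorial or the tcpdump project. It reimplements the link-header lookup and a minimal IPv4 header parse without linking against libpcap (the DLT_ constants are copied with their pcap.h values), and builds a constructed sample frame around the 10.10.10.11 > 10.10.10.10 echo reply seen in the tcpdump output (checksums are left zero and not checked; the MAC addresses reused for the Ethernet variant are the ones from the -e output). All function names (ipv4_offset, parse_ipv4, build_sample_frame, sample_offset, sample_matches, naive_parse) are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* libpcap link-layer type numbers, copied from <pcap.h> so this compiles
 * without libpcap. In a real sniffer obtain the value from pcap_datalink(). */
#define DLT_NULL    0    /* BSD loopback/tunnel: 4-byte AF word in host byte order */
#define DLT_EN10MB  1    /* Ethernet: 14-byte header, EtherType at bytes 12-13 */
#define DLT_LOOP  108    /* OpenBSD loopback/tunnel: 4-byte AF word in network byte order */

struct ip_summary {
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
    uint8_t proto;
    size_t payload_off;   /* offset of the transport header within the frame */
};

/* Offset of the IPv4 header inside a captured frame for the given link type,
 * or -1 if the frame is too short or does not carry IPv4. */
int ipv4_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    uint32_t af;
    switch (dlt) {
    case DLT_NULL:
    case DLT_LOOP:
        if (caplen < 4) return -1;
        memcpy(&af, pkt, sizeof af);
        if (dlt == DLT_LOOP) af = ntohl(af);      /* DLT_NULL is already host order */
        return af == AF_INET ? 4 : -1;
    case DLT_EN10MB:
        if (caplen < 14) return -1;
        return (pkt[12] == 0x08 && pkt[13] == 0x00) ? 14 : -1;   /* EtherType 0x0800 */
    default:
        return -1;
    }
}

/* Parse the IPv4 header at byte offset off; 0 on success, -1 on malformed input.
 * Every length is checked against caplen so a short capture cannot overrun. */
int parse_ipv4(const uint8_t *pkt, size_t caplen, int off, struct ip_summary *out)
{
    const uint8_t *ip;
    size_t ihl;
    if (off < 0 || (size_t)off + 20 > caplen) return -1;
    ip = pkt + off;
    if ((ip[0] >> 4) != 4) return -1;                 /* version nibble */
    ihl = (size_t)(ip[0] & 0x0f) * 4;                 /* header length in bytes */
    if (ihl < 20 || (size_t)off + ihl > caplen) return -1;
    out->proto = ip[9];
    inet_ntop(AF_INET, ip + 12, out->src, sizeof out->src);
    inet_ntop(AF_INET, ip + 16, out->dst, sizeof out->dst);
    out->payload_off = (size_t)off + ihl;
    return 0;
}

/* Constructed sample: the echo reply from the post as a bare IPv4 packet
 * (20-byte header, proto 1 = ICMP, followed by an 8-byte ICMP echo reply). */
static const uint8_t sample_ip[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 10, 10, 11,                                   /* source 10.10.10.11 */
    10, 10, 10, 10,                                   /* destination 10.10.10.10 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00    /* ICMP type 0, code 0 */
};

/* Prepend the link-layer header the given link type would carry; returns frame length. */
size_t build_sample_frame(int dlt, uint8_t *buf, size_t buflen)
{
    static const uint8_t eth[14] = { 0x00, 0x50, 0xda, 0x51, 0x7d, 0x15,
                                     0x00, 0x60, 0x97, 0x52, 0x5c, 0xd0, 0x08, 0x00 };
    uint32_t af = AF_INET;
    size_t hdr = (dlt == DLT_EN10MB) ? sizeof eth : 4;
    if (buflen < hdr + sizeof sample_ip) return 0;
    if (dlt == DLT_EN10MB) memcpy(buf, eth, sizeof eth);
    else { if (dlt == DLT_LOOP) af = htonl(af); memcpy(buf, &af, 4); }
    memcpy(buf + hdr, sample_ip, sizeof sample_ip);
    return hdr + sizeof sample_ip;
}

/* Where the IP header really starts in the sample frame for this link type. */
int sample_offset(int dlt)
{
    uint8_t frame[64];
    size_t len = build_sample_frame(dlt, frame, sizeof frame);
    return ipv4_offset(dlt, frame, len);
}

/* Full demultiplex of the sample; 1 if src/dst/proto match, 0 otherwise. */
int sample_matches(int dlt, const char *src, const char *dst, int proto)
{
    uint8_t frame[64];
    struct ip_summary s;
    size_t len = build_sample_frame(dlt, frame, sizeof frame);
    if (parse_ipv4(frame, len, ipv4_offset(dlt, frame, len), &s) != 0) return 0;
    return strcmp(s.src, src) == 0 && strcmp(s.dst, dst) == 0 && s.proto == proto;
}

/* What the posted snippet does: assume the IP header is at byte 0. */
int naive_parse(int dlt)
{
    uint8_t frame[64];
    struct ip_summary s;
    size_t len = build_sample_frame(dlt, frame, sizeof frame);
    return parse_ipv4(frame, len, 0, &s);
}
```

In a live sniffer the only change is to call pcap_datalink() once after pcap_open_live() and pass the result as dlt; ipv4_offset then skips the address-family word on a tunnel interface and the Ethernet header elsewhere, and parse_ipv4 rejects anything whose version nibble is not 4 instead of printing garbage. On the sample frame, naive_parse() returns -1 for both DLT_NULL and DLT_LOOP because the byte it reads as version/IHL belongs to the address-family word, which is exactly the "weird results" described in the post.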
