tcpdump mailing list archives
sniffing and Packet demultiplexing on gif0 on Openbsd
From: "kifah Abbad" <kifah () prz tu-berlin de>
Date: Mon, 08 Dec 2003 14:22:54 +0100
Hi everyone,

When I do tcpdump on the encapsulation interface gif0 (used for an IPsec bridge) I get perfect results:

    -bash-2.05b# tcpdump -i gif0
    tcpdump: WARNING: gif0: no IPv4 address assigned
    tcpdump: listening on gif0
    -bash-2.05b# tcpdump -e -i gif0
    tcpdump: WARNING: gif0: no IPv4 address assigned
    tcpdump: listening on gif0
    14:15:29.976933 0:50:da:51:7d:15 0:60:97:52:5c:d0 ip 66: 10.10.10.10 > 10.10.10.11: icmp: echo request
    14:15:29.982502 ip: 10.10.10.11 > 10.10.10.10: icmp: echo reply

I am interested in the part where the packets are encapsulated in IPv4 (the echo reply line). But when I use my own sniffer (based on the pcap tutorial sniffer) I get pretty weird results, although I removed the parts with the Ethernet header and added a filter:

    /* -- Define our packet's attributes -- */
    ethernet = (struct sniff_ethernet*)(packet);
    /* In our case we are sniffing on a gif interface... IP packets */
    //ip = (struct sniff_ip*)(packet + size_ethernet);
    ip = (struct sniff_ip*)(packet);
    //tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
    tcp = (struct sniff_tcp*)(packet + size_ip);
    //payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
    payload = (u_char *)(packet + size_ip + size_tcp);

    printf("Packet number %d has just been sniffed\n", count);
    //printf("\tFrom: %s:%d\n", inet_ntoa(ip->ip_src), ntohs(tcp->th_sport));
    printf("\tFrom: %s", inet_ntoa(ip->ip_src));
    //printf("\tTo: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(tcp->th_dport));
    printf("\tTo: %s", inet_ntoa(ip->ip_dst));
    /* payload is not NUL-terminated, so %s reads past the captured bytes;
       bound the output by header->caplen in a real sniffer */
    printf("\tPayload: %s\n", payload);

(I got the original code from here: http://www.tcpdump.org/lists/workers/2002/05/msg00174.html)

My question: the packets on gif0 seem not to be "precisely" IPv4 packets (or are they?), so did anyone try to parse or do packet demultiplexing on the gif0 interface? I would be interested in the way he (or she) did it.

Thanks

--
- This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
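Added example, not part of the archived message, the poster's sniffer, or any reply in the thread. The one thing tcpdump does before it parses IP that the tutorial sniffer never does is ask libpcap which link-layer header the interface delivers (pcap_datalink()) and skip that header first. Removing the Ethernet offset from the tutorial code leaves it assuming a raw IP header at byte 0, which is only true for DLT_RAW. The C below does that dispatch for the link types a BSD loopback or tunnel interface is likely to report. It assumes gif0 reports DLT_LOOP (a 4-byte address-family word in network byte order); the fallback DLT_ numbers, the "OpenBSD numbers DLT_LOOP/DLT_RAW differently" remark, and the two sample frames are assumptions and constructed data, labelled as such in the comments.

```c
/* Link-layer demultiplexing before IP parsing, the way tcpdump does it.  Added
 * example, not the poster's sniffer or libpcap code.  A pcap callback's buffer
 * starts with the interface's link-layer header, and pcap_datalink() says which
 * one; only DLT_RAW puts the IP header at offset 0.  Assumption: gif0 reports
 * DLT_LOOP (4-byte address family, network byte order); DLT_NULL is the same
 * with the family in host byte order. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#if defined(__has_include)
# if __has_include(<pcap/pcap.h>)
#  include <pcap/pcap.h>   /* the real DLT_ numbers; macros only, nothing to link */
# endif
#endif
#ifndef DLT_NULL   /* libpcap's portable values, used only without <pcap.h>
                      (assumption: OpenBSD's own bpf.h numbers LOOP and RAW differently) */
# define DLT_NULL   0      /* BSD loopback: 4-byte AF, host byte order */
# define DLT_EN10MB 1      /* Ethernet: 14-byte header, EtherType at +12 */
# define DLT_RAW    12     /* raw IP: no link-layer header */
# define DLT_LOOP   108    /* OpenBSD loopback/tunnel: 4-byte AF, big-endian */
#endif

/* Offset of the network-layer header for link type dlt, with *family set to
 * AF_INET or AF_INET6; -1 if the frame is truncated, not IP, or dlt is unhandled. */
int demux_link(int dlt, const uint8_t *pkt, size_t caplen, int *family_out)
{
    size_t off = 0;
    int family = 0;
    switch (dlt) {
    case DLT_NULL:
    case DLT_LOOP: {
        uint32_t af;
        if (caplen < 4) return -1;
        memcpy(&af, pkt, 4);
        if (dlt == DLT_LOOP) af = ntohl(af);            /* DLT_LOOP: big-endian */
        if (af == AF_INET) family = AF_INET;            /* 2 on every OS        */
        else if (af == AF_INET6) family = AF_INET6;     /* OS-specific number   */
        off = 4;
        break;
    }
    case DLT_EN10MB: {
        if (caplen < 14) return -1;
        uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
        if (ethertype == 0x0800) family = AF_INET;
        else if (ethertype == 0x86DD) family = AF_INET6;
        off = 14;
        break;
    }
    case DLT_RAW: break;                                /* IP header at offset 0 */
    default: return -1;
    }
    if (caplen <= off) return -1;
    /* The IP version nibble settles the family: it is all DLT_RAW has, and it
     * rescues savefiles whose AF_INET6 number came from another OS. */
    int version = pkt[off] >> 4;
    if (version == 4 && family != AF_INET6) family = AF_INET;
    else if (version == 6 && family != AF_INET) family = AF_INET6;
    else return -1;
    *family_out = family;
    return (int)off;
}

/* tcpdump-style "src > dst proto N" for one frame; -1 when the link-layer
 * offset that dlt implies does not lead to an IPv4 header. */
int summarize(int dlt, const uint8_t *pkt, size_t caplen, char *out, size_t outlen)
{
    int family = 0;
    int off = demux_link(dlt, pkt, caplen, &family);
    const uint8_t *ip = pkt + (off < 0 ? 0 : off);
    size_t ihl = off < 0 ? 0 : (size_t)(ip[0] & 0x0f) * 4;  /* IPv4 header length */
    if (off < 0 || family != AF_INET || ihl < 20 || caplen - off < ihl) {
        snprintf(out, outlen, "no IPv4 header at the offset DLT %d implies", dlt);
        return -1;
    }
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, ip + 12, src, sizeof src);
    inet_ntop(AF_INET, ip + 16, dst, sizeof dst);
    snprintf(out, outlen, "%s > %s proto %d", src, dst, ip[9]);
    return 0;
}

/* Constructed frames (checksums left zero): the thread's echo reply as a
 * DLT_LOOP frame, and the echo request as an Ethernet frame. */
static const uint8_t SAMPLE_LOOP[] = {
    0x00,0x00,0x00,0x02,                                /* AF_INET, big-endian */
    0x45,0x00,0x00,0x1c,0x00,0x01,0x00,0x00,0x40,0x01,0x00,0x00,
    0x0a,0x0a,0x0a,0x0b, 0x0a,0x0a,0x0a,0x0a,           /* 10.10.10.11 > 10.10.10.10 */
    0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x01 };          /* ICMP echo reply */
static const uint8_t SAMPLE_ETHER[] = {
    0x00,0x60,0x97,0x52,0x5c,0xd0, 0x00,0x50,0xda,0x51,0x7d,0x15, 0x08,0x00,
    0x45,0x00,0x00,0x1c,0x00,0x01,0x00,0x00,0x40,0x01,0x00,0x00,
    0x0a,0x0a,0x0a,0x0a, 0x0a,0x0a,0x0a,0x0b,           /* 10.10.10.10 > 10.10.10.11 */
    0x08,0x00,0x00,0x00,0x00,0x01,0x00,0x01 };          /* ICMP echo request */

int main(void)
{
    char line[80];
    summarize(DLT_LOOP, SAMPLE_LOOP, sizeof SAMPLE_LOOP, line, sizeof line);
    printf("gif0 as DLT_LOOP: %s\n", line);
    summarize(DLT_EN10MB, SAMPLE_ETHER, sizeof SAMPLE_ETHER, line, sizeof line);
    printf("Ethernet:         %s\n", line);
    /* The tutorial sniffer's assumption: raw IP at byte 0.  On a DLT_LOOP
     * interface that reads the address-family word as the IP header. */
    summarize(DLT_RAW, SAMPLE_LOOP, sizeof SAMPLE_LOOP, line, sizeof line);
    printf("gif0 as raw IP:   %s\n", line);
    return 0;
}
```

In a live sniffer the dlt argument is what pcap_datalink(handle) returns after pcap_open_live(), handed to the callback through its user pointer, and caplen is header->caplen rather than sizeof of a constant. Note that the filter is not the problem: pcap_compile() takes the link type from the handle, so a filter of "ip" already matches correctly on a DLT_LOOP interface even though the captured bytes begin with the address-family word, which is why tcpdump's output looks right while a parser that skips the check does not.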
Current thread:
- sniffing and Packet demultiplexing on gif0 on Openbsd kifah Abbad (Dec 08)
- Re: sniffing and Packet demultiplexing on gif0 on Openbsd Guy Harris (Dec 08)
- Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd Kifah Abbad (Dec 08)
- Re: Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd kifah Abbad (Dec 10)
- Re: Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd Guy Harris (Dec 10)
- Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd Kifah Abbad (Dec 08)
- Re: sniffing and Packet demultiplexing on gif0 on Openbsd Guy Harris (Dec 08)