Re[2]: sniffing and Packet demultiplexing on gif0 on Openbsd

[Kifah Abbad <kifah () prz tu-berlin de>]

Hello Guy,

Monday, December 8, 2003, 8:33:25 PM, you wrote:


GH> On Dec 8, 2003, at 5:22 AM, kifah Abbad wrote:

> > Hi everyone,
> >
> > When i do tcpdump on encapsulation interface gif0 (used for an ipsec
> > bridge) i
> > get perfect results:

GH>     ...

> > But when i use my own sniffer (based on the pcap tutorial sniffer) i
> > get pretty
> > weird results.Although i removed the parts with the ethernet header,
> > and added
> > a filter:
> >
> >
> > /* -- Define our packet's attributes -- */
> >         ethernet = (struct sniff_ethernet*)(packet);
> >         //In our case we are sniffing on gif interface...ip packets
> >         //ip = (struct sniff_ip*)(packet + size_ethernet);
> >         ip = (struct sniff_ip*)(packet);


GH> A quick look at the current CVS version of "sys/net/if_gif.c" in 
GH> OpenBSD shows

        #if NBPFILTER >> 0
GH>            bpfattach(&sc->gif_if.if_bpf, &sc->gif_if, DLT_NULL,
GH>                     sizeof(u_int));
GH>     #endif

GH> The "DLT_NULL" indicates that packets that you get with BPF on an gifN
GH> interface will *NOT* just be raw IP packets; instead, they will begin
GH> with a 4-byte AF_ value, which would presumably be AF_INET (IPv4) or
GH> AF_INET6 (IPv6).

GH> Any application that captures packets should use "pcap_datalink()" to
GH> get the DLT_ value for the packet header, and, based on the value it
GH> returns, interpret the raw packet data.  (That's what tcpdump does,
GH> which is why it works in gifN devices.)


Thanks...that was a great help...i will definetly have a closer look
on DLT_NULL value and AF_INET

-- 
Best regards,
 Kifah                            mailto:kifah () prz tu-berlin de

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe