Re: packets captured with

[d00fy <d00fy () 163 com>]

thanks for your help. Now I know what the header means.


在2009-11-17，"Guy Harris" <guy () alum mit edu> 写道：
> On Nov 15, 2009, at 11:56 PM, d00fy wrote:
>
> > hi all, recently I captured packets from ethernet with libpcap, I  
> > found out that packets which were caputred with  
> > pcap_open_live("any", ...)seem like strange, there are two bytes new  
> > at mac header
>
> There is no MAC header for packets captured on the "any" device.
>
> There is no guarantee that, if you capture from an arbitrary device,  
> the packet will begin with an Ethernet header.  In order to properly  
> inspect packets captured with libpcap, or read from a savefile with  
> libpcap, you must call pcap_datalink() on the pcap_t, and use the  
> result to determine what type of header the packets begin with.
>
> DLT_EN10MB means an Ethernet header (the "10MB" is historical - that  
> value is used for all versions of Ethernet, from 10MB/s to 10GB/s; the  
> "10MB" distinguishes regualr Ethernet from the old 3MB "experimental"  
> Ethernet, which used a different header).
>
> The header type for the "any" device is DLT_LINUX_SLL.  If  
> pcap_datalink() returns DLT_LINUX_SLL, then the packet begins with a  
> header that contains, in order:
>
>       a 2-byte "packet type", in network byte order, which is one of:
>
>               0    packet was sent to us by somebody else
>
>               1    packet was broadcast by somebody else
>
>               2    packet was multicast, but not broadcast, by somebody else
>
>               3    packet was sent by somebody else to somebody else
>
>               4    packet was sent by us
>
>       a 2-byte field, in network byte order, containing a Linux ARPHRD_  
> value for the link-layer device type;
>
>       a 2-byte field, in network byte order, containing the length of the  
> link-layer address of the sender of the packet (which could be 0);
>
>       an 8-byte field containing that number of bytes of the link-layer  
> address of the sender (if there are more than 8 bytes, only the first  
> 8 are present);
>
>       a 2-byte field containing the Ethernet protocol type for the packet,  
> in network byte order, or containing 1 for Novell 802.3 frames without  
> an 802.2 LLC header or 4 for frames beginning with an 802.2 LLC header.
>
> > for instance:
> > 00 00
>
> Packet type - 0, meaning that the packet was sent to your machine.
>
> > 00 01
>
> Linux ARPHRD_ value - it's network byte order, i.e. big-endian, so  
> that's 1, i.e. ARPHRD_ETHER, so that *particular* frame happened to  
> come from an Ethernet device.
>
> > 00 06
>
> Length of the link-layer address of the sender of the packet - it's  
> network byte order, so that's 6 bytes.
>
> > 00 1e c9 56 f8 a2
>
> Link-layer address of the sender = 00:1e:c9:56:f8:a2
>
> > f1 00
>
> Padding - the address field is 8 bytes long in the header, so a 6-byte  
> address has to be padded to 8 bytes.
>
> > 08 00
>
> Ethernet protocol type for the packet - it's network byte order, so  
> it's 0x0800, i.e. IPv4.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.