tcpdump mailing list archives
Re: pcap_data vs payload
From: Guy Harris <guy () alum mit edu>
Date: Sat, 9 Jul 2011 17:25:25 -0700
On Jul 9, 2011, at 7:01 PM, Alokat wrote:
> I'm wondering what's the difference between the pcap_packet and the payload?
What do you mean by "the payload"?
> I have seen that you can extract the payload like this:
> payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
That's the TCP payload. You can do so if:

1) the packet is an Ethernet packet (i.e., the LINKTYPE_ value in the file header is LINKTYPE_ETHERNET, meaning that pcap_datalink() returns DLT_EN10MB);
2) it is also an IP packet (meaning that the Ethernet type in the Ethernet header is 0x0800 or 0x86dd) and size_ip is the size of the IPv4 or IPv6 header, including options and extension headers;
3) it is also a TCP packet (meaning that the protocol field in the IPv4 header or the last "next header" field in the IPv6 header has the value 6) and size_tcp is the size of the TCP header, including options.

However, there is no universal notion of "headers" and "payload" in networking. As far as IP is concerned, the TCP header is part of the payload; as far as Ethernet is concerned, the IP header and the TCP header are part of the payload. There could be a protocol running on top of TCP that has other protocols running on top of it (for example, the NetBIOS Session Service protocol), and, as far as that protocol is concerned, the TCP payload has a header for the protocol and the protocol's payload.
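The three conditions in the reply above, written out as bounds-checked C. This is an added example, not part of the original message: the names `tcp_payload_offset`, `LINK_ETHERNET` and `sample_pkt` are chosen here, the packet bytes are constructed, and only IPv4 is handled. In a libpcap program the link type would come from pcap_datalink() and the length from the `caplen` field of the packet header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINK_ETHERNET 1    /* numeric value of DLT_EN10MB / LINKTYPE_ETHERNET */
#define SIZE_ETHERNET 14   /* untagged Ethernet header; VLAN-tagged frames are rejected below */

/* Constructed sample: Ethernet + IPv4 (no options) + TCP (no options) + "hello". */
static const uint8_t sample_pkt[] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x2d, 0,0,0x40,0x00, 0x40,0x06,0,0, 10,0,0,1, 10,0,0,2,
    0x30,0x39,0x00,0x50, 0,0,0,1, 0,0,0,1, 0x50,0x18,0x20,0x00, 0,0,0,0,
    'h','e','l','l','o'
};

/* Offset of the TCP payload in pkt, or -1 if the packet is not
 * Ethernet/IPv4/TCP or the captured bytes end before the payload starts. */
long tcp_payload_offset(int linktype, const uint8_t *pkt, size_t caplen)
{
    if (linktype != LINK_ETHERNET || caplen < SIZE_ETHERNET + 20)
        return -1;                                /* condition 1: Ethernet link type */
    if (((pkt[12] << 8) | pkt[13]) != 0x0800)
        return -1;                                /* condition 2: IPv4 only; 0x86dd needs an extension-header walk */
    const uint8_t *ip = pkt + SIZE_ETHERNET;
    size_t size_ip = (size_t)(ip[0] & 0x0f) * 4;  /* IHL counts 32-bit words, options included */
    if ((ip[0] >> 4) != 4 || size_ip < 20 || ip[9] != 6)
        return -1;                                /* condition 3: protocol 6 is TCP */
    if ((((ip[6] << 8) | ip[7]) & 0x1fff) != 0)
        return -1;                                /* later fragment: no TCP header here */
    if (caplen < SIZE_ETHERNET + size_ip + 20)
        return -1;                                /* capture ends inside the TCP header */
    const uint8_t *tcp = ip + size_ip;
    size_t size_tcp = (size_t)(tcp[12] >> 4) * 4; /* data offset, options included */
    if (size_tcp < 20 || caplen < SIZE_ETHERNET + size_ip + size_tcp)
        return -1;
    return (long)(SIZE_ETHERNET + size_ip + size_tcp);
}

int main(void)
{
    long off = tcp_payload_offset(LINK_ETHERNET, sample_pkt, sizeof sample_pkt);
    if (off < 0)
        return 1;
    printf("TCP payload at offset %ld: %.*s\n", off,
           (int)(sizeof sample_pkt - (size_t)off), (const char *)sample_pkt + off);
    return 0;
}
```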