Re: pcap_data vs payload

[Alokat <mailing () alokat org>]

On 07/10/11 00:25, Guy Harris wrote:
> On Jul 9, 2011, at 7:01 PM, Alokat wrote:
>
> > I'm wondering whats the difference between the pcap_packet and the payload?
> What do you mean by "the payload"?
>
> > I have seen that you can extract the payload like this:
> >
> > payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
> That's the TCP payload.
>
> You can do so if:
>
>       1) the packet is an Ethernet packet (i.e., the LINKTYPE_ value in the file header is LINKTYPE_ETHERNET, meaning 
> that pcap_datalink() returns DLT_EN10MB);
>
>       2) it is also an IP packet (meaning that the Ethernet type in the Ethernet header is 0x0800 or 0x86dd) and 
> size_ip is the size of the IPv4 or IPv6 header, including options and extensions headers;
>
>       3) it is also a TCP packet (meaning that the protocol field in the IPv4 header or the last "next header" field 
> in the IPv6 header has the value 6) and size_tcp is the size of the TCP header, including options.
>
> However, there is no universal notion of "headers" and "payload" in networking.  As far as IP is concerned, the TCP 
> header is part of the payload; as far as Ethernet is concerned, the IP header and the TCP header are part of the 
> payload.  There could be a protocol running on top of TCP that has other protocols running on top of it (for example, 
> the NetBIOS Session Service protocol), and, as far as that protocol is concerned, the TCP payload has a header for 
> the protocol and the protocol's payload.-
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

Thanks for the answer.

Just for sure:

*Ethernet packet*

means a layer 2 (OSI / ISO model) packet right?

Regards,
alokat
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.