tcpdump mailing list archives

Re: pcap_data vs payload


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Sun, 10 Jul 2011 17:38:56 +0200

On 07/10/2011 05:10 PM, Alokat wrote:
> On 07/10/11 00:53, Guy Harris wrote:
>> On Jul 9, 2011, at 7:50 PM, Alokat wrote:
>>
>>> Just for sure:
>>>
>>> *Ethernet packet*
>>>
>>> means a layer 2 (OSI / ISO model) packet right?
>> Yes.
>> -
>> This is the tcpdump-workers list.
>> Visit https://cod.sandelman.ca/ to unsubscribe.
> Thanks for the answer,
>
> just one more question.
> If I just wanna get the data without the layer 2 stuff can I use
> something like this:
>
> payload = (u_char *)(packet + size_ip + size_tcp);
>
> I do only need the data from layers 3 - 7.

No, that is not correct. You need to determine which link layer protocol
is being used (the DLT). If it is an Ethernet network, you can strip the
Ethernet header by doing:

payload = packet + 14;

where 14 is the length of the Ethernet header. If you are not on an
Ethernet network, you have to replace that 14 with the appropriate
length of the link headers.

Regards,

Luis.
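
The DLT-dependent offset described in the reply above, as an added example that is not part of the original messages: it goes slightly beyond the reply by also skipping one 802.1Q VLAN tag and by checking every offset against the captured length. The `EX_DLT_*` names, `sample_eth`, `link_header_len` and `layer3_start` are hypothetical; in a real capture the DLT comes from `pcap_datalink()` and the length from the `caplen` field of `struct pcap_pkthdr`.

```c
#include <stddef.h>
#include <stdint.h>

/* DLT values as defined in libpcap's pcap/dlt.h, repeated here so the
 * example builds without libpcap installed. */
#define EX_DLT_NULL      0    /* BSD loopback: 4-byte address family */
#define EX_DLT_EN10MB    1    /* Ethernet */
#define EX_DLT_LINUX_SLL 113  /* Linux "cooked" capture */

/* Constructed sample: Ethernet header (EtherType 0x0800) + first IPv4 byte. */
static const uint8_t sample_eth[] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,
    0x08, 0x00,  0x45 };

/* Hypothetical helper: link-layer header length for this packet, or -1
 * if the DLT is not handled or the capture is too short to contain it. */
static int link_header_len(int dlt, const uint8_t *pkt, size_t caplen)
{
    switch (dlt) {
    case EX_DLT_NULL:
        return caplen >= 4 ? 4 : -1;
    case EX_DLT_LINUX_SLL:
        return caplen >= 16 ? 16 : -1;
    case EX_DLT_EN10MB: {
        if (caplen < 14)
            return -1;
        /* EtherType is bytes 12-13; 0x8100 means an 802.1Q tag follows. */
        unsigned ethertype = (unsigned)pkt[12] << 8 | pkt[13];
        if (ethertype == 0x8100)
            return caplen >= 18 ? 18 : -1;
        return 14;
    }
    default:
        return -1;   /* refuse to guess an offset for an unknown DLT */
    }
}

/* Hypothetical helper: pointer to the layer 3 header and the number of
 * captured bytes that follow it, or NULL if no safe offset exists. */
static const uint8_t *layer3_start(int dlt, const uint8_t *pkt,
                                   size_t caplen, size_t *l3_len)
{
    int off = link_header_len(dlt, pkt, caplen);
    if (off < 0)
        return NULL;
    *l3_len = caplen - (size_t)off;
    return pkt + off;
}
```

Returning NULL for an unhandled DLT or a truncated capture keeps later IP and TCP header parsing from reading past the end of the captured buffer.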


