Re: why the ethernet and ip header of packets, which are captured by libpcap function, are distorted

[Wesley Shields <wxs () FreeBSD org>]

On Thu, Mar 21, 2013 at 01:03:56PM -0400, Bill Fenner wrote:
> On Mon, Mar 18, 2013 at 11:08 PM, Wesley Shields <wxs () freebsd org> wrote:
> > On Fri, Mar 15, 2013 at 06:37:25PM -0700, Guy Harris wrote:
> > > On Mar 15, 2013, at 2:45 PM, Michael Richardson <mcr () sandelman ca> wrote:
> > >
> > > > > > > > > "wen" == wen lui <esolvepolito () gmail com> writes:
> > > >    wen> I used libpcap function pcap_next() to capture some tcp packets
> > > >    wen> I checked the bytes of the captured packets and notice that the
> > > >    wen> ethernet and ip header of packets are distorted, in a mess with
> > > >    wen> a lot 0's but the TCP header is fine
> > > >
> > > >    wen> what are potential reasons for this?
> > > >
> > > > if you capture on Linux with the cooked mode interface.
> > >
> > > That probably won't happen if you're capturing on an Ethernet device,
> > > but it *will* happen if you capture on the "any" device.
> > >
> > > However, yes, *NO* program using libpcap/WinPcap should simply
> > > *assume* it's getting Ethernet packets; if it's looking at the
> > > packets, not just blindly writing them to a file without examining the
> > > contents, then, if it doesn't need to handle 802.11 and PPP and so on,
> > > just Ethernet, it should at least call pcap_datalink() and fail if the
> > > return value isn't DLT_EN10MB.  (If it's writing them to a pcap file,
> > > pcap_dump_open() will call pcap_datalink() for you, to put the right
> > > link-layer header type in the file header.)
> > >
> > > (Should we change libpcap so that if pcap_datalink() isn't called at
> > > least once before calling pcap_next(), pcap_next_ex(),
> > > pcap_dispatch(), or pcap_loop(), it prints a message to the standard
> > > error saying "you're probably assuming all the world is Ethernet,
> > > aren't you?" and calls abort(). :-))
> >
> > As I'm not sure if you're serious or not I decided to look into this to
> > satisfy my own curiosity. In case you are serious:
> >
> > https://github.com/wxsBSD/libpcap/commit/70cbe36e2bd12498ca1622349ecb1716a874c376
> >
> > If you are serious and want this I'll submit a pull request.
>
> Since pcap_compile() calls pcap_datalink(), I don't think that this
> will have as much affect as Guy was imagining.

I noticed that. I think I mentioned it in commit.

> (Now introduce an argument to pcap_datalink() that says "I'm calling
> you from pcap_compile()," and ... ;-)

That would be breaking a lot of existing applications.

-- WXS
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers