tcpdump mailing list archives

Format of libpcap packet


From: Jesse Johnson <jesse.alan.johnson () gmail com>
Date: Sat, 28 Mar 2015 20:46:50 -0400

Hi,

I am dissecting pcap packets generated by airodump-ng using libpcap and I seem to be offset on the access of the Ethernet frame. I am using the call pcap_next_ex() and working with the returned Ethernet packet. I read the first destination and source MACs into a C array and they both seem to be offset by one byte. For example, I get FF:FF:FF:FF:FF:D5 as a destination MAC instead of FF:FF:FF:FF:FF:FF, which would be a broadcast address.

Is the Ethernet frame returned by the call pcap_next_ex() an exact replica of the original frame, with no extra information inserted?

On a side note, does anyone see any value in porting the project to Go? I have started looking at the source to see if there are any "show stoppers" and haven't seen any yet.

My end project is to perform big data analysis on very large samples of network packets collected in open environments to test for correlations or irregularities. To perform the analysis, I would like to get access to the actual byte values of the Ethernet frame and IP headers.

Thank you for your assistance,

Jesse Johnson
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
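As an added example (not the poster's code and not libpcap's), here is a small C parser over an in-memory pcap file image. It shows that the bytes pcap_next_ex() hands back are the raw captured frame, whose leading bytes depend on the capture's link-layer type: with DLT_EN10MB the Ethernet destination MAC sits at offset 0, while an 802.11 capture with a radiotap header (DLT_IEEE802_11_RADIO) carries a variable-length radiotap header before the 802.11 frame, so a parser should check the link type before reading MAC addresses at fixed offsets. The names first_dst_mac and build_pcap and the frame bytes are my own constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_EN10MB           1    /* Ethernet: dst MAC at frame offset 0 */
#define DLT_IEEE802_11_RADIO 127  /* radiotap header, then 802.11 frame */

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Locate the first record's destination MAC (Ethernet dst or 802.11 addr1)
 * using the capture's link type; returns the link type, or -1 on error. */
int first_dst_mac(const uint8_t *buf, size_t len, uint8_t out[6]) {
    if (len < 40 || le32(buf) != 0xa1b2c3d4) return -1;   /* little-endian pcap magic only */
    uint32_t linktype = le32(buf + 20), caplen = le32(buf + 32);
    const uint8_t *frame = buf + 40;                      /* after the 16-byte record header */
    if (caplen > len - 40) return -1;
    if (linktype == DLT_EN10MB) {
        if (caplen < 14) return -1;
        memcpy(out, frame, 6);
    } else if (linktype == DLT_IEEE802_11_RADIO) {
        if (caplen < 4) return -1;
        uint32_t rt_len = frame[2] | (frame[3] << 8);     /* radiotap it_len (little-endian) */
        if (rt_len < 8 || caplen < rt_len + 10) return -1;
        memcpy(out, frame + rt_len + 4, 6);               /* skip frame control + duration */
    } else {
        return -1;  /* other DLTs carry their own link-layer header */
    }
    return (int)linktype;
}

/* Build a one-record pcap file image in memory (constructed test data). */
size_t build_pcap(uint32_t linktype, const uint8_t *frame, uint32_t flen, uint8_t *out) {
    memset(out, 0, 40);
    put_le32(out, 0xa1b2c3d4); out[4] = 2; out[6] = 4;    /* magic, version 2.4 */
    put_le32(out + 16, 65535); put_le32(out + 20, linktype);
    put_le32(out + 32, flen); put_le32(out + 36, flen);   /* incl_len, orig_len */
    memcpy(out + 40, frame, flen);
    return 40 + flen;
}

int main(void) {
    /* Constructed: a beacon behind a minimal 8-byte radiotap header (it_len = 8). */
    static const uint8_t wifi[32] = {0,0,8,0, 0,0,0,0, 0x80,0, 0,0, 0xff,0xff,0xff,0xff,0xff,0xff,
        0,0x11,0x22,0x33,0x44,0x55, 0,0x11,0x22,0x33,0x44,0x55, 0,0};
    uint8_t cap[128], mac[6] = {0};
    size_t n = build_pcap(DLT_IEEE802_11_RADIO, wifi, 32, cap);
    int dlt = first_dst_mac(cap, n, mac);
    printf("linktype %d dst %02x:%02x:%02x:%02x:%02x:%02x\n", dlt, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return 0;
}
```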
