tcpdump mailing list archives
Re: Content of two packets is mixed up in payload on libpcap-FreeBSD
From: Guy Harris <guy () netapp com>
Date: Mon, 7 Apr 2003 13:38:32 -0700
On Mon, Apr 07, 2003 at 06:25:46PM +0530, Patel wrote:
> So when I try to print content of packet in got_incoming_packet using following command it is showing me content mixture of two packets.
>
>     packet = (u_char *) malloc(header->len);
>     memset (packet, 0, header->len);
>     memcpy(packet, packet1, header->len);

"header->len" is the number of bytes in the packet. However, "header->caplen" is the number of bytes of packet data actually supplied by libpcap. If you didn't specify, in the "pcap_open_live()" call, a snapshot length greater than or equal to the length of the largest possible packet on the network, for packets longer than that snapshot length libpcap will only supply the number of bytes specified by the snapshot length.

Therefore, your code should do

    packet = (u_char *) malloc(header->caplen);
    memset (packet, 0, header->caplen);
    memcpy(packet, packet1, header->caplen);

(it should do so even if you *did* specify a snapshot length greater than or equal to the length of the largest possible packet on the network).

The "pcap_open_live()" call in your program was

    if((handle = pcap_open_live(dev, BUFSIZ, 0, 2000, errbuf))== NULL) {

and BUFSIZ is 1024 in <stdio.h> on FreeBSD 4.1, at least, and it's probably the same in later releases. That's *not* greater than or equal to, for example, the largest possible packet on Ethernet.

If you want the entire packet, I'd suggest using a snapshot length of 65535.

>     //Extra code for Pointing to payload part in packet.
>     fwrite(payload,len_payload,1,stderr);

By the way, you are aware that this doesn't "print" the packet data in any human-readable form, it just dumps out the *raw bytes* of the packet data. There is nothing in libpcap to do a human-readable printout.

There does exist code to do human-readable printouts of packet data; you can find that code by looking at the source to programs with names like "tcpdump" and "Ethereal". :-)

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
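
The caplen-versus-len point from the reply above, as an added example that is not part of the original message or of libpcap. The struct `pkt_lengths`, the functions `copy_captured` and `foreign_bytes_in_copy`, and the two-packet buffer are assumptions constructed for illustration; the struct only mirrors the two length fields of `struct pcap_pkthdr` so the code builds without libpcap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the two length fields of libpcap's struct pcap_pkthdr,
 * declared locally (assumption) so this builds without libpcap. */
struct pkt_lengths {
    uint32_t caplen;   /* bytes actually supplied for this packet */
    uint32_t len;      /* bytes the packet had on the wire */
};

/* Copy only the captured bytes. Returns a heap buffer of hdr->caplen bytes
 * (caller frees) or NULL; *truncated reports whether the snapshot length
 * cut the packet short. */
unsigned char *copy_captured(const struct pkt_lengths *hdr,
                             const unsigned char *data, int *truncated)
{
    unsigned char *copy;

    if (hdr->caplen == 0 || hdr->caplen > hdr->len)
        return NULL;               /* empty or inconsistent header */
    copy = malloc(hdr->caplen);
    if (copy == NULL)
        return NULL;
    memcpy(copy, data, hdr->caplen);
    *truncated = hdr->caplen < hdr->len;
    return copy;
}

/* Constructed model: two 12-byte packets ('A' bytes, then 'B' bytes) captured
 * with a snapshot length of 8, stored back to back. Returns how many bytes of
 * the second packet end up in a copy of the first one. */
size_t foreign_bytes_in_copy(int trust_wire_len)
{
    static const unsigned char buf[] = "AAAAAAAABBBBBBBB";
    const struct pkt_lengths first = { 8, 12 };
    size_t n = trust_wire_len ? first.len : first.caplen;
    size_t i, foreign = 0;
    unsigned char tmp[12];

    memcpy(tmp, buf, n);           /* n <= 12, within both buffers */
    for (i = 0; i < n; i++)
        if (tmp[i] != 'A')
            foreign++;
    return foreign;
}
```

Sizing the copy by `len` pulls four bytes of the second packet into the first packet's copy in this model; sizing it by `caplen` pulls in none and leaves the truncation visible to the caller.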