tcpdump mailing list archives
best way for proper icmp-packet decoding (pcap+libnet)
From: "Kifah A." <kifah () prz tu-berlin de>
Date: Sun, 14 Dec 2003 22:52:20 +0100
Hi everyone, I am writing some code to decode ICMP packets on a pseudo interface (gif0) and inject them on fxp1 (with libnet) after altering the payload part. I am pasting some relevant code here and asking for any hints or tips on improving performance:
u_short libnet_icmp_sum = icmp->icmp_cksum;
u_short libnet_icmp_id = (unsigned)ntohs(icmp->icmp_hun.ih_idseq.icd_id);
u_short libnet_icmp_seq = (unsigned)ntohs(icmp->icmp_hun.ih_idseq.icd_seq);
u_char *libnet_icmp_payload = icmp_payload;
/* note: strlen() stops at the first NUL byte; ICMP data carries no terminator */
u_long libnet_icmp_payload_s = strlen(icmp_payload);
u_long libnet_icmp_payload_s_2 = strlen(icmp->icmp_dun.id_data);
. . . .
case IPPROTO_ICMP:
    ip_options = ip->ip_hl;
    ip_options -= 5;
    ip_options *= 4; //how much do we shift, until the ICMP payload starts
    icmp = (struct icmp *)(packet + IP_SIZE + ip_options);
    icmp_payload = (u_char *)(packet+IP_SIZE+ip_options+8);
    /**********Here we print the different headers for debugging**********/
    printf("Different ip fields");
    //show IP source
    printf("\tFrom: %s", inet_ntoa(ip->ip_src));
    //show IP destination
    printf("\tTo: %s\n", inet_ntoa(ip->ip_dst));
    //show IP Header Length
    printf("\tHeader Length:%d", ip->ip_hl );
    //show IP Header Version
    printf("\tVersion:%d", ip->ip_v );
    //show IP TOS
    printf("\tTOS:%d", ip->ip_tos );
    //show ip_len (16-bit IP fields are still in network byte order here)
    printf("\tip_len:%d", ip->ip_len );
    //show ip_id
    printf("\tip_id:%d", ip->ip_id );
    //show ip_off
    printf("\tip_off:%d", ip->ip_off );
    //show ip_ttl
    printf("\tip_ttl:%d", ip->ip_ttl );
    //show ip_protocol
    printf("\tip_protocol:%d", ip->ip_p );
    //show ip_checksum
    printf("\tip_checksum:%d\n", ip->ip_sum );
    printf("Different ICMP Fields\n");
    //show type
    printf("\tICMP_Type: %d\n", icmp->icmp_type);
    //show code
    printf("\tICMP_Code: %d\n", icmp->icmp_code);
    //show checksum
    printf("\tICMP_Checksum: %d\n", libnet_icmp_sum);
    //ICMP ID
    printf("\tICMP ID: %u\n", libnet_icmp_id);
    //ICMP SEQ
    printf("\tICMP SEQ: %u\n",libnet_icmp_seq);
    //ICMP Data
    printf("\tICMP DATA: %s\n", libnet_icmp_payload);
    printf("\tICMP Payload Length: %d\n", libnet_icmp_payload_s);
    printf("\tICMP DATA-version2: %s\n", icmp->icmp_dun.id_data);
    printf("\tICMP Payload Length2: %d\n",libnet_icmp_payload_s_2);

I noticed that once I start the program, I get wrong values for some fields (libnet_icmp_payload, payload length). Does it have to do with some wrong buffering or something?
Example:

-bash-2.05b# ./plogd
Different ip fields    From: 10.10.10.11    To: 10.10.10.10
    Header Length:5    Version:4    TOS:0    ip_len:15360    ip_id:64880    ip_off:0    ip_ttl:32    ip_protocol:1    ip_checksum:39937
Different ICMP Fields
    ICMP_Type: 8
    ICMP_Code: 0
    ICMP_Checksum: 15360
    ICMP ID: 240
    ICMP SEQ: 60
    ICMP DATA: D???
    ICMP Payload Length: 6
    ICMP DATA-version2: abcdefghijklmnopqrstuvwabcdefghi
    ICMP Payload Length2: 2
Different ip fields    From: 10.10.10.11    To: 10.10.10.10
    Header Length:5    Version:4    TOS:0    ip_len:15360    ip_id:64881    ip_off:0    ip_ttl:32    ip_protocol:1    ip_checksum:39936
Different ICMP Fields
    ICMP_Type: 8
    ICMP_Code: 0
    ICMP_Checksum: 54659
    ICMP ID: 256
    ICMP SEQ: 51334
    ICMP DATA: abcdefghijklmnopqrstuvwabcdefghi
    ICMP Payload Length: 32
    ICMP DATA-version2: abcdefghijklmnopqrstuvwabcdefghi
    ICMP Payload Length2: 32
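The decoding problem the post describes (payload length taken with strlen() on data that carries no NUL terminator, and 16-bit IP fields printed in network byte order) is avoided by bounding the payload from the IPv4 header fields and validating the ICMP checksum before trusting anything. The following is an added example written for this thread, not the poster's code; it parses raw bytes instead of struct ip/struct icmp and uses a constructed 60-byte echo request (ip_id 64880 and the 32-byte payload taken from the output above) as sample input.

```c
/* Added example, not the poster's code: bound the ICMP payload by ip_hl/ip_len, verify the ICMP checksum. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define IPV4_MIN_HDR 20
#define ICMP_HDR     8

/* RFC 1071 ones'-complement checksum over len bytes (odd tail zero-padded). */
static uint16_t inet_cksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Payload length of an IPv4/ICMP datagram, or -1 if it is truncated, not ICMP,
 * or fails the ICMP checksum. ip_hl*4 skips options; ip_len bounds the data. */
static long icmp_payload_len(const uint8_t *pkt, size_t caplen, const uint8_t **payload) {
    if (caplen < IPV4_MIN_HDR || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;             /* header incl. options */
    size_t tot = (size_t)pkt[2] << 8 | pkt[3];             /* ip_len is network order */
    if (ihl < IPV4_MIN_HDR || pkt[9] != 1 /* IPPROTO_ICMP */) return -1;
    if (tot > caplen || tot < ihl + ICMP_HDR) return -1;
    if (inet_cksum(pkt + ihl, tot - ihl) != 0) return -1;  /* checksum covers ICMP hdr+data */
    if (payload) *payload = pkt + ihl + ICMP_HDR;
    return (long)(tot - ihl - ICMP_HDR);
}

/* Constructed sample: echo request 10.10.10.11 -> 10.10.10.10, ip_id 64880, ttl 32,
 * 32-byte payload as in the post. The IP header checksum is left zero (not checked here). */
static uint8_t sample[60];
static size_t build_sample(void) {
    static const uint8_t hdr[IPV4_MIN_HDR] = {0x45,0,0,60, 0xfd,0x70,0,0, 32,1,0,0,
                                              10,10,10,11, 10,10,10,10};
    uint8_t *ic = sample + IPV4_MIN_HDR;
    memcpy(sample, hdr, sizeof hdr);
    memset(ic, 0, ICMP_HDR);
    ic[0] = 8; ic[5] = 1; ic[7] = 1;                       /* type 8, id 1, seq 1 */
    memcpy(ic + ICMP_HDR, "abcdefghijklmnopqrstuvwabcdefghi", 32);
    uint16_t c = inet_cksum(ic, ICMP_HDR + 32);
    ic[2] = c >> 8; ic[3] = c & 0xff;
    return sizeof sample;
}

int main(void) {
    const uint8_t *data;
    long n = icmp_payload_len(sample, build_sample(), &data);
    printf("ICMP payload (%ld bytes): %.*s\n", n, (int)n, data);
    return n == 32 ? 0 : 1;
}
```

With a real capture, pass the bytes after the link-layer header as pkt and the pcap caplen as caplen; a truncated snapshot or a corrupted datagram is then reported as -1 instead of being printed as garbage.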