tcpdump mailing list archives

Re: live capture Ethernet gives me zero-packets


From: Guy Harris <guy () alum mit edu>
Date: Mon, 4 Apr 2011 00:24:38 -0700


On Apr 3, 2011, at 11:38 PM, Andrej van der Zee wrote:

I am trying to get started with a live capture using libpcap. Somehow I
cannot get the contents of a packet. It seems that all bytes are zeroed.
Here is the source code:

        ...

void callback(u_char *user, const struct pcap_pkthdr *pkthdr, const u_char *pkt)
{
    /* caplen is a bpf_u_int32, so it is printed with %u rather than %d */
    fprintf(stdout, "caplen=%u, pkt[12]=%d, pkt[13]=%d\n", pkthdr->caplen,
            pkt[12], pkt[13]);
}

That's not checking all bytes, that's just checking the bytes at an offset of 12 and 13.

int main(int argc,char **argv)
{
 char errbuf[PCAP_ERRBUF_SIZE];
 pcap_t * pd;

 if(NULL == (pd = pcap_open_live("any", BUFSIZ, 1, 0, errbuf)))

The "any" device has a link-layer header type of LINKTYPE_LINUX_SLL/DLT_LINUX_SLL (it exists only on Linux); the 
description of the link-layer header for that header type, as described by

        http://www.tcpdump.org/linktypes.html

is "Linux "cooked" capture encapsulation", and that description text links to

        http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

which says the header is:

+---------------------------+
|         Packet type       |
|         (2 Octets)        |
+---------------------------+
|        ARPHRD_ type       |
|         (2 Octets)        |
+---------------------------+
| Link-layer address length |
|         (2 Octets)        |
+---------------------------+
|    Link-layer address     |
|         (8 Octets)        |
+---------------------------+
|        Protocol type      |
|         (2 Octets)        |
+---------------------------+

followed by the payload, so the bytes at offsets of 12 and 13 from the beginning of the packet are the octets at 
offsets of 6 and 7 from the beginning of the link-layer address.  For PPP, the link-layer address is probably 
zero-length, and for most LANs, the link-layer address is 6 octets long, so, if the rest of the link-layer address 
field is zeroed out, the octets in question will be 0.

(No, the "any" device doesn't give you Ethernet packets, even if, at the time you start the capture, the only 
interfaces on your machine are Ethernet interfaces.  If you want to capture on a particular Ethernet device, use its 
name, e.g. "eth0", in which case you'll presumably get packets that have Ethernet headers - although you should 
probably check the value returned by pcap_datalink() whenever you do any pcap_open call, including pcap_open_offline() 
to read from a savefile, or when you do pcap_create()/.../pcap_activate().)
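Added example, not part of this thread and not libpcap's own code: it decodes the LINKTYPE_LINUX_SLL header laid out above next to a plain Ethernet header, so the same IPv4 packet can be compared as the "any" device and as an "eth0"-style capture would present it. The DLT numbers (1 for DLT_EN10MB, 113 for DLT_LINUX_SLL) are repeated locally as an assumption so the file builds without libpcap; in a real program you would include <pcap.h> and take the value from pcap_datalink() after the open, as the reply recommends. Both sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Link-layer header type numbers as libpcap defines them in <pcap/dlt.h>.
 * Repeated here (assumption: values 1 and 113) so this file builds without
 * libpcap; a real program includes <pcap.h> and gets the value from
 * pcap_datalink() after pcap_open_live()/pcap_activate(). */
#define DLT_EN10MB    1     /* Ethernet */
#define DLT_LINUX_SLL 113   /* Linux "cooked" capture, what the "any" device gives */

#define ETHER_HDR_LEN 14    /* dst MAC(6) + src MAC(6) + EtherType(2) */
#define SLL_HDR_LEN   16    /* the five fields of the LINKTYPE_LINUX_SLL header */

struct link_info {
    size_t   hdr_len;      /* bytes to skip to reach the network-layer payload */
    uint16_t proto;        /* EtherType-style protocol of that payload */
    uint16_t sll_pkttype;  /* SLL only: packet type (0 = unicast to us, 4 = sent by us, ...) */
    uint16_t sll_arphrd;   /* SLL only: ARPHRD_ type of the capturing interface */
    uint16_t sll_halen;    /* SLL only: how many of the 8 address octets are used */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode the link-layer header selected by dlt. Returns 0 on success, -1 when
 * the DLT is not handled here or the snapshot is shorter than the header. */
int parse_link_header(int dlt, const uint8_t *pkt, size_t caplen, struct link_info *out)
{
    memset(out, 0, sizeof *out);
    switch (dlt) {
    case DLT_EN10MB:
        if (caplen < ETHER_HDR_LEN)
            return -1;
        out->hdr_len = ETHER_HDR_LEN;
        out->proto   = be16(pkt + 12);   /* EtherType is at offsets 12..13 */
        return 0;
    case DLT_LINUX_SLL:
        if (caplen < SLL_HDR_LEN)
            return -1;
        out->hdr_len     = SLL_HDR_LEN;
        out->sll_pkttype = be16(pkt + 0);
        out->sll_arphrd  = be16(pkt + 2);
        out->sll_halen   = be16(pkt + 4);
        /* offsets 6..13 are the link-layer address, zero-padded to 8 octets;
         * for a 6-octet Ethernet address, offsets 12 and 13 are the padding */
        out->proto       = be16(pkt + 14); /* protocol type is at offsets 14..15 */
        return 0;
    default:
        return -1;
    }
}

/* Constructed 20-octet IPv4 header used as the payload of both samples
 * (192.168.0.1 -> 192.168.0.2, protocol ICMP; checksum left as zero). */
#define SAMPLE_IPV4 \
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, \
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0x02

/* Constructed "cooked" frame as captured on "any": packet type 0 (to us),
 * ARPHRD_ETHER (1), address length 6, MAC 02:00:00:00:00:01 plus 2 pad
 * octets, protocol 0x0800 (IPv4). */
const uint8_t SAMPLE_SLL[] = {
    0x00, 0x00,  0x00, 0x01,  0x00, 0x06,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  0x00, 0x00,
    0x08, 0x00,
    SAMPLE_IPV4
};

/* The same packet as an Ethernet frame captured on a device such as "eth0". */
const uint8_t SAMPLE_ETH[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* destination MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* source MAC */
    0x08, 0x00,                           /* EtherType IPv4 */
    SAMPLE_IPV4
};

/* What the original callback printed, returned as one value: octets 12 and 13. */
uint16_t raw_offset_12_13(const uint8_t *pkt)
{
    return be16(pkt + 12);
}

static void show(const char *name, int dlt, const uint8_t *pkt, size_t caplen)
{
    struct link_info li;
    if (parse_link_header(dlt, pkt, caplen, &li) != 0) {
        printf("%s: unsupported DLT %d or truncated capture\n", name, dlt);
        return;
    }
    printf("%s: DLT=%d pkt[12..13]=0x%04x hdr_len=%zu proto=0x%04x payload[0]=0x%02x\n",
           name, dlt, raw_offset_12_13(pkt), li.hdr_len, li.proto, pkt[li.hdr_len]);
}

int main(void)
{
    show("any/SLL", DLT_LINUX_SLL, SAMPLE_SLL, sizeof SAMPLE_SLL);
    show("eth0/EN", DLT_EN10MB,    SAMPLE_ETH, sizeof SAMPLE_ETH);
    return 0;
}
```

On the cooked frame the octets at 12 and 13 are the address padding and read as zero, while on the Ethernet frame they are the EtherType; only after dispatching on the DLT does the decoder land on the right protocol field and payload offset for both. In a capture program the natural way to get the DLT into the callback is to pass the pcap_datalink() result through the user argument of pcap_loop()/pcap_dispatch().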