|
| chris wrote:
> I think there is something wrong with the way I am processing packets
> because the protocol numbers I extract from the IP header don't make sense
>
> Getting packets from the BPF device:
>
> #define bpfHeader ((struct bpf_hdr *) packet)
>
> for ( ; ; ) {
> if ( (nread = read(ps.bpf_fd, buf, len)) < 0)
> errSys("read error while reading from %s", ps.bpfpath);
>
> safeEndOfData = buf + (nread - sizeof(struct bpf_hdr));
>
> /* Process data */
> for(packet = buf; packet < safeEndOfData;
> packet += BPF_WORDALIGN(bpfHeader->bh_hdrlen +
> bpfHeader->bh_caplen))
> {
> packetStart = packet + bpfHeader->bh_hdrlen;
> toEndSize = nread - (packet - buf);
> capturedSize = bpfHeader->bh_caplen;
>
> /* Paranoya */
> if(toEndSize < capturedSize)
> capturedSize = toEndSize;
>
> processPacket(packetStart, capturedSize);
> }
>
> }
>
> Printing out the protocol number:
>
> int
> processPacket(void *packet, int size)
> {
> struct ip *iphdr;
>
> iphdr = (struct ip *) packet;
>
> printf("%d packet captured; %d bytes\n", ntohs(iphdr->ip_p), size);
> return 0;
> }
>
>
> Here is some output:
>
>
> Aurora:/Users/chris/dev/network/packetsniffer root# ./ps
> listening on en0
> using /dev/bpf0
> associated en0 with /dev/bpf0
> using data link type of EN10MB (Ethernet)
> interface put into promiscuous mode
> using buffer size of 4096 bytes
>
> staring packet capture...
>
> 144 packet captured; 112 bytes
> 144 packet captured; 104 bytes
Problem fixed:
packet += sizeof(struct ether_header);
iphdr = (struct ip *) packet;
printf("%02X packet captured; %d bytes\n", iphdr->ip_p, size);
I guess it had something to do with precedence?
|
|