endianness,libpcap , Trouble capturing IP packets with libpcap


Trouble capturing IP packets with libpcap

Question:

Tag: endianness,libpcap

First the structs:

/* Ethernet addresses are 6 bytes */
#define ETHER_ADDR_LEN  6

/* Ethernet header */
struct sniff_ethernet {
    u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
    u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
    u_short ether_type; /* IP? ARP? RARP? etc */
};
#define ETHERTYPE_IP        0x0800      /* IP */

/* IP header */
struct sniff_ip {
    u_char ip_vhl;      /* version << 4 | header length >> 2 */
    u_char ip_tos;      /* type of service */
    u_short ip_len;     /* total length */
    u_short ip_id;      /* identification */
    u_short ip_off;     /* fragment offset field */
    u_char ip_ttl;      /* time to live */
    u_char ip_p;        /* protocol */
    u_short ip_sum;     /* checksum */
    struct in_addr ip_src,ip_dst; /* source and dest address */
};
#define IP_HL(ip)       (((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)        (((ip)->ip_vhl) >> 4)

I have opened the network device with pcap_open_live, the pcap_datalink is DLT_EN10MB for that device, but I am receiving lots of IP headers with 0 length, weird version number, etc. Here's a snippet that outputs this:

    eth = (struct sniff_ethernet*)(packet);
    ip = (struct sniff_ip*)(eth + 14); /* ETHERNET = 14 */
    int version_ip = IP_V(ip);
    int size_ip = IP_HL(ip)*4;

     printf("caplen=%d len=%d eth->type=%d version_ip=%d size_ip=%d !\n", header.caplen, header.len, eth->ether_type, version_ip, size_ip);

And some sample output:

caplen=94 len=94 eth->type=8 version_ip=0 size_ip=0 !
caplen=159 len=159 eth->type=8 version_ip=9 size_ip=12 !
caplen=110 len=110 eth->type=8 version_ip=0 size_ip=12 !
caplen=200 len=336 eth->type=8 version_ip=4 size_ip=20 ! (this one is OK)

What is going on here?


Answer:

Found the problem...

eth = (struct sniff_ethernet*)(packet);
ip = (struct sniff_ip*)(eth + 14); /* should be (packet + 14) */

The 'smart' C pointer arithmetics doesn't add 14 bytes, but 14*sizeof(struct sniff_ethernet).


Related:


Is it possible to check if an interface is activated in pcap?


c++,assert,pcap,libpcap
I am making a basic packet sniffer using pcap.h. While I was unit testing the function that called pcap_dispatch, I gave it non-activated interfaces and invalid interfaces. pcap_dispatch return -3, and as far as the man pages for pcap_dispatch goes, it should only return -2, -1, or more, but never...

Porting C endianness & pointers black magic to Swift


c,swift,pointers,endianness
I'm trying to translate this snippet : ntohs(*(UInt16*)VALUE) / 4.0 and some other ones, looking alike, from C to Swift. Problem is, I have very few knowledge of Swift and I just can't understand what this snippet does... Here's all I know : ntohs swap endianness to host endianness VALUE...

Java: Efficiently converting an array of longs to an array of bytes


java,arrays,type-conversion,long-integer,endianness
I have an array of longs I want to write to disk. The most efficient disk I/O functions take in byte arrays, for example: FileOutputStream.write(byte[] b, int offset, int length) ...so I want to begin by converting my long[] to byte[] (8 bytes for each long). I'm struggling to find...

How to swap endianness of Int16 without BitConverter


c#,.net,binary,bit-manipulation,endianness
I need to read binary files containing millions of Int16 stored as big endian. My first method was to use BitConverter and Array.Reverse() but that appears too slow for my purpose. Is there a way to do it with bitwise arithmetic instead ?...

Using libpcap to library sample dump files


sample,libpcap,bpf
Using libpcap has proven really easy, but, speed is always an issue with giant (in an arbitrary sense) .pcap dumps. Are there any common practices for just sampling a dump? Perhaps something that effectively says "Read every fifth frame" as the pcap filter, Or should I simply just do nothing...

How do I do a bit-wise XOR on NSData in Objective-C?


objective-c,xcode5,nsdata,endianness,xor
I have two NSData objects, data1 and data2, and I'd like to do a bit-wise XOR and store the result in a third NSData object, xorData. The first thing I tried was this: *data1.bytes^*data2.bytes; but it gave an error of: Invalid operands to binary expression ('const void' and 'const void')...

Convert a char array into an integer (big and little endian)


c,linux-kernel,endianness
I am trying to convert a char array into integer, then I have to increment that integer (both in little and big endian). Example: char ary[6 ] = { 01,02,03,04,05,06}; long int b=0; // 64 bits this char will be stored in memory address 0 1 2 3 4 5...

How do I turn on nanosecond precision when capturing live traffic?


c,linux,pcap,libpcap,packet-capture
How do I tell libpcap v1.6.2 to store nanosecond values in struct pcap_pkthdr::ts.tv_usec (instead of microsecond values) when capturing live packets? (Note: This question is similar to How to enable nanosecond resolution when capturing live packets in libpcap? but that question is vague enough that I decided to ask a...

pcap_dispatch() always returns 0 on Mac OSX for wifi interface


osx,pcap,libpcap,arp
I have few devices connected to wifi router, but pcap_dispatch() always returns 0 for wifi interface while live capturing on Mac OS X. The same code captures response in case of wired interface. Please clarify if I have missed any flag here.

Are Berkeley Packet Filter opcode values implementation defined?


kernel,libpcap,tcpdump,bpf
Are Berkeley Packet Filter opcode values implementation defined? I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior is the same, but the actual opcode values themselves seem different. I went looking...

Do word size and endianness interplay when writing cross platform bit level code?


c#,endianness
I was just looking at this answer which gives the following sample code to convert an int to an array of bytes: int intValue; byte[] intBytes = BitConverter.GetBytes(intValue); if (BitConverter.IsLittleEndian) Array.Reverse(intBytes); byte[] result = intBytes; I looked up Endianness and found that the reversal of bytes (or lack thereof) is...

Clean way to make portable endian-correct file-reading / writing code in C++


c++,boost,endianness
I want to write some C++ code that can read and write from files in an endian-correct way. More exactly, I want to be able to read a particular type of file, whose endianness I can easily detect (its magic number being reversed or not). But how would I then...

Blowfish encryption and decryption across c sockets


c++,sockets,encryption,endianness,blowfish
I'm using the following implementation of blowfish (with some stuff cut out of the middle) to encrypt and decrypt messages. I am attempting to encrypt a message on a big endian machine (SunOS 5.10), and then send it over a socket to a little endian machine (linux). I can encrypt...

How can I simulate an environment where BitConverter.IsLittleEndian is the opposite for my unit tests?


c#,.net,unit-testing,endianness
I am using the two methods BitConverter.GetBytes and Array.Reverse to read and write binary data from a file due the endianness. My unit tests are passing and the implementation seems fine. How can I simulate an environment where BitConverter.IsLittleEndian is the opposite for my unit tests?...

Does zlib's “uncompress” preserve the data's original endianness, or does it do an endian conversion?


zlib,endianness,uncompress
I am working with legacy C++ code that accesses two-byte integer data compressed in a sqlite database. The code uses zlib's uncompress function to extract the data, which comes out on my little-endian machine as little-endian values. To allow for the possibility that this code may be ported to big-endian...

How can a C++ template be specialized for all 32-bit POD types?


c++,templates,endianness,template-specialization,specialization
I've developed a simple template function for swapping the byte order of a single field: template <typename T> inline void SwapEndian(T& ptr) { char *bytes = reinterpret_cast<char*>(&ptr); int a = sizeof(T) / 2; while (a--) { char tmp = bytes[a]; int b = sizeof(T) - 1 - a; bytes[a] =...

Read libcap file with specific endianness


c,network-programming,endianness,tcpdump
I wrote a c-lang program to read a .pcap file.What fogs me is that the data I read was with a different endianness as to WireShark. I'm working on X86 ach, as I can see, it's LittleEndian. So, can I read the .pcap file with BigEndian? How? Code fragments: /*...

Store typed array in ArrayBuffer


javascript,endianness,arraybuffer,typed-arrays
I have an ArrayBuffer of data which is composed of Uint8s. Each is in network byte order (big-endian). My goal is to convert each Uint8 into little-endian order, but then put them back in the ArrayBuffer. I know I can easily separate the individual Uints by using a typed array,...

writing pcap packets into a structure with libpcap


pcap,libpcap,winpcap
I have a pcap file captured by wireshark, now I need to read each packet of it and write them to a vector of structure. I got some promblem with writing packets into the structure. the structure: struct pktStruct { struct pcap_pkthdr * pkt_header; // header object const u_char *...

Trouble capturing IP packets with libpcap


endianness,libpcap
First the structs: /* Ethernet addresses are 6 bytes */ #define ETHER_ADDR_LEN 6 /* Ethernet header */ struct sniff_ethernet { u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */ u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */ u_short ether_type; /* IP? ARP? RARP? etc */ }; #define ETHERTYPE_IP 0x0800 /* IP */ /*...

gethostbyname and endianness - how are the bytes returned?


winapi,language-agnostic,winsock,endianness
On my (Intel) x86 machine, I've noticed that if I printf the results of gethostbyname for localhost, I get 100007F, even though the MSDN documentation states it should return the IP in network byte order, aka big endian. I searched a bit and found this topic. Based on the answers...

How to merge two pcap files with libpcap?


pcap,libpcap,winpcap
I already know how to read a pcap file and get the packets it have.B ut how can I write the packets into a new pcap file? I need this to merge two pcap files into one.

Explanation of HEX value representation and Endianess


c,hex,endianness
I was working on a script to basically output some sample data as a binary blob. I'm a new intern in the software field and vaguely remember the idea of endianness. I realize that the most significant bits for big-endian starts at the top and works down the memory block....

capture traffic from emulator to a server on the same machine


android,http,ios-simulator,pcap,libpcap
I am trying to capture http traffic using pcap4j from an android emulator / ios simulator to a server which is hosted on the same machine. The machine can run either linux / windows or osx. I tried capturing packets from wireshark first for testing, but it didn't catch any....

Why conditional byte order is bad?


endianness,byte-order
Linus claims[12] that conditional byte order is worse than silly. The first thing comes to my mind is ZFS but surely there must be other examples. He wrote: The only sane model is to specify one fixed byte order. Seriously. It's equally portable, it generates better code - even on...