How can I parse an ethernet packet using libpcap?

Question

How can I parse an ethernet packet using libpcap?

I use libpcap in C ++ to read packages from pcap files, for example:

rc = pcap_next_ex((pcap_t*)handle, &header, (const unsigned char**)packet);

I would like to parse the packet header (no payload).

For example, how can I parse a given packet to extract its source and destintation IP addresses?

thanks

+4

c ++ parsing packet libpcap

user515766 May 24, '11 at 13:52

source share

2 answers

Ioannis Pappas · Answer 1 · 2011-06-24T14:56:13+0000

Get sample code for libpcap http://www.tcpdump.org/pcap.html

In got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet); function got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet); there is a *packet pointer pointing to the beginning of the packet. To parse ethernet headers you just need to use the appropriate pointer

 ethernet = (struct sniff_ethernet*)(packet);

For IP level

 ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);

If you want to parse other protocols, you just need to define your own structures. If you want (or do not want) to analyze the payload, you can (or not) define a pointer to the beginning of the payload.

cpx · Answer 2 · 2011-05-24T14:31:11+0000

The IP header data fields are packed in big-endian order, and the packet payload is attached immediately after the IP header. see example here

How can I parse an ethernet packet using libpcap?

More articles: