giorgos

Reputation: 37

How to get IP address from ICMP packets using jnetpcap

I am using jnetpcap to analyze pcap files. I know how to get addresses when I encounter an IP header:

if (packet.hasHeader(ip) && packet.hasHeader(tcp) && tcp.flags_SYN()) {
    sIP = packet.getHeader(ip).source();
    sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP);
}

but I don't know how to get the address when I have the ICMP header. I tried this

else if (packet.hasHeader(icmp)) {
    sIP = packet.getHeader(icmp).source();
    sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP);
}

but apparently, it isn't valid. Any ideas? Thank you in advance.

UPDATE: I used

if (packet.hasHeader(ip, 1)) {
    sIP = ip.source();
    sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP);
}

but I got an error:
Exception in thread "main" java.lang.NullPointerException at diplomatiki.Ex2.main(Ex2.java:83)

Line 83 contains the command:

 sIP=packet.getHeader(ip,1).source();

I tried to follow Mark's advice and added

System.out.println(packet.getState().toDebugString());

I realized that the program got stuck on the third packet, so I tried to get what's in the fourth. This is what I got:

JMemory: JMemory@4b8838class org.jnetpcap.packet.JPacket$State: size=240 bytes
JMemory: owner=packet.JScanner.class(size=136528/offset=35128)
JPacket.State#004: sizeof(packet_state_t)=120
JPacket.State#004: sizeof(header_t)=40 and *3=120
JPacket.State#004:   pkt_header_map=0x16
JPacket.State#004:        pkt_flags=0x0
JPacket.State#004: pkt_header_count=3
JPacket.State#004:      pkt_wirelen=62
JPacket.State#004   : [  Protocol(ID/Flag) | Start | Prefix | Header | Gap | Payload | Postfix ]
JPacket.State#004[0]: [  ETHERNET( 1/0800) |     0 |      0 |     14 |   0 |      48 |       0 ]
JPacket.State#004[1]: [       IP4( 2/0800) |    14 |      0 |     20 |   0 |      28 |       0 ]
JPacket.State#004[2]: [       TCP( 4/0800) |    34 |      0 |     28 |   0 |       0 |       0 ]

Does it say anything to you?

Upvotes: 1

Views: 1416

Answers (2)

Mark Bednarczyk

Reputation: 188

You are still using getHeader instance 1 where it doesn't exist (i.e. in the 4th packet). Again, I would advise you to use hasHeader instead. Same result, but it does not throw null exceptions when the header instance does not exist. If you also need the ICMP header, then combine them in a single if() statement:

if(packet.hasHeader(ip, 1) && packet.hasHeader(icmp)) { sIP = ip.source(); }

Upvotes: 0

Mark Bednarczyk

Reputation: 36

Hi, the correct usage is to use packet.hasHeader(ip, 1). This will get the second instance of IPv4 and bind it to the packet. Also note that your usage of getHeader is redundant. hasHeader automatically binds the header to the packet if the header exists.

i.e. if(packet.hasHeader(ip, 1)) { sIP=ip.source(); sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP); }

To help visualize, for debugging purposes, and to see exactly which headers have been dissected and are stored in the packet state table, use the following code snippet to dump the contents:

System.out.println(packet.getState().toDebugString());

Hope this helps.

Upvotes: 1
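
An added example, not code from the question or either answer: ICMP itself carries no address fields, so the sender comes from the enclosing Ip4 header, while hasHeader(ip, 1) can only match ICMP error messages that quote a second IPv4 header. The two hex frames, their documentation-range addresses, and the class and method names are constructed for illustration; the code assumes jnetpcap 1.x's JMemoryPacket(int, String) constructor and that the dissector binds the quoted header as instance 1, as the answers above describe.

```java
import org.jnetpcap.packet.JMemoryPacket;
import org.jnetpcap.packet.JPacket;
import org.jnetpcap.packet.format.FormatUtils;
import org.jnetpcap.protocol.JProtocol;
import org.jnetpcap.protocol.network.Icmp;
import org.jnetpcap.protocol.network.Ip4;

public class IcmpAddresses {
    // Constructed sample frames; checksum fields are left as zero.
    // Echo request 192.0.2.10 -> 198.51.100.7: exactly one IPv4 header.
    static final String ECHO =
          "020000000002 020000000001 0800 "
        + "45000020 00010000 40010000 c000020a c6336407 "
        + "08000000 00010001 61626364";
    // Host unreachable sent by router 203.0.113.1 to 192.0.2.10, quoting the
    // IPv4 + UDP headers of the original datagram 192.0.2.10 -> 198.51.100.7.
    static final String UNREACH =
          "020000000001 020000000003 0800 "
        + "45000038 00030000 40010000 cb007101 c000020a "
        + "03010000 00000000 "
        + "4500001c 00020000 3f110000 c000020a c6336407 "
        + "d431829a 00080000";

    static String describe(String hexFrame) {
        JPacket packet = new JMemoryPacket(JProtocol.ETHERNET_ID, hexFrame);
        Ip4 ip = new Ip4();
        Icmp icmp = new Icmp();
        // hasHeader binds the header on success, so no getHeader (and no NPE).
        if (!packet.hasHeader(ip) || !packet.hasHeader(icmp)) {
            return "not ICMP over IPv4";
        }
        // Instance 0 of Ip4 is the header that actually carried the ICMP message.
        String out = "type=" + icmp.type() + " code=" + icmp.code()
                   + " sender=" + FormatUtils.ip(ip.source());
        // Instance 1 exists only when an ICMP error quotes the original datagram.
        Ip4 quoted = new Ip4();
        if (packet.hasHeader(quoted, 1)) {
            out += " quoted=" + FormatUtils.ip(quoted.source())
                 + "->" + FormatUtils.ip(quoted.destination());
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println(describe(ECHO));
        System.out.println(describe(UNREACH));
    }
}
```

When attributing traffic from a capture, treat the quoted addresses as data supplied by whoever sent the ICMP error, not as an independently observed flow.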
