Reputation: 15
I am using `fp = pcap_open_dead(DLT_EN10MB,65535);` to capture frames in pcap format. But what fp = pcap_open_dead(**DLT_XXX**) should I use if I want to skip the Ethernet header? My module is working on layer 3, so I want to capture packets starting from layer 3.
```c
/* Open a "dead" pcap handle that carries only the link type and snapshot length. */
fp = pcap_open_dead(DLT_EN10MB, 65535);
if (NULL == fp)
{
    FPA_ERROR_PRINT("unable to open the dead interface \n");
    return 1;
}
```
Any help on this will be highly appreciated.
Thanks in advance.
Upvotes: 1
Views: 1845
Reputation:
> I am using `fp = pcap_open_dead(DLT_EN10MB,65535);` to capture frames in pcap format.

Presumably you mean "to write frames to a file in pcap format"; the "dead" in "pcap_open_dead" means "not live", as in "you can't capture packets from this".
(It's necessary because the `pcap_dump_open()` call doesn't take a DLT_ value and a snapshot length as a type, it takes a `pcap_t *` and gets the DLT_ value and snapshot length from there. That's convenient if you're saving packets from a live capture you opened with `pcap_open_live()` or `pcap_create()`/`pcap_activate()`, or another capture file you opened with `pcap_open_offline()`, but it's not very convenient if the packets aren't coming from libpcap/WinPcap.)

> But what fp = pcap_open_dead(DLT_XXX) should I use if I want to skip the Ethernet header? My module is working on layer 3, so I want to capture packets starting from layer 3.

If "layer 3" means "IP", so that all your packets are IPv4 or IPv6 packets, you want `DLT_RAW`.

Skipping the Ethernet header, however, is your job. If whatever mechanism is supplying the captured frames is supplying frames with Ethernet headers, then you have to skip the Ethernet header - and discard frames where the type/length field in the Ethernet header is anything other than 0x0800 for IPv4 or 0x86dd for IPv6 - and calculate the appropriate captured length and on-the-wire length (14 bytes fewer than the captured and on-the-wire lengths of the frames with Ethernet headers; if either of those is less than or equal to 14, discard the frame), and hand those, along with a pointer to the data after the Ethernet header, to `pcap_dump()`.
Upvotes: 0
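
The stripping step described in the answer above, as an added C example that is not part of the original answer. `strip_ether`, `struct l3_view`, `L2_HDR_LEN` and the two sample frames are names and data constructed for this illustration; the libpcap call appears only in a comment so the block builds without libpcap.

```c
#include <stdint.h>
#include <stdio.h>

#define L2_HDR_LEN 14u          /* Ethernet header: dst MAC, src MAC, type */

/* Layer-3 view of one frame, ready to be written as a DLT_RAW record. */
struct l3_view {
    const uint8_t *data;        /* first byte after the Ethernet header */
    uint32_t caplen;            /* captured length minus 14 */
    uint32_t len;               /* on-the-wire length minus 14 */
};

/* Returns 1 and fills *out for IPv4/IPv6 frames, 0 if the frame is dropped.
 * caplen and len are the frame's lengths including the Ethernet header. */
int strip_ether(const uint8_t *frame, uint32_t caplen, uint32_t len,
                struct l3_view *out)
{
    if (frame == NULL || out == NULL)
        return 0;
    /* Check lengths before touching frame[12..13]: 14 bytes or fewer
     * leaves no layer-3 data, and a short buffer must not be read. */
    if (caplen <= L2_HDR_LEN || len <= L2_HDR_LEN)
        return 0;
    /* Type/length field is big-endian at offsets 12 and 13. */
    uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
    if (type != 0x0800 && type != 0x86dd)   /* IPv4, IPv6 */
        return 0;
    out->data = frame + L2_HDR_LEN;
    out->caplen = caplen - L2_HDR_LEN;
    out->len = len - L2_HDR_LEN;
    return 1;
}

/* Constructed sample frames (truncated captures of 60-byte frames). */
const uint8_t sample_ipv4[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0,0,0x14 };
const uint8_t sample_arp[]  = { 255,255,255,255,255,255, 2,0,0,0,0,2, 0x08,0x06, 0,1 };

int main(void)
{
    struct l3_view v;
    if (strip_ether(sample_ipv4, sizeof sample_ipv4, 60, &v))
        printf("keep: caplen=%u len=%u\n", (unsigned)v.caplen, (unsigned)v.len);
    /* With libpcap, this is where the record is written:
     *   hdr.caplen = v.caplen; hdr.len = v.len;
     *   pcap_dump((u_char *)dumper, &hdr, v.data);            */
    if (!strip_ether(sample_arp, sizeof sample_arp, 60, &v))
        printf("drop: not IPv4/IPv6\n");
    return 0;
}
```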
Reputation: 350
I don't think you can. You need to manually skip the Ethernet header part when parsing the packet buffer.
Upvotes: 1