Question
I'm learning with libpcap from this http://www.tcpdump.org/pcap.html and I've run into problem with this code:
https://stackoverflow.com/questions/20584686
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianstruct sniff_ethernet {
u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
u_short ether_type; /* IP? ARP? RARP? etc */
};
...
const struct sniff_ethernet *ethernet; /* The ethernet header */
ethernet = (struct sniff_ethernet*)(packet);
I'm getting ether_type values with swapped bytes. I think the reason is that I'm using x86_64 little-endian machine where LSB is at lowest address and in the packet byte stream the ether_type MSB is before LSB. The question is: is the example code working on big-endian machine only or am I missing something?
Solution
The example code at http://www.tcpdump.org/pcap.html is not looking at the Ethernet type, so it works regardless of the byte order of the machine on which it's running. It's relying on the capture filter ("port 23") not to capture non-IPv4 traffic.
You'll have to, for example, use ntohs() on the ether_type field when you use its value in your code.
