Question

I'm trying to figure out the data structure that is stored in 'buffer' after the following:

sock=socket(PF_PACKET, SOCK_RAW, htons(ETHERTYPE_IP));

recvfrom(sock, buffer, 2048, 0, NULL, NULL);

I'd like to be able to poke into the data structure and read in the link-layer, IP layer, and TCP layer if it is a TCP packet. I tried the man pages and some header files, but it's just all over the place.

Thanks in advance.


Solution

I believe what you're after is the RFC that specifies how IP is encapsulated in Ethernet. Sadly that RFC is very thin, but a more recent RFC includes significantly more detail.

OTHER TIPS

These are the raw bits that go over the wire (OSI layer 2). The man page for packet explains it pretty well.

What I would do is to get the output of this and compare it to the output of a Wireshark session looking at the same data. You then should be able to correlate the two and see what's going on.
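
As an added example (not part of the original question or answers), the sketch below walks the buffer such a socket returns: Ethernet header, then IPv4 header, then TCP header, bounds-checking every length field before it is used. It assumes Ethernet II framing with no VLAN tag; `parse_frame`, `frame_info` and `sample_frame` are hypothetical names, and the sample bytes are constructed. The offsets mirror `struct ether_header`, `struct iphdr` and `struct tcphdr` from the system headers.

```c
#include <stddef.h>
#include <stdint.h>

struct frame_info {              /* all values converted to host byte order */
    uint16_t ethertype, src_port, dst_port;
    uint32_t src_ip, dst_ip;
    uint8_t  ip_proto;
};

/* Constructed sample: Ethernet II + IPv4 + TCP SYN, checksums left at zero. */
const uint8_t sample_frame[54] = {
    0x02,0,0,0,0,0x02,  0x02,0,0,0,0,0x01,  0x08,0x00,             /* dst, src, type  */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, /* IPv4 header     */
    192,0,2,1,  192,0,2,2,                                         /* src, dst addr   */
    0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0,                        /* ports, seq, ack */
    0x50,0x02, 0xff,0xff, 0,0, 0,0                                 /* doff/flags, ... */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Returns 0: IPv4/TCP parsed; 1: IPv4 but no TCP header here (ports unset); -1: malformed or not IPv4. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *out)
{
    if (len < 14) return -1;                   /* dst MAC[6] | src MAC[6] | EtherType[2] */
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != 0x0800) return -1;   /* ETHERTYPE_IP */

    const uint8_t *ip = buf + 14;              /* IPv4 header starts right after Ethernet */
    size_t ip_len = len - 14;
    if (ip_len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length in bytes, options included */
    if (ihl < 20 || ihl > ip_len) return -1;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if (out->ip_proto != 6 || (rd16(ip + 6) & 0x1fff)) return 1;  /* not TCP, or later fragment */

    const uint8_t *tcp = ip + ihl;             /* TCP header follows the IP options */
    size_t tcp_len = ip_len - ihl;
    if (tcp_len < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;  /* TCP header length; payload starts at tcp + doff */
    if (doff < 20 || doff > tcp_len) return -1;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    return 0;
}

int main(void) { struct frame_info fi; return parse_frame(sample_frame, sizeof sample_frame, &fi); }
```

Reading fields byte by byte instead of casting the buffer to the header structs avoids alignment and byte-order mistakes, and the length checks keep a truncated or hostile frame from driving reads past the end of the buffer.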

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow