Question

I'm working with libpcap in C on linux (centos) and I'm following this guide I want to simply print out the entire packet in ascii and i'v managed to get it working by casting it a u_char* in the "my_callback" function. But I can't figure out how to get the length of the data. strstr didn't work. the header has a len member that you can access to get the size but I can't find anything similar for the *packet being passed. Any help is appreciated.

Was it helpful?

Solution

In your callback the caplen member of the pkthdr variable (see struct pcap_pkthdr) contains the size of the captured packet.

For example assume a packet is captured. The total length of the frame is 1024 bytes. However the capture driver only captured the first 128 bytes of the frame and made it available to your callback.

In this case you should expect pkthdr->caplen to be 128 and header->len to be 1024.

OTHER TIPS

The total packet size is at the "total length" field at the ip header (http://en.wikipedia.org/wiki/IPv4_header#Total_Length).

How to get that value with libpcap can be found at this example: http://www.tcpdump.org/sniffex.c

You just have to get the value of the field that references to the "total length" (named ip_len) from this variable:

const struct sniff_ip *ip;              /* The IP header */
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top