i have followed code in here , fixed issue printing out ip address. worked when reads captured file machine , results same tcpdump. however, when read pcap file (captured boundary router of big network), gives me totally different ip addresses. found these pcap contains vlan in ethernet frames. how can detect if packet contains vlan header?
you'd have examine physical layer protocol (most ethernet nowadays) , determine ethernet type (the 13th , 14th bytes of ethernet header).you can view example list of possible ethernet types here.
if type 0x0800 (ipv4) should work expected.
however, if ethertype 0x8100 (802.1q) you'd have extract actual payload type vlan header (the 17th , 18th bytes)
here crude code bypass upper layers starting base address pointing @ ethernet beginning
char *get_ip_hdr(char *base) { // if frame not ethernet retun null uint16_t ether_type = ntohs(*(uint16_t *) (base + 12)); if (ether_type == 0x0800 ) { return base + 14; } else if (ether_type == 0x8100 ) { // vlan tag ether_type = ntohs(*(uint16_t *) (base + 16)); if (ether_type == 0x800) { return base + 18; } } return null } note wary of double vlan tagging , take necessary similar steps skip well.
Comments
Post a Comment