I'm having some problems with this I think. This is what my code looks like
(irrelevant bits omitted):
    struct ip *ip_packet = (struct ip*)(packet + sizeof(struct ether_header));
    struct tcphdr *tcp_packet = (struct tcphdr*)(packet + sizeof(struct ether_header)
                                                 + sizeof(struct ip));

    if(ip_packet->ip_hl >= 5)
    {
        if(ip_packet->ip_len > (4 * ip_packet->ip_hl))
        {
            int tcp_length = ip_packet->ip_len - (4 * ip_packet->ip_hl);
            if(tcp_packet->doff >= 5)
            {
                if(tcp_length > (tcp_packet->doff * 4))
                {
                    int payload_length = tcp_length - (tcp_packet->doff * 4);
                    ofstream out("payload_sizes2", ios::app);
                    out << payload_length << endl;
                    out.close();
                }
            }
        }
    }

Does this look correct? I've also got a program written in Java that does
the same thing as this (using Jpcap, http://jpcap.sourceforge.net) and
running the two programs on the same data gives different values. For
example, the first 5 values given by my Java program are 5, 0, 0, 0, 0
whereas using libpcap with C/C++ gives 14540, 13260, 12240, 15300, 12240.
I've also asked on Jpcap's forum.
Regards,
Nicky Chorley
On 08/08/2007, Nick Chorley <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I have found another post in the mailing list about this (
> http://www.tcpdump.org/lists/workers/2005/05/msg00021.html), but it
> appears to use structs sniff_ip and sniff_tcp that are declared in the
> sniffex program. In my program, I'm using the structs for the IP and TCP
> headers as defined in netinet/ip.h and netinet/tcp.h, respectively. Is there
> a way to get the TCP payload length using these, or do I necessarily need to
> "create" my own structs?
>
> On another (unrelated) note, is there no search facility for the mailing
> lists?
>
> Regards,
>
> Nicky Chorley
>
-
This is the tcpdump-workers list.