> Exactly what is the structure of the raw packet returned from loop() ?
It's whatever a link-layer packet looks like on the particular type of interface from which you're reading. If, for example, it's an Ethernet interface - i.e., if "pcap_datalink()", when passed the "pcap_t" returned by "pcap_open_live()", returns DLT_EN10MB - then the raw packet has a 14-byte Ethernet/802.3 header, followed by whatever payload the machine transmitting the packet put there.

In the case of Ethernet, you'd have to look at the type/length field; if it's > 1500, it's a type field, and the value of the type field determines what the payload is (for example, hex 0800 means it's an IPv4 packet, so after the 14-byte link-layer header comes an IPv4 header). If it's <= 1500, it's a length field, and the payload probably starts with an 802.2 LLC header (although if it starts with 0xFFFF, it's probably Netware running atop raw 802.3).

Similar things would be done for other network types. I.e., there is no simple answer.

Take a look at the "printers[]" table in "tcpdump.c" in the tcpdump source; there's a whole list of routines, which handle different DLT_ (data link) types. Then look at those routines; if you want to write a packet sniffer, you'll have to, at minimum, do what "ether_if_print()", and the routines it calls, does - and if you want to handle networks other than Ethernet, you'll have to do what some of the other "if_print" routines do.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
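The Ethernet rules in the reply above, written out as an added C example that is not from the list message or from the tcpdump source. It is the classification a pcap callback could run on the packet bytes once pcap_datalink() has returned DLT_EN10MB; the enum, struct and function names are mine, the sample frames are constructed, and the length passed in is assumed to be pcap_pkthdr.caplen.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHER_HDR_LEN 14

/* What follows the 14-byte Ethernet header, per the rules in the reply. */
enum eth_payload {
    ETH_TRUNCATED,   /* capture shorter than the link-layer header */
    ETH_IPV4,        /* type field 0x0800: IPv4 header starts at offset 14 */
    ETH_OTHER_TYPE,  /* type field (> 1500) other than IPv4 */
    ETH_RAW_8023,    /* length field, payload begins 0xFFFF: Netware on raw 802.3 */
    ETH_LLC          /* length field, payload is an 802.2 LLC header */
};

struct eth_info {
    enum eth_payload kind;
    uint16_t type_or_len;  /* big-endian 16-bit field at offset 12 */
    size_t payload_off;    /* offset of the payload, 14 when not truncated */
};

/* pkt is the buffer a pcap callback receives; caplen is pcap_pkthdr.caplen,
 * the number of bytes actually captured (do not trust the on-wire length). */
struct eth_info classify_ethernet(const uint8_t *pkt, size_t caplen)
{
    struct eth_info info = { ETH_TRUNCATED, 0, 0 };
    if (caplen < ETHER_HDR_LEN)
        return info;                       /* never read past caplen */
    info.type_or_len = (uint16_t)((pkt[12] << 8) | pkt[13]);
    info.payload_off = ETHER_HDR_LEN;
    if (info.type_or_len > 1500)           /* Ethernet II: it is a type */
        info.kind = (info.type_or_len == 0x0800) ? ETH_IPV4 : ETH_OTHER_TYPE;
    else if (caplen >= ETHER_HDR_LEN + 2 && pkt[14] == 0xFF && pkt[15] == 0xFF)
        info.kind = ETH_RAW_8023;          /* 802.3 length, raw Netware */
    else
        info.kind = ETH_LLC;               /* 802.3 length, 802.2 LLC */
    return info;
}

/* Constructed sample frames (not captured traffic): 12 address bytes, then the field. */
static const uint8_t sample_ipv4[]    = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45,0x00};
static const uint8_t sample_raw8023[] = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x00,0x2e, 0xff,0xff};
static const uint8_t sample_llc[]     = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x00,0x2e, 0xaa,0xaa,0x03};

int main(void)
{
    printf("ipv4 -> kind %d\n", classify_ethernet(sample_ipv4, sizeof sample_ipv4).kind);
    printf("raw 802.3 -> kind %d\n", classify_ethernet(sample_raw8023, sizeof sample_raw8023).kind);
    printf("llc -> kind %d\n", classify_ethernet(sample_llc, sizeof sample_llc).kind);
    return 0;
}
```

In a real sniffer the callback registered with pcap_loop() would pass the packet pointer and the header's caplen into classify_ethernet() and then hand the bytes at payload_off to the matching printer, the way tcpdump's "ether_if_print()" does.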
