(Redirected to [EMAIL PROTECTED]; LBL are no longer developing or supporting libpcap or tcpdump, as far as I can tell.)
> Could you tell me if it is possible to get the information about kind of
> packet I caught? Let's assume I use bpf filter which allows only TCP and UDP
> packets to go up my protocol stack. How can I recognize which one I have in
> *p obtained from pcap_dispatch?

By looking at the link-layer header to see whether the packet is an IP packet, and, if it is, skipping past the link-layer header to see whether the packet is a UDP or TCP packet.

> Bpf does the header
> checking so it could inform me that this packet is TCP and this one is UDP.

"BPF" can refer to many different things. If it refers to the BPF interpreter in some kernels, and in libpcap, it has no idea whether a packet is TCP or UDP; all it knows is whether a BPF machine-language program returned a non-zero value or not - that program, and the interpreter that interprets it, have no deep semantic understanding of packet contents.

You could, I guess, compile the filter expressions "tcp" and "udp" into filters, using "pcap_compile()", and use "bpf_filter()" (which is part of the libpcap library, although it's not an officially documented API) to check whether the packet is BPF.

However, once you've determined whether the packet is TCP or UDP, you might well then have to do more work on its contents, in which case you might want to know, for example, where the TCP or UDP payload is, or where the TCP or UDP headers are. As such, you might as well just look at the packet yourself, as I suggested in my first paragraph; that is, after all, what tcpdump, and Ethereal, and Ksnuffle, and Analyzer, and etherape, and... do with the packets they capture.

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
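The link-layer -> IPv4 -> transport walk that the reply describes, as an added example that is not code from the original post or from libpcap: it is plain C with no libpcap dependency, takes the pointer and caplen you would receive in a pcap_dispatch callback for a DLT_EN10MB (Ethernet) capture, and reports whether the packet is TCP or UDP and where its transport header and payload start. The sample frames are constructed here for illustration, and the handling of one 802.1Q tag, non-first fragments and snaplen truncation is my addition, not something the reply mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the frame turned out to be; values match the IPv4 protocol numbers. */
enum pkt_kind { PKT_OTHER = 0, PKT_TCP = 6, PKT_UDP = 17 };

struct pkt_info {
    enum pkt_kind kind;
    size_t l4_off;      /* byte offset of the TCP/UDP header within the frame */
    size_t payload_off; /* byte offset of the first transport payload byte */
    size_t payload_len; /* payload bytes actually present in the capture */
};

/*
 * Classify one captured Ethernet (DLT_EN10MB) frame of caplen bytes:
 * link layer -> IPv4 header -> protocol field -> TCP/UDP header -> payload.
 * Returns 0 and fills *out for IPv4 TCP/UDP; returns -1 for anything else
 * (non-IP, IPv6, other protocols, non-first fragments, truncated headers).
 */
int classify_frame(const uint8_t *p, size_t caplen, struct pkt_info *out)
{
    size_t ip_off = 14, ip_hl, ip_end, l4_off, l4_hl;
    uint16_t ethertype;

    memset(out, 0, sizeof *out);
    if (caplen < 14) return -1;
    ethertype = (uint16_t)((p[12] << 8) | p[13]);
    if (ethertype == 0x8100) {               /* one 802.1Q tag, real type follows */
        if (caplen < 18) return -1;
        ethertype = (uint16_t)((p[16] << 8) | p[17]);
        ip_off = 18;
    }
    if (ethertype != 0x0800) return -1;      /* not IPv4 (0x86DD would be IPv6) */

    if (caplen < ip_off + 20) return -1;
    if ((p[ip_off] >> 4) != 4) return -1;    /* version nibble */
    ip_hl = (size_t)(p[ip_off] & 0x0f) * 4;  /* IHL covers any IP options */
    if (ip_hl < 20 || caplen < ip_off + ip_hl) return -1;
    ip_end = ip_off + (size_t)((p[ip_off + 2] << 8) | p[ip_off + 3]);
    if (ip_end < ip_off + ip_hl) return -1;  /* bogus total length */
    if (ip_end > caplen) ip_end = caplen;    /* snaplen cut the packet short */
    /* A non-first fragment carries no transport header at all. */
    if ((p[ip_off + 6] & 0x1f) != 0 || p[ip_off + 7] != 0) return -1;

    l4_off = ip_off + ip_hl;
    switch (p[ip_off + 9]) {                 /* IPv4 protocol field */
    case 6:                                  /* TCP: data offset = high nibble of byte 12 */
        if (caplen < l4_off + 20) return -1;
        l4_hl = (size_t)(p[l4_off + 12] >> 4) * 4;
        if (l4_hl < 20) return -1;
        out->kind = PKT_TCP;
        break;
    case 17:                                 /* UDP: fixed 8-byte header */
        l4_hl = 8;
        out->kind = PKT_UDP;
        break;
    default:
        return -1;
    }
    if (l4_off + l4_hl > ip_end) { out->kind = PKT_OTHER; return -1; }
    out->l4_off = l4_off;
    out->payload_off = l4_off + l4_hl;
    out->payload_len = ip_end - out->payload_off;
    return 0;
}

/* One-question wrappers: kind (6/17) or -1, and payload offset/length or -1. */
int frame_kind(const uint8_t *p, size_t n)
{ struct pkt_info i; return classify_frame(p, n, &i) == 0 ? (int)i.kind : -1; }
long frame_payload_off(const uint8_t *p, size_t n)
{ struct pkt_info i; return classify_frame(p, n, &i) == 0 ? (long)i.payload_off : -1; }
long frame_payload_len(const uint8_t *p, size_t n)
{ struct pkt_info i; return classify_frame(p, n, &i) == 0 ? (long)i.payload_len : -1; }

/* Constructed sample frames (not real captures): Ethernet + IPv4 + UDP/TCP/ARP. */
static const uint8_t sample_udp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x20, 0x12,0x34, 0x40,0x00, 0x40,0x11, 0x00,0x00, /* len 32, DF, UDP */
    10,0,0,1, 10,0,0,2,
    0x04,0xd2, 0x00,0x35, 0x00,0x0c, 0x00,0x00,                      /* 1234 -> 53, len 12 */
    'p','i','n','g'
};
static const uint8_t sample_tcp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x2b, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00, /* len 43, TCP */
    10,0,0,1, 10,0,0,2,
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,   /* 40000 -> 80 */
    0x50,0x18, 0x20,0x00, 0x00,0x00, 0x00,0x00,                       /* doff 5, PSH|ACK */
    'G','E','T'
};
static const uint8_t sample_arp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01
};

int main(void)
{
    const uint8_t *frames[] = { sample_udp, sample_tcp, sample_arp };
    size_t lens[] = { sizeof sample_udp, sizeof sample_tcp, sizeof sample_arp };
    for (size_t n = 0; n < 3; n++) {
        struct pkt_info i;
        if (classify_frame(frames[n], lens[n], &i) == 0)
            printf("frame %zu: %s, l4 at %zu, payload at %zu (%zu bytes)\n", n,
                   i.kind == PKT_TCP ? "TCP" : "UDP", i.l4_off, i.payload_off, i.payload_len);
        else
            printf("frame %zu: not IPv4 TCP/UDP\n", n);
    }
    return 0;
}
```

In a real program `classify_frame(bytes, h->caplen, &info)` is what the pcap_dispatch callback would call; the link-layer parsing at the top is specific to DLT_EN10MB, so check pcap_datalink() first and use a different link-layer length for other DLT_ values.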
