On Sat, Jan 19, 2002 at 10:24:19AM +0800, ¬�鴺 wrote:
> Dear tcpdump-workers:
> in the pcap_loop(pObject->fp, 0, dispatcher_handler, (PUCHAR)pParam);
> we need to deal with the dispatcher_handler routine, as
> void dispatcher_handler(u_char *pParam,const struct pcap_pkthdr *header,
>     const u_char *pkt_data)
> There are three arguments in it, I'm puzzled by these arguments and want
> to know the explicit meaning.
> Is header->caplen the length of pkt_data ?

Yes.

The mechanisms in many operating systems that allow packets to be captured allow a "snapshot length" to be set. The "snapshot length" is in units of bytes; no more than that many bytes will be copied from the OS kernel to the user-mode code using that capture mechanism. If not all of the data in the packet is needed - for example, if you're just trying to watch the behavior of TCP - a smaller snapshot length reduces the amount of CPU time spent copying data, and may reduce the chances that packets will be dropped.

"header->caplen" is the number of bytes of packet data copied to user mode, and is thus the number of bytes of packet data libpcap can provide to the application using it.

"header->len" is the actual length of the packet as it arrived (or was transmitted); it may be larger than "header->caplen" - if it is, only "header->caplen" bytes are available.

> Is pkt_data a ip packet of a ethernet data?

"pkt_data" is the raw data from the packet capture mechanism. If you're capturing on an Ethernet device, it will be an Ethernet packet, so the first 14 bytes of "pkt_data" will be an Ethernet header. If the packet is an IPv4 packet - i.e., if the last 2 bytes, treated as a big-endian number, are hex 800 - then the bytes after the Ethernet header are an IPv4 packet, starting with an IPv4 header.

There are other types of networking devices; the drivers for some of them may well supply IP packets to the packet capture mechanism, with no link-layer header. The type of device can be determined by calling "pcap_datalink()" on the "pcap_t *" returned by "pcap_open_live()" (or "pcap_open_offline()"); DLT_EN10MB is the value for Ethernet devices.

> what relation is there between header and pkt_data?

"header" points to a structure giving information about the packet whose data is pointed to by "pkt_data".

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
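
The bounds rule described in the reply above, as an added example that is not part of the original message: every offset into "pkt_data" is checked against the captured length, never the wire length. The names `locate_ipv4`, `check_sample`, the `EX_` constants and the sample frame are assumptions constructed for illustration; libpcap is not included so the block builds on its own.

```c
#include <stddef.h>
#include <stdint.h>

#define EX_DLT_EN10MB  1       /* same value as libpcap's DLT_EN10MB */
#define EX_ETH_HDR_LEN 14
#define EX_ETH_P_IPV4  0x0800

enum frame_result { FRAME_IPV4, FRAME_NOT_IPV4, FRAME_TRUNCATED,
                    FRAME_MALFORMED, FRAME_UNSUPPORTED_LINK };

/* caplen and len stand for header->caplen and header->len; linktype is
 * what pcap_datalink() returned. Every bound is checked against caplen:
 * len is the on-the-wire length and may exceed the bytes in pkt_data. */
enum frame_result locate_ipv4(int linktype, const unsigned char *pkt_data,
                              uint32_t caplen, uint32_t len,
                              const unsigned char **ip, uint32_t *ip_avail)
{
    (void)len;                                  /* informational only */
    if (linktype != EX_DLT_EN10MB)
        return FRAME_UNSUPPORTED_LINK;          /* no Ethernet header to skip */
    if (caplen < EX_ETH_HDR_LEN)
        return FRAME_TRUNCATED;
    /* type field: last 2 bytes of the 14-byte header, big-endian */
    uint16_t type = (uint16_t)((pkt_data[12] << 8) | pkt_data[13]);
    if (type != EX_ETH_P_IPV4)
        return FRAME_NOT_IPV4;
    uint32_t avail = caplen - EX_ETH_HDR_LEN;
    if (avail < 20)
        return FRAME_TRUNCATED;                 /* minimum IPv4 header not captured */
    const unsigned char *h = pkt_data + EX_ETH_HDR_LEN;
    uint32_t ihl = (uint32_t)(h[0] & 0x0f) * 4; /* header length in bytes */
    if ((h[0] >> 4) != 4 || ihl < 20)
        return FRAME_MALFORMED;
    if (ihl > avail)
        return FRAME_TRUNCATED;                 /* options cut off by snaplen */
    *ip = h;
    *ip_avail = avail;
    return FRAME_IPV4;
}

/* Constructed sample: 14-byte Ethernet header + 20-byte IPv4 header. */
static const unsigned char sample[34] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0,0,0x28, 0,1,0,0, 64,6,0,0, 192,0,2,1, 192,0,2,2 };

/* Hypothetical helper: parse the sample as if only caplen bytes were
 * captured of a 54-byte packet (len > caplen, as with a small snaplen). */
enum frame_result check_sample(int linktype, uint32_t caplen)
{
    const unsigned char *ip = NULL;
    uint32_t avail = 0;
    return locate_ipv4(linktype, sample, caplen, 54, &ip, &avail);
}
```

In a real callback the same checks would run on the "header" and "pkt_data" arguments passed to the handler.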
