[Winpcap-users] Some (stupid ?) questions from a newbie

Guy Harris guy at alum.mit.edu
Thu Sep 8 20:31:38 GMT 2005


On Sep 8, 2005, at 2:17 AM, Xavier Mataillet wrote:

> Here, I'm speaking of the pkt_data parameter of the packet_handler function,
> not the pkt_header. If I'm correct, the structure of the ethernet packet
> pkt_data points to is as follows:
>
> - Source MAC address (6 bytes).
> - Destination MAC address (6 bytes).
> - ??? (2 bytes).
> - Source IP & Destination IP (variable size; typically about 20 bytes.)

No, that's the IP header, which contains more than just addresses; it  
also contains, for example, an indication of the protocol running  
atop IP, e.g. TCP or UDP, as the other reply said.

See, for example:

	http://www.protocols.com/pbook/tcpip2.htm#IP

> Then comes the UDP structure :
> - Source port (2 bytes).
> - Destination port (2 bytes).
> - Datagram length (2 bytes).
> - Checksum (2 bytes).
>
> 1) Is this correct ?

For the UDP structure, yes.

> 2) What is "???" (not a really important question but I'm curious to know
> why the MAC addresses take 14 bytes rather than 12.)

They don't - as the other reply said, those 2 bytes are the type/length
field.  See, for example:

	http://wiki.ethereal.com/Ethernet

> 3) Are there other info about the packet after the Checksum ? If not, after
> the checksum, begins the "truly raw" packet data, right ?

After the UDP checksum comes the UDP payload, which is, from the  
point of view of UDP (and protocols running below UDP, such as IPv4  
or IPv6 and the link-layer protocol), raw data.  (From the point of  
view of the protocol running *above* UDP, it's not raw, of course.)

> 4) What exactly is the "datagram length" ? It's generally totally different
> from the "packet length" given by the packet header.

Which packet length?

There's a packet length you get from libpcap/WinPcap, which is the  
length the packet had on the link-layer network; that length includes  
the link-layer header (and trailer, if there is one) and whatever  
other headers exist between that and the IP header (e.g., 802.2 LLC,  
if present), the IP header, and, for UDP packets, the UDP header.

There's also a "captured packet length" from libpcap/WinPcap, which  
is the amount of that packet that was supplied to libpcap/WinPcap;  
this might be less than the packet length, if a snapshot length less  
than the packet length was specified to pcap_open() or pcap_open_live().

There's also a packet length in the IP header, which doesn't include  
the link-layer header and headers between it and the IP header, and  
doesn't include the link-layer trailer.  It might be less than the  
packet length minus the link-layer header and other header length, if  
there's a trailer, as there might be on Ethernet, for example.

The datagram length in UDP *should* be the same as the IP header's  
packet length minus the length of the IP header; I'm not sure why UDP  
has a datagram length (TCP doesn't have a segment data length, as  
that can be derived from the IP total length and header length).

> 5) How exactly do packet_loop and the packet_handler functions operate ? They
> capture the packets *before* they are sent to the ethernet card, right (I
> mean, the outgoing ones, of course) ?

Right.

> So, if I modify the packet in the packet_handler function, it's a modified
> packet that will be sent to the remote computer ?

Wrong.  A *copy* is given to libpcap/WinPcap; if you modify that  
copy, that will have no effect whatsoever on the packet sent to the  
remote computer.
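
The layout and the four different "lengths" discussed in this thread, as an added example (not part of the original post and not WinPcap code): a C parser that walks an Ethernet II / IPv4 / UDP frame the way a pcap callback would see it and reconciles the libpcap/WinPcap captured length, the on-the-wire length, the IPv4 total length and the UDP datagram length. It goes slightly beyond the question by also handling an 802.1Q VLAN tag between the MAC addresses and the IP header. Assumptions: `struct cap_hdr` is a stand-in for the `caplen`/`len` fields of libpcap's `struct pcap_pkthdr` so the file compiles without pcap.h; the sample frame is constructed by hand (IP and UDP checksums left zero, which a real stack would fill in); and, following the Ethernet II spec rather than the order in the quoted question, the destination MAC precedes the source MAC.

```c
/* Added example: reconcile pcap caplen/len with the IPv4 and UDP length fields.
 * Not WinPcap code. Bounds are checked against caplen only, because only that
 * many bytes are actually in the buffer the callback receives. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the two length fields of struct pcap_pkthdr (assumption). */
struct cap_hdr {
    uint32_t caplen;   /* bytes handed to the callback (limited by snaplen) */
    uint32_t len;      /* bytes the frame had on the link layer */
};

enum { ETH_HLEN = 14, ETHERTYPE_IPV4 = 0x0800, ETHERTYPE_VLAN = 0x8100, PROTO_UDP = 17 };

struct udp_info {
    int ok;                     /* 1 if parsed cleanly as Ethernet/IPv4/UDP */
    int truncated;              /* caplen < len: snapshot length cut the packet */
    uint16_t ethertype;
    uint8_t  ip_proto;
    uint8_t  ip_hdr_len;        /* IHL * 4 */
    uint16_t ip_total_len;      /* IPv4 "total length" field */
    uint16_t udp_len;           /* UDP "length" field (header + payload) */
    int      udp_len_consistent;/* udp_len == ip_total_len - ip_hdr_len */
    uint16_t src_port, dst_port;
    uint32_t trailer_len;       /* link-layer bytes after the IP datagram (padding) */
    const uint8_t *payload;     /* raw data from UDP's point of view */
    size_t payload_len;
    const char *error;          /* NULL when ok */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

struct udp_info parse_eth_ipv4_udp(const struct cap_hdr *h, const uint8_t *pkt)
{
    struct udp_info r;
    size_t n = h->caplen, off = 12, ip_payload;
    const uint8_t *ip, *udp;
    memset(&r, 0, sizeof r);
    r.truncated = h->caplen < h->len;

    if (n < ETH_HLEN) { r.error = "short Ethernet header"; return r; }
    r.ethertype = be16(pkt + off); off += 2;          /* the 2 "???" bytes */
    if (r.ethertype == ETHERTYPE_VLAN) {             /* 802.1Q: TCI, then real type */
        if (n < off + 4) { r.error = "short VLAN tag"; return r; }
        off += 2; r.ethertype = be16(pkt + off); off += 2;
    }
    if (r.ethertype != ETHERTYPE_IPV4) { r.error = "not IPv4"; return r; }

    if (n < off + 20) { r.error = "short IPv4 header"; return r; }
    ip = pkt + off;
    if ((ip[0] >> 4) != 4) { r.error = "IP version is not 4"; return r; }
    r.ip_hdr_len = (uint8_t)((ip[0] & 0x0f) * 4);
    r.ip_total_len = be16(ip + 2);
    r.ip_proto = ip[9];
    if (r.ip_hdr_len < 20 || r.ip_total_len < r.ip_hdr_len) { r.error = "bad IPv4 lengths"; return r; }
    /* A total length larger than what was captured means the snaplen bit us. */
    if (n < off + r.ip_total_len) { r.error = "IPv4 total length exceeds captured bytes"; return r; }
    /* Whatever the wire carried past the IP datagram is trailer/padding. */
    r.trailer_len = h->len > off + r.ip_total_len ? (uint32_t)(h->len - off - r.ip_total_len) : 0;
    if (r.ip_proto != PROTO_UDP) { r.error = "not UDP"; return r; }

    udp = ip + r.ip_hdr_len;
    ip_payload = (size_t)r.ip_total_len - r.ip_hdr_len;
    if (ip_payload < 8) { r.error = "short UDP header"; return r; }
    r.src_port = be16(udp);
    r.dst_port = be16(udp + 2);
    r.udp_len  = be16(udp + 4);
    r.udp_len_consistent = (r.udp_len == ip_payload);
    if (r.udp_len < 8 || r.udp_len > ip_payload) { r.error = "UDP length inconsistent with IP"; return r; }
    r.payload = udp + 8;
    r.payload_len = r.udp_len - 8;
    r.ok = 1;
    return r;
}

/* Constructed sample: a 1-byte UDP datagram, padded by Ethernet to 60 bytes. */
static const uint8_t SAMPLE_FRAME[60] = {
    /* Ethernet II: dst MAC, src MAC, type 0x0800 (IPv4) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL, TOS, total len 29, id 1, flags/frag 0, TTL 64, proto 17,
     * checksum 0 (not computed in this sample), 10.0.0.1 -> 10.0.0.2 */
    0x45,0x00,0x00,0x1d, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* UDP: sport 1234, dport 53, length 9, checksum 0 */
    0x04,0xd2, 0x00,0x35, 0x00,0x09, 0x00,0x00,
    /* payload */
    0x41
    /* remaining 17 bytes are zero: minimum-frame padding, i.e. the trailer */
};

int main(void)
{
    struct cap_hdr full = { 60, 60 }, cut = { 40, 60 };   /* cut: snaplen of 40 */
    struct udp_info a = parse_eth_ipv4_udp(&full, SAMPLE_FRAME);
    struct udp_info b = parse_eth_ipv4_udp(&cut, SAMPLE_FRAME);
    printf("wire len %u, IP total %u, IP hdr %u, UDP len %u, payload %zu, trailer %u\n",
           full.len, a.ip_total_len, a.ip_hdr_len, a.udp_len, a.payload_len, a.trailer_len);
    printf("snaplen 40: ok=%d truncated=%d (%s)\n", b.ok, b.truncated, b.error);
    return a.ok ? 0 : 1;
}
```

Run against the sample frame the parser reports a wire length of 60, an IPv4 total length of 29 (20-byte header plus 9-byte UDP datagram), a UDP length of 9 and 17 bytes of trailer; with a snapshot length of 40 the same frame is flagged truncated and the IP total length no longer fits in the captured bytes, which is the case that turns sloppy `len`-based indexing into an out-of-bounds read.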

