SV: [Winpcap-users] how to open the IP packet data

Vidar Evenrud Seeberg vseeberg at netcom.no
Thu Feb 9 17:27:58 GMT 2006


Hello Mario!

I am also quite new to winpcap, but here is some code to extract the
payload:

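You need some structs:

#define ETHER_ADDR_LEN 6        /* Ethernet addresses are 6 bytes */
#define SIZE_ETHERNET 14        /* Ethernet headers are always 14 bytes */

struct ethernet_header {
        u_char  ether_dhost[ETHER_ADDR_LEN];    /* destination host address */
        u_char  ether_shost[ETHER_ADDR_LEN];    /* source host address */
        u_short ether_type;                     /* IP? ARP? RARP? etc */
};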

// 6 byte MAC Address
typedef struct mac_address {
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
    u_char byte5;
    u_char byte6;
}mac_address;


// 4 bytes IP address 
typedef struct ip_address{ 
    u_char byte1; 
    u_char byte2; 
    u_char byte3; 
    u_char byte4; 
}ip_address; 


// 20 bytes IP Header 
typedef struct ip_header{ 
    u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits) 
    u_char tos; // Type of service 
    u_short tlen; // Total length 
    u_short identification; // Identification 
    u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits) 
    u_char ttl; // Time to live 
    u_char proto; // Protocol 
    u_short crc; // Header checksum 
    ip_address saddr; // Source address 
    ip_address daddr; // Destination address 
    // u_int op_pad; // Option + Padding -- NOT NEEDED!
}ip_header; 

//"Simple" struct for TCP
typedef struct tcp_header {
    u_short sport; // Source port
    u_short dport; // Destination port
    u_int seqnum; // Sequence Number
    u_int acknum; // Acknowledgement number
    u_char th_off; // Data offset (high 4 bits, in 32-bit words) + reserved bits
    u_char flags; // packet flags
    u_short win; // Window size
    u_short crc; // Header Checksum
    u_short urgptr; // Urgent pointer...still don't know what this is...
}tcp_header;



In main():
const struct ethernet_header *ethernet;	/* The ethernet header */
const struct ip_header *ip;			/* The IP header */
const struct tcp_header *tcp;			/* The TCP header */
const u_char *payload;				/* Pointer to packet payload */
u_int size_ip;					/* IP header length in bytes */
u_int size_tcp;					/* TCP header length in bytes */

ethernet = (const struct ethernet_header*)(pkt_data);
ip = (const struct ip_header*)(pkt_data + SIZE_ETHERNET);
size_ip = (ip->ver_ihl & 0xf) * 4; //Gets length of IP header with options
if (size_ip < 20) {
	printf("   * Invalid IP header length: %u bytes\n", size_ip);
	return 1;
}
tcp = (const struct tcp_header*)(pkt_data + SIZE_ETHERNET + size_ip); //TCP header
size_tcp = (tcp->th_off >> 4) * 4; //Data offset is the high 4 bits, counted in 32-bit words
if (size_tcp < 20) {
	printf("   * Invalid TCP header length: %u bytes\n", size_tcp);
	return 1;
}
//This is a pointer to the payload
payload = (const u_char *)(pkt_data + SIZE_ETHERNET + size_ip + size_tcp);


Now payload can be treated as a regular pointer to a "string".


Good luck
Vidar
________________________________

From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On behalf of Mario und Martina
Müller
Sent: 9 February 2006 17:46
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] how to open the IP packet data


Hi,
 

In the tutorial for interpreting the packets I can see only the interpretation
of the IP packet without the data part of it.
 
How can I read the data part of the IP packet?
 

thanx for help
 
Mario
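
Added example, not part of the original messages: the same header walk as in the reply, with every length checked against the captured length before it is used, since the header fields come from untrusted network input. It goes beyond the posted code by checking the EtherType, the protocol and fragmentation, and by taking the payload length from the IP total length. The names tcp_payload, build_sample and rd16 are hypothetical, and caplen is assumed to be the caplen field of the pcap_pkthdr passed alongside pkt_data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_ETHERNET 14

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the TCP payload and stores its length in *len; NULL if malformed. */
const uint8_t *tcp_payload(const uint8_t *pkt, size_t caplen, size_t *len)
{
    *len = 0;
    if (caplen < SIZE_ETHERNET + 20) return NULL;    /* room for minimal IP header */
    if (rd16(pkt + 12) != 0x0800) return NULL;       /* EtherType must be IPv4 */
    const uint8_t *ip = pkt + SIZE_ETHERNET;
    size_t size_ip = (size_t)(ip[0] & 0x0f) * 4;     /* IHL, in 32-bit words */
    size_t tlen = rd16(ip + 2);                      /* IP total length */
    if ((ip[0] >> 4) != 4 || size_ip < 20) return NULL;
    if (ip[9] != 6) return NULL;                     /* protocol must be TCP */
    if (rd16(ip + 6) & 0x3fff) return NULL;          /* fragments are not reassembled */
    if (tlen < size_ip + 20 || tlen > caplen - SIZE_ETHERNET) return NULL;
    const uint8_t *tcp = ip + size_ip;
    size_t size_tcp = (size_t)(tcp[12] >> 4) * 4;    /* data offset, high 4 bits */
    if (size_tcp < 20 || size_ip + size_tcp > tlen) return NULL;
    *len = tlen - size_ip - size_tcp;                /* excludes Ethernet padding */
    return tcp + size_tcp;
}

/* Constructed sample: 60-byte frame carrying "hello", then Ethernet padding. */
size_t build_sample(uint8_t *f)
{
    memset(f, 0, 60);
    f[12] = 0x08;                       /* EtherType 0x0800 (IPv4) */
    f[14] = 0x45;                       /* version 4, IHL 5 */
    f[17] = 45;                         /* total length 20 + 20 + 5 */
    f[23] = 6;                          /* protocol TCP */
    f[46] = 0x50;                       /* TCP data offset 5 */
    memcpy(f + 54, "hello", 5);
    return 60;
}

int main(void)
{
    uint8_t f[60];
    size_t n, caplen = build_sample(f);
    const uint8_t *p = tcp_payload(f, caplen, &n);
    if (p) printf("%zu payload bytes: %.*s\n", n, (int)n, (const char *)p);
    return p ? 0 : 1;
}
```

The payload is returned with an explicit length because it is not NUL-terminated, and the sample frame shows why the length cannot be derived from caplen: the last byte of the 60-byte frame is Ethernet padding.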