[Winpcap-users] Retrieve packets using pcap_next_ex
Gianluca Varenni
gianluca.varenni at cacetech.com
Wed Jan 30 18:49:33 GMT 2008
You forgot to set the capture filter with pcap_compile/pcap_setfilter to UDP packets, so you are capturing packets which are not UDP (or not even IP) and then decoding them as UDP.
Have a nice day
GV
----- Original Message -----
From: Ziara .
To: winpcap
Sent: Wednesday, January 30, 2008 5:13 AM
Subject: [Winpcap-users] Retrieve packets using pcap_next_ex
I'm trying to retrieve UDP packets with pcap_next_ex, but I compared the results with this example in the manual using pcap_loop
http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut6.html
and I think something is wrong, because pcap_next_ex gives me incoherent ports and some IPs. What's happening? Thanks
#include "pcap.h"   // WinPcap header, as in the referenced tutorial

// 4 bytes IP address
typedef struct ip_address{
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
}ip_address;

// 20 bytes IP Header
typedef struct ip_header{
    u_char  ver_ihl;        // Version (4 bits) + Internet header length (4 bits)
    u_char  tos;            // Type of service
    u_short tlen;           // Total length
    u_short identification; // Identification
    u_short flags_fo;       // Flags (3 bits) + Fragment offset (13 bits)
    u_char  ttl;            // Time to live
    u_char  proto;          // Protocol
    u_short crc;            // Header checksum
    ip_address saddr;       // Source address
    ip_address daddr;       // Destination address
    u_int   op_pad;         // Option + Padding -- NOT NEEDED!
}ip_header;

typedef struct udp_header{
    u_short sport;          // Source port
    u_short dport;          // Destination port
    u_short len;            // Datagram length
    u_short crc;            // Checksum
}udp_header;

int main()
{
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int inum;
    int i=0;
    pcap_t *adhandle;
    int res;
    char errbuf[PCAP_ERRBUF_SIZE];
    struct tm *ltime;
    char timestr[16];
    struct pcap_pkthdr *header;
    const u_char *pkt_data;
    time_t local_tv_sec;

    /* Retrieve the device list on the local machine */
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* Print the list */
    for(d=alldevs; d; d=d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    if(i==0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;
    }

    printf("Enter the interface number (1-%d):",i);
    scanf("%d", &inum);

    if(inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Jump to the selected adapter */
    for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);

    /* Open the device */
    if ( (adhandle= pcap_open(d->name,  // name of the device
                              65536,    // portion of the packet to capture.
                                        // 65536 guarantees that the whole packet will be captured on all the link layers
                              PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode
                              1000,     // read timeout
                              NULL,     // authentication on the remote machine
                              errbuf    // error buffer
                              ) ) == NULL)
    {
        fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return -1;
    }

    printf("\nlistening on %s...\n", d->description);

    /* At this point, we don't need any more the device list. Free it */
    pcap_freealldevs(alldevs);

    ip_header *ip; // IP header
    udp_header *udp;
    u_int ip_len;
    u_short sport,dport;

    while((res=pcap_next_ex( adhandle, &header, &pkt_data))>=0)
    {
        if(res == 0)
            // Timeout elapsed
            continue;

        ip = (ip_header*)(pkt_data + 14);
        ip_len = (ip->ver_ihl & 0xf) * 4; // Length of the IP header
        udp = (udp_header *)((u_char *)ip + ip_len);
        sport = ntohs( udp->sport );
        dport = ntohs( udp->dport );

        printf("Dir Sourc: %d.%d.%d.%d\n", ip->saddr.byte1,ip->saddr.byte2,ip->saddr.byte3,ip->saddr.byte4);
        printf("Dir Dest: %d.%d.%d.%d\n", ip->daddr.byte1,ip->daddr.byte2,ip->daddr.byte3,ip->daddr.byte4);
        printf("Port Sourc: %d\n", sport);
        printf("Port Dest: %d\n", dport);
    }

    if(res == -1){
        printf("Error reading the packets: %s\n", pcap_geterr(adhandle));
        return -1;
    }

    return 0;
}
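
Added example (not part of the original thread and not WinPcap code): independently of the filter set with pcap_compile/pcap_setfilter, the decoder can check every layer before reading ports, so a non-IP or non-UDP frame is rejected instead of being decoded as UDP. The function name decode_udp, the error codes and both sample frames are constructed for illustration; like the posted code, it assumes an Ethernet link layer (14-byte header).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { UDP_OK = 0, ERR_SHORT = -1, ERR_NOT_IPV4 = -2, ERR_BAD_IHL = -3,
       ERR_NOT_UDP = -4, ERR_FRAGMENT = -5 };

/* Constructed sample frames (not captured traffic). */
static const uint8_t UDP_FRAME[42] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,  /* EtherType IPv4 */
    0x45,0,0,28, 0,1,0,0, 64,17,0,0, 192,168,1,10, 192,168,1,1,
    0xd4,0x31, 0x00,0x35, 0,8, 0,0 };                 /* UDP 54321 -> 53 */
static const uint8_t ARP_FRAME[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x06, /* ARP */
    0,1, 0x08,0x00, 6,4, 0,1, 0x02,0,0,0,0,0x01, 192,168,1,10,
    0,0,0,0,0,0, 192,168,1,1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Read the UDP ports only after each layer has been validated.
   caplen is header->caplen as filled in by pcap_next_ex. */
int decode_udp(const uint8_t *pkt, size_t caplen, uint16_t *sport, uint16_t *dport)
{
    if (caplen < 14 + 20) return ERR_SHORT;            /* Ethernet + minimal IPv4 */
    if (be16(pkt + 12) != 0x0800) return ERR_NOT_IPV4; /* ARP, IPv6, ... */
    const uint8_t *ip = pkt + 14;
    if ((ip[0] >> 4) != 4) return ERR_NOT_IPV4;        /* IP version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;           /* header length in bytes */
    if (ihl < 20) return ERR_BAD_IHL;
    if (ip[9] != 17) return ERR_NOT_UDP;               /* protocol: 17 = UDP */
    if (be16(ip + 6) & 0x1fff) return ERR_FRAGMENT;    /* later fragment: no UDP header */
    if (caplen < 14 + ihl + 8) return ERR_SHORT;       /* UDP header must be captured */
    *sport = be16(ip + ihl);
    *dport = be16(ip + ihl + 2);
    return UDP_OK;
}

int main(void)
{
    uint16_t s = 0, d = 0;
    int rc = decode_udp(UDP_FRAME, sizeof UDP_FRAME, &s, &d);
    printf("UDP frame: rc=%d, ports %u -> %u\n", rc, (unsigned)s, (unsigned)d);
    /* The unchecked decoding in the post would report ports 1 and 2048 here. */
    rc = decode_udp(ARP_FRAME, sizeof ARP_FRAME, &s, &d);
    printf("ARP frame: rc=%d (rejected)\n", rc);
    return 0;
}
```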