[Winpcap-users] Question about how to interpertate the pkt_data
Guy Harris
guy at alum.mit.edu
Mon Jan 19 20:06:54 GMT 2009

On Jan 19, 2009, at 7:49 AM, Wu Bo (ST-VS/EAP2.3) wrote:

> Q: If I'm using either UDP or TCP, what bytes are containing these
> information?

As others have explained, that's the wrong protocol layer. You need
to know what protocol is running *on top of* UDP or TCP, such as FTP,
HTTP, SMB, AFP, Telnet, etc.

> 5) I'm currently using whether 100Mb and 1000Mb ethernet. If I called
> pcap_datalink(), does this function return DLT_EN10MB?

Yes. DLT_EN10MB was given its name about 20 years ago; the original
developers of BPF seem to have picked ARP hardware address type values
as DLT_ values, and, as ARP was developed over 25 years ago, they
decided to assign one hardware type to the 10 megabit/second Ethernet
being used at the time and another one for the Xerox 3 megabit/second
experimental Ethernet that was the predecessor to the 10 Mb/s
Ethernet. The DLT_ values were thus given the names DLT_EN10MB and
DLT_EN3MB to distinguish between the two different types of Ethernet.
That distinction was important because 3 megabit Ethernet had, as far
as I know, a different packet format, including a different address
format.

All subsequent versions of Ethernet have the same header format, so
the same ARP hardware type is used for all of them, and the same DLT_
value, DLT_EN10MB, is used for all of them, regardless of the speed.
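
Added example, not part of the original message: a bounds-checked walk from a DLT_EN10MB frame down to the first byte of the application protocol that runs on top of UDP or TCP. The function name `app_payload_offset` and the sample frame are constructed for illustration, and `DLT_EN10MB` is defined locally so the block compiles without the pcap headers; in a real capture, pass the result of `pcap_datalink()` and the header's `caplen`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DLT_EN10MB 1  /* value used by pcap; the same for 10/100/1000 Mb/s Ethernet */

/* Constructed sample: Ethernet + IPv4 + UDP carrying the 4 bytes "ping". */
static const uint8_t sample_udp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x30,0x39,0x00,0x07, 0x00,0x0c,0x00,0x00,
    'p','i','n','g'
};

/* Returns the offset of the application payload in pkt_data, or -1 if the
 * frame is not Ethernet/IPv4/{TCP,UDP}, is a later fragment, or is truncated. */
long app_payload_offset(int linktype, const uint8_t *pkt, size_t caplen, int *l4)
{
    size_t off = 14;                          /* dst MAC, src MAC, EtherType */
    if (linktype != DLT_EN10MB || caplen < off) return -1;
    unsigned etype = (pkt[12] << 8) | pkt[13];
    if (etype == 0x8100) {                    /* one 802.1Q VLAN tag */
        if (caplen < off + 4) return -1;
        etype = (pkt[16] << 8) | pkt[17];
        off += 4;
    }
    if (etype != 0x0800 || caplen < off + 20) return -1;    /* IPv4 only */
    size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;             /* header length */
    if ((pkt[off] >> 4) != 4 || ihl < 20 || caplen < off + ihl) return -1;
    *l4 = pkt[off + 9];                       /* IPv4 protocol: 6 TCP, 17 UDP */
    if ((((pkt[off + 6] & 0x1f) << 8) | pkt[off + 7]) != 0) return -1;
    off += ihl;
    if (*l4 == 17)                            /* UDP: fixed 8-byte header */
        return caplen >= off + 8 ? (long)(off + 8) : -1;
    if (*l4 != 6 || caplen < off + 20) return -1;
    size_t thl = (size_t)(pkt[off + 12] >> 4) * 4;          /* TCP data offset */
    return (thl >= 20 && caplen >= off + thl) ? (long)(off + thl) : -1;
}

int main(void)
{
    int l4 = 0;
    long off = app_payload_offset(DLT_EN10MB, sample_udp, sizeof sample_udp, &l4);
    printf("proto %d, payload at offset %ld\n", l4, off);
    return 0;
}
```

Everything from the returned offset to `caplen` belongs to the protocol above UDP or TCP, and has to be decoded according to that protocol.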