Same IP Addresses while capturing Packets under Linux (C Program) - c

I am receiving network packets by writing a code in c. So far I am receiving packets correctly but the only problem I'm facing is that I'm having same IP addresses for Ethernet, TCP and UDP. i'm not having any trouble while receiving via tcpdump.
Ethernet source of my system is: b0:10:41:fc:d7:2f
And IP address of my interface is: 192.168.10.145
These are received packets:
162 >>> Received packet with 66 bytes: Ethernet src:
b0:10:41:fc:d7:2f dst: b0:10:41:fc:d7:2f type: 0x800 IP version: 4
ihl: 5 ttl: 64 protocol: 6 src: 192.168.10.145 dst 192.168.10.145 TCP
src: 46888 dst: 80 seq: 3048209837 win: 4508 ACK 000000: b728 0050
b5af fdad 0e1d 21a1 8010 119c .(.P......!..... 0x0010: e258 0000
0101 080a 5a05 1f81 0595 4669
163 >>> Received packet with 66 bytes: Ethernet src:
b0:10:41:fc:d7:2f dst: b0:10:41:fc:d7:2f type: 0x800 IP version: 4
ihl: 5 ttl: 64 protocol: 6 src: 192.168.10.145 dst 192.168.10.145 TCP
src: 38836 dst: 443 seq: 1969857171 win: 341 ACK 000000: 97b4 01bb
7569 a293 0473 15bc 8010 0155 ....ui...s.....U 0x0010: 11f1 0000
0101 080a 4011 29b5 45f5 c4da
164 >>> Received packet with 1024 bytes: Ethernet src:
0:1a:a0:3f:d6:fc dst: 0:1a:a0:3f:d6:fc type: 0x800 IP version: 4 ihl:
5 ttl: 64 protocol: 6 src: 110.93.233.24 dst 110.93.233.24 TCP src:
80 dst: 46888 seq: 236790177 win: 595 ACK 000000: 0050 b728 0e1d
21a1 b5af fdad 8010 0253 .P.(..!........S 0x0010: 6e5f 0000 0101
080a 0595 46a1 5a05 199a n_........F.Z... 0x0020: f107 eb73 1b82
1492 c88f e84c 101a 9416 ...s.......L.... 0x0030: 9a27 900f 2020
1985 836f 79d5 8a26 15fa .'.. ...oy..&..
And this is my code:
layer2: {
struct ethhdr *eth = (struct ethhdr*) data;
printf("\tEthernet src: %s dst: %s type: %#04x\n",
ether_ntoa((const struct ether_addr*) eth->h_source),
ether_ntoa((const struct ether_addr*) eth->h_dest),
ntohs(eth->h_proto)
);
protocol = ntohs(eth->h_proto);
next_hdr = (char *) (eth + 1);}
layer3: switch (protocol) {
case ETH_P_IP: {
/* Parse IP protocol */
struct iphdr *ip = (struct iphdr*) next_hdr;
char buf[32];
printf("\tIP version: %u ihl: %u ttl: %u protocol: %u src: %s dst %s\n",
ip->version,
ip->ihl,
ip->ttl,
ip->protocol,
inet_ntop(AF_INET, &ip->saddr, buf, sizeof(buf)),
inet_ntop(AF_INET, &ip->daddr, buf, sizeof(buf))
);
What am I doing wrong ?

You're using the same buf to hold both IP addresses:
inet_ntop(AF_INET, &ip->saddr, buf, sizeof(buf)),
inet_ntop(AF_INET, &ip->daddr, buf, sizeof(buf))
Because you're using the same buffer, and both calls to inet_ntop() are done before the call to printf(), the last call to inet_ntop() will overwrite the results from the first call.

If following the first Advise, wouldn't work. Maybe you need a Buffer for Ethernet too ?
E.g.
struct ethhdr *eth = (struct ethhdr *)Buffer;
and get the Data with
eth->h_dest[0] , eth->h_dest[1] , eth->h_dest[2] , eth->h_dest[3] , eth->h_dest[4] , >eth->h_dest[5]
?

Related

Sending don't fragment UDP packets at the server and receiving fragmented packets at the client

I've created a program in C that sends data with UDP packets.
Socket is made don't fragment using
int optval = IP_PMTUDISC_DO;
if(setsockopt(sd,IPPROTO_IP,IP_MTU_DISCOVER,&optval,sizeof(int))!=0)
{
perror("setsocketopt()");
return 0;
}
Checking with TSHARK at the server (debian 8 KVM virtualizied), for all packets don't fragment has been set:
But at the client, large packets receiving fragmented!!
Then I figured something more wired. The IPv4 ID field has been set to 0!
I thought it might be because of the don't fragment effect (because no packet is going to be fragmented).
Then I started Openvpn program and sniffed its packets at the server but the packets had IPv4 ID != 0 while don't fragment was set.
Do you guys have any idea that why is this happening to me?!
Edit: Here is another sample of a large packet at server copy and pasted from tshark result.
Frame 1049: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits) on interface 0
Ethernet II, Src: server_mac, Dst: gateway_mac
Internet Protocol Version 4, Src: server_ip, Dst: client_ip
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 1500
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xa52d [validation disabled]
[Good: False]
[Bad: False]
Source: server_ip
Destination: client_ip
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 7554 (7554), Dst Port: 45376 (45376)
Data (1472 bytes)
Like you see, don't fragment has been set, while all packets larger than PMTU are receiving fragmented to client side.
This is a packet trace example of openvpn on the same server. like you see it at least has IPv4 ID calculated!
Frame 3749: 1455 bytes on wire (11640 bits), 1455 bytes captured (11640 bits) on interface 0
Ethernet II, Src: SERVER_MAC, Dst: GATEWAY_MAC
Internet Protocol Version 4, Src: SERVER_IP, Dst: CLIENT_IP
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 1441
Identification: 0xcc96 (52374)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xe252 [validation disabled]
[Good: False]
[Bad: False]
Source: SERVER_IP
Destination: CLIENT_IP
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 19234 (19234), Dst Port: 46921 (46921)
Data (1413 bytes)

Why can't I capture raw packet even though tcpdump can?

I'm trying to capture port-mirroring packets using raw socket (skipped error checking to show only main code):
int sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
int size = recvfrom(sock, buf, 65536, 0, &saddr, &saddr_size);
struct iphdr* iph = (struct iphdr*)(buf + sizeof(struct ethhdr));
if (iph->protocol != 6 || iph->saddr != inet_addr("192.168.12.48")) return;
printf("got it\n");
Although tcpdump can capture the packets, my program can't. Here's a dump of a packet:
22:19:42.140498 IP (tos 0x0, ttl 54, id 42987, offset 0, flags [DF], proto TCP (6), length 52)
192.168.12.48.33011 > 172.16.103.12.57102: Flags [.], cksum 0xf4ef (correct), ack 7, win 186, options [nop,nop,TS val 1950796524 ecr 3768292988], length 0
0x0000: 4500 0034 a7eb 4000 3606 bce3 c0a8 0c30 E..4..#.6......0
0x0010: ac10 670c 80f3 df0e 983d f043 d1c7 3087 ..g......=.C..0.
0x0020: 8010 00ba f4ef 0000 0101 080a 7446 caec ............tF..
0x0030: e09b 967c ...|
I'm using CentOS 6.5 kernel 2.6.32-431.29.2.el6.x86_64. I already disabled firewall and set rp_filter to 0. Does anyone know how to capture such packets in C?

Why does my pc send more than 1514 byte packet in one go

I wrote a program to send 1460 byte data using TCP client and server continuously. My system interface MTU is 1500.
Here is my program of client
if((sockfd = socket(AF_INET, SOCK_STREAM, 0))< 0)
{
printf("\n Error : Could not create socket \n");
return 1;
}
setsockopt(sockfd,SOL_TCP,TCP_NODELAY,&one,sizeof(one));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(9998);
serv_addr.sin_addr.s_addr = inet_addr("10.10.12.1");
if(connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0)
{
printf("\n Error : Connect Failed \n");
return 1;
}
while(1)
{
write(sockfd, send_buff, 1448) ;
}
In wireshark initial 15 to 30 packets are showing that 1514 byte of packet is going but afterwards showing as below
wireshark output of some packet
No. Time Source Destination Protocol Length Info
16 0.000000 10.10.12.2 10.10.12.1 TCP 5858 53649 > distinct32 [ACK] Seq=3086892290 Ack=250285353 Win=14608 Len=5792 TSval=23114307 TSecr=23833274
Frame 16: 5858 bytes on wire (46864 bits), 5858 bytes captured (46864 bits)
Ethernet II, Src: 6c:3b:e5:14:9a:a2 (6c:3b:e5:14:9a:a2), Dst: Ibm_b5:86:85 (00:1a:64:b5:86:85)
Internet Protocol Version 4, Src: 10.10.12.2 (10.10.12.2), Dst: 10.10.12.1 (10.10.12.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 5844
Identification: 0x8480 (33920)
Flags: 0x00
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xb38d [correct]
Source: 10.10.12.2 (10.10.12.2)
Destination: 10.10.12.1 (10.10.12.1)
Transmission Control Protocol, Src Port: 53649 (53649), Dst Port: distinct32 (9998), Seq: 3086892290, Ack: 250285353, Len: 5792
Source port: 53649 (53649)
Destination port: distinct32 (9998)
[Stream index: 0]
Sequence number: 3086892290
[Next sequence number: 3086898082]
Acknowledgement number: 250285353
Header length: 32 bytes
Flags: 0x010 (ACK)
Window size value: 913
[Calculated window size: 14608]
[Window size scaling factor: 16]
Checksum: 0x42dd [validation disabled]
Options: (12 bytes)
No-Operation (NOP)
No-Operation (NOP)
Timestamps: TSval 23114307, TSecr 23833274
Data (5792 bytes)
On wireshark it is showing that more than 5792, 7000, 65535 byte of packet are going.
But i am sending 1514 byte of packet in one go. on other side i am receiving 1514 byte of packets only due to network mtu.
So my question is
why this much of huge packets are going ?
I tried without NODELAY option also but it is not working.
Is there any solution to send particular packet size (such as 1514 byte) can be send, no jumbo frames ?
I update my tcp_rmem and tcp_wmem also for tcp sending buffer and receiving buffer also. But did not found any solution.
TCP, by design, bundles up multiple write() calls into larger packets. Also, TCP coalesces packets by default according to Nagle's Algorithm.
If you want more control over the actual size of network packets, use UDP.
These are "jumbo frames", and they're faster than traditional frame sizes because they don't load up a CPU as much.
Consider yourself fortunate that you're getting them without futzing around with your IP stack's settings.
I searched a lot and found that, we need to change some parameter on interface.
On my interface eth0 default option are
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off
now using ethtool we need to off some sending side segementation offload.
For that
sudo ethtool -K eth0 tso off gso off
using this
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off
After this your interface will send packets whatever you want to send.

raw socket send two packets on a virtual Network

I've a problem with my sendto function in my code, when I try to send a raw ethernet packet.
I use a Ubuntu 12.04.01 LTS, with two tap devices connected over two vde_switches and a dpipe
Example:
my send programm create the packet like below, the programm is binded by the socket from tap0 and send the packet to tap1. On tap1 one receiver wait for all packets on socket.
My raw ethernet packet looks so:
destination Addr ____source Addr _________ type/length ___data
00:00:01:00:00:00___00:00:01:00:00:01____ length in Byte__some data
Example packet to send:
00:00:01:00:00:00 00:00:01:00:00:01 (length in byte) (Message)test
but my programm generate two packets, when I look in wireshark:
first packet is an IPX packet and [Malformed Packet] and looks like in hex (data = test)
00 04 00 01 00 06 00 00 01 00 00 01 00 00 00 01 74 65 73 74 00
Linux cooked capture
Packet type: sent by us (4)
Link-layer address type: 1
Link-layer address length: 6
Source: 00:00:01:00:00:01
Protocol: Raw 802.3 (0x0001)
[Malformed Packet: IPX]
second packet unknown protocol
00 00 00 01 00 06 00 00 01 00 00 01 00 00 31 00 74 65 73 74 00
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: 00:00:01:00:00:01
Protocol: Unknown (0x3100)
Data
Data: 7465737400
[Length: 5]
outcut from my source code
sock_desc = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
/*struct for sending*/
sock_addr.sll_family = AF_PACKET;
sock_addr.sll_protocol = htons(ETH_P_802_3);
sock_addr.sll_ifindex = if_nametoindex(argv[1]);
sock_addr.sll_hatype = ARPHRD_ETHER; //Ethernet 10Mbps
sock_addr.sll_pkttype = PACKET_HOST; // Paket zu irgendjemand
sock_addr.sll_halen = ETH_ALEN; //6 Oktets in einer ethernet addr
/*MAC Length 8 Oktets*/
sock_addr.sll_addr[0] = frame.src_mac[0];
sock_addr.sll_addr[1] = frame.src_mac[1];
sock_addr.sll_addr[2] = frame.src_mac[2];
sock_addr.sll_addr[3] = frame.src_mac[3];
sock_addr.sll_addr[4] = frame.src_mac[4];
sock_addr.sll_addr[5] = frame.src_mac[5];
/*not in use*/
sock_addr.sll_addr[6] = 0x00;
sock_addr.sll_addr[7] = 0x00;
memset(buffer, '0', sizeof(char)*ETH_FRAME_LEN);
/*set the frame header*/
/*build RAW Ethernet packet*/
buffer[0] = frame.dest_mac[0];
buffer[1] = frame.dest_mac[1];
buffer[2] = frame.dest_mac[2];
buffer[3] = frame.dest_mac[3];
buffer[4] = frame.dest_mac[4];
buffer[5] = frame.dest_mac[5];
buffer[6] = frame.src_mac[0];
buffer[7] = frame.src_mac[1];
buffer[8] = frame.src_mac[2];
buffer[9] = frame.src_mac[3];
buffer[10] = frame.src_mac[4];
buffer[11] = frame.src_mac[5];
while(frame.data[0] != '*'){
printf("Input: ");
scanf("%s", frame.data);
tempLength = 0;
while(frame.data[tempLength] != '\0'){
tempLength++;
}
input = 0;
for(sendLen = 14;sendLen <= (14+tempLength);sendLen++){
buffer[sendLen] = frame.data[input];
input++;
}
sprintf(convLen,"%x", (14 + input));
buffer[12] = convLen[0];
buffer[13] = convLen[1];
length_in_byte = sendto(sock_desc, buffer, 14+input,0,(struct sockaddr*) &sock_addr,sizeof(struct sockaddr_ll));
if(length_in_byte <= 0){
printf("Error beim Senden");
}else{
printf("\n");
printf("src: %02x:%02x:%02x:%02x:%02x:%02x\t->\tdest: %02x:%02x:%02x:%02x:%02x:%02x\n",frame.src_mac[0],frame.src_mac[1],frame.src_mac[2],frame.src_mac[3],frame.src_mac[4],frame.src_mac[5],frame.dest_mac[0],frame.dest_mac[1],frame.dest_mac[2],frame.dest_mac[3],frame.dest_mac[4],frame.dest_mac[5]);
printf("Data: %s\n", frame.data);
}
}
please i need some help to find my mistake.
Thank you forward.
Please give us the lines dealing with the socket creation operation.
I assume you have created your socket like that :
int socket = socket(AF_PACKET,SOCK_RAW,IPPROTO_IP)
You are right when you build the ethernet header (by the way you should use instead struct ethhdr, it's cleaner).
After that you send your data, without putting L4 header and L3 header.... It's normal that your code doesn't work.
I assume you now the OSI Model.
If it's not the case read the paper before reading the next text.
So when you want to create a RAW packet, you have many things to do before.
For example if you want to use TCP/IP protocol you will have to do the next operation
#include <unistd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#DEFINE SIZEMAX 1000
int main() {
char buffer[65535] // MDU
// CREATE YOUR SOCKET
int socket = socket(AF_PACKET,SOCK_RAW,IPPROTO_RAW) ;
// You can also specify some opt to your socket but I let you done your own stuffs
struct ethhdr * ethdr ;
struct iphdr * iph ;
struct tcphdr * tcph;
// Fill all the fields of these last structures (i can't do it for you too long).
// Fill the buffer
memcpy(buffer,ethdr,sizeof(struct ethhdr)) ;
// Deplace it to the good addr
buffer = buffer + sizeof(struct ethhdr) ;
memcpy(buffer,iph,sizeof(struct iphdr)) ;
buffer = buffer + sizeof(struct iphdr)) ;
memcpy(buffer,tcph,sizeof(struct tcphdr)) ;
printf("your entry : \n") ;
char * entry = malloc(SIZEMAX) ;
sncanf("%s",entry,100) ;
buffer = buffer+ 100 ;
memcpy(buffer,entry,100) ;
int size_send = sendto(socket,.......) ;
if(size_send =< 0)
perror("error sending data") ;
return 0 ;
}
This is pseudo-code but it tell you how to send raw packet.
This paper will do the work for you :
RAW Socket TCP/IP
Hope it will help you
Anthony
I think your code is missing the ethernet "packet type ID field". See struct ethhdr in if_ether.h. Now you put convLen where the proto should be. It probably matches the proto number of IPX. Try setting it to something (eg ETH_P_IP) or test what happens when you set it to zero.
I understand you want to make your own protocol and are using the field after the ethernet addresses for the length. However I do suggest you keep at least the ethernet level header standards compliant and build your own on top of that (in the ethernet frame payload). Otherwise youll get problems with tools(like wireshark) and device drivers that try to parse the ethernet headers.
As to why you send two packets, I think the reason lies in the way you scanf input from the user. The while loop is peculiar. I suggest trying to send some data with a fixed input, eg char msg[] = "Test";
Sorry if the answer is vague. It is difficult to help you, since your code is not complete and I can not test it.
OK I see why my receiver receiv two packets. The first packet ist the send by us packet and the second is the Unicast to us. The problem I don't need the first packet to receive. I have test my code and have one capture with the two packets as example.
First frame in hex code from Wireshark:
0004 0001 0006 0000010000020000 0060 the message
Second frame:
0000 0001 0006 0000010000020000 1234 the message
This is Linux cooked capture an means:
2 Bytes packet typ // 0 = To us; 1 = Broadcast; 2 = Multicast; 3 = from somebody to somebody; 4 = sent by us
2 Bytes LINUX ARPHDR_ value
2 Bytes Link layer addr. lenght
8 Bytes source address
2 Bytes Ethernet protocol //e.g. 1 Novell 802.3 without 802.2 header; 4 frames with 802.2 header
My questions:
First is it possible to filter or ignore the first packet?
Second why contains the first packet the protocol typ from the send structur and the second packet the protocol typ from buffer?
Example:
For the first packet
sock_addr.sll_family = AF_PACKET;
sock_addr.sll_protocol = htons(0x0060);
sock_addr.sll_ifindex = 3;
sock_addr.sll_hatype = ARPHRD_ETHER;
sock_addr.sll_pkttype = PACKET_HOST;
sock_addr.sll_halen = ETH_ALEN;
/*MAC Length 8 Oktets*/
sock_addr.sll_addr[0] = 0x00;
sock_addr.sll_addr[1] = 0x00;
sock_addr.sll_addr[2] = 0x01
sock_addr.sll_addr[3] = 0x00;
sock_addr.sll_addr[4] = 0x00;
sock_addr.sll_addr[5] = 0x02;
/*not in use*/
sock_addr.sll_addr[6] = 0x00;
sock_addr.sll_addr[7] = 0x00;
for second packet the buffer like 802.3 frame
buffer[0-5] = 0x00 0x00 0x01 0x00 0x00 0x03 // Destination address
buffer[6-11] = 0x00 0x00 0x01 0x00 0x00 0x02 // Source address
buffer[12-13] = 0x12 0x34 // Protocol dummy typ
My receiver can capture the first packet without a connection between two vde_switches and when I connect the switches with dpipe and vde_plug can I capture the second packet too.

Unmarshalling ethernet frames and data alignment [closed]

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 9 years ago.
So I'm trying to unmarshall ethernet frames eth and ip headers. I have a program skeleton that reads input data from file and serves me a struct with the frame data.
I have googled and read other posts on the topic but i'm getting nowhere. For example:
Data Alignment with network programming
http://en.wikipedia.org/wiki/Data_structure_alignment
I not sure what the problem is. Obviously im new to C.
If I just try using memcpy and copy data into my structs of eth and ip headers most of the data comes out nice, but not the ip adresses in my ip struct. I also tried reading from the input struct in 1byte, 2byte and 4byte chunks but it doesn't give me correct data.
Here is an example of input data frame from the input file:
200 0000 0002 0200 0000 0012 0800 4500 0026 17d4 81e7 ff01 0000 0a02 0002 0c0c 0c0c 0000 e802 c04b 0004 3e89 3325 0006 ddef 0809
Here is the header structs im using
struct ethhdr{
char da[6];
char sa[6];
uint16_t pt;
};
typedef struct ethhdr ethhdr;
struct iphdr{
#ifdef WORDS_BIGENDIAN
unsigned int ip_v:4; /* version */
unsigned int ip_hl:4; /* header length */
#else
unsigned int ip_hl:4; /* header length */
unsigned int ip_v:4; /* version */
#endif
uint8_t ip_tos; /* type of service */
uint16_t ip_len; /* total length */
uint16_t ip_id; /* identification */
uint16_t ip_off; /* fragment offset field */
uint8_t ip_ttl; /* time to live */
uint8_t ip_p; /* protocol */
uint16_t ip_sum; /* checksum */
uint32_t ip_src, ip_dst; /* source and dest address */
};
typedef struct iphdr iphdr;
The input data struct that im being served.
struct fe_context{
char *pkt; /* Pointer to packet */
size_t len; /* Length of packet */
void *if_in; /* Incoming interface - handle */
};
typedef struct fe_context fe_context;
Sample code of how I've tied to read the data.
int fe_process(fe_context *c)
{
printf("\n\nPacket received!\n");
printf("memcpy to header structs:\n");
ethhdr * ethh = (ethhdr *) malloc(sizeof(ethhdr));
iphdr * iph = (iphdr *) malloc(sizeof(iphdr));
memcpy(ethh, c->pkt, sizeof(ethhdr));
memcpy(iph, c->pkt+sizeof(ethhdr), sizeof(ethhdr));
printf("MAC SA: %02x:%02x:%02x:%02x:%02x:%02x\n", ethh->sa[0], ethh->sa[1], ethh->sa[2],
ethh->sa[3], ethh->sa[4], ethh->sa[5]);
printf("MAC P: %04x\n", ntohs(ethh->pt));
printf("IP Ver: %x\n", ntohl(iph->ip_v));
printf("IP IHL: %x\n", ntohl(iph->ip_hl));
printf("IP TTL: %i\n", iph->ip_ttl);
printf("IP Checksum: %x\n", ntohl(iph->ip_sum));
printf("IP SRC: %08x\n", ntohl(iph->ip_src));
printf("IP DST: %08x\n", ntohl(iph->ip_dst));
char * cp = c->pkt;
printf("\nPacket read by char:\n");
char data;
int p;
for(p = 0; p < 52; p++) {
data = *cp;
cp++;
printf("%02x", data);
if(p%2==1) {
printf(" ");
}
}
printf("\n\n");
cp = c->pkt;
printf("Packet read by uint16_t:\n");
uint16_t data16;
for(p = 0; p < 52/2; p++) {
data16 = *cp;
cp+=2;
printf("%04x ", ntohs(data16));
}
printf("\n\n");
cp = c->pkt;
printf("Packet read by uint32_t:\n");
uint32_t data32;
for(p = 0; p < 52/4; p++) {
data32 = *cp;
cp+=4;
printf("%08x ", ntohl(data32));
}
printf("\n\n");
return 0;
}
And here is its output with the above test data input.
Packet received!
memcpy to header structs:
MAC SA: 02:00:00:00:00:12
MAC P: 0800
IP Ver: 4000000
IP IHL: 5000000
IP TTL: 255
IP Checksum: 0
IP SRC: 0a020000
IP DST: 00000000 // It looks good up until here. this should be 0c0c0c0c
Packet read by char:
0200 0000 0002 0200 0000 0012 0800 4500 0026 17ffffffd4 ffffff81ffffffe7 ffffffff01 0000 0a02 0002 0c0c 0c0c 0000 ffffffe802 ffffffc04b 0004 3effffff89 3325 0006 ffffffddffffffef 0809
Packet read by uint16_t:
0200 0000 0000 0200 0000 0000 0800 4500 0000 1700 81ff ffff 0000 0a00 0000 0c00 0c00 0000 e8ff c0ff 0000 3e00 3300 0000 ddff 0800
Packet read by uint32_t:
02000000 00000000 00000000 08000000 00000000 81ffffff 00000000 00000000 0c000000 e8ffffff 00000000 33000000 ddffffff
As you can see the data in the structs is fine all the way until the DST IP. Could this be because of padding/data alignment? It would appear, by looking at the char read, that the problem somehow happens in the ip header part of the data? When I read by char, where does these 'f's come from?
I tried checking the c->pkt pointer adress and its even. I'm not even sure if that matters though? Im thinking that it will always be since malloc got that for me. Whats the right way of reading this data for for parsing/unmarshalling? I am going to be doing alterations to this data so I would prefer to get the data into neat structs.
Do I have a simple error in my code or am I going about it the wrong way? Any help is much appreciated!
I noticed you made an error on the line:
memcpy(iph, c->pkt+sizeof(ethhdr), sizeof(ethhdr));
You're copying sizeof(ethhdr) bytes for your IP header instead of sizeof(iphdr) which is what you want here. Seems like you made a typo.

Resources