display the contents of the packet in c

Question

i am capturing packets in the network, and printing the packet values i have defined structures for ethernet ip and tcp, i am first printing the entire packet then but while printing the packet data according to the structure it skips the first 4 bytes of packet and prints the next as 6 bytes as destination address ans so on, why is it skipping the first 4 bytes ? due to this i get wrong results

    void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
    {
        int i,a[4],mul_value;
        struct classifier *ptr_fltr;

        ptr_fltr = (struct classifier*)(packet);

        int PacketLength = header->len;
        for(i = 0; i < PacketLength; i++)
        printf("%3X", packet[i]);

        printf("destination host");
        for(i = 0; i < 6; i++)
        printf("%3x",ptr_fltr->pktFltr.mac.ether_dhost[i]);
        printf("\n");

        printf("source host");
        for(i = 0; i < 6; i++)
        printf("%3x",ptr_fltr->pktFltr.mac.ether_shost[i]);

    .
    .
    .
    .
    }

these are the structures

        struct packet_filter
    {
        struct mac_filter mac;
        struct ip_filter ip;
        union {
            struct udp_filter proto;
        }protocol;
    }__attribute__((packed));


    struct mac_filter
    {
        u_char ether_dhost[ETHER_ADDR_LEN];
        u_char ether_shost[ETHER_ADDR_LEN];
        u_short ether_type;
    }__attribute__ ((packed));

    struct ip_filter
    {
        u_char ip_vhl;
        u_char ip_tos; /* type of service */
        u_short ip_len; /* total length */
        u_short ip_id; /* identification */
        u_short ip_off; /* fragment offset field */
        u_char ip_ttl; /* time to live */
        u_char ip_p; /* protocol */
        u_short ip_sum; /* checksum */
        struct in_addr ip_src; /* source and dest address */
        struct in_addr ip_dst; /* source and dest address */
    }__attribute__((packed));

struct node
    {
        int n; 
        struct classifier keys[M-1]; /*array of keys*/
        struct node *p[M]; 
    }__attribute__((packed));

output

    i have put some part of the o/p
    0 14 85 A5 1B  1  0 19 D1 A3  7 25  8  0 45 10  1 54 A6 CA 40  0 40  6 2D CC AC 1C  6 6E AC 1C  6 57  0 16 91 57 EA AB
    destination host 1b  1  0 19 d1 a3
    source host  7 25  8  0 45 10

but the destination host should be 0 14 85 A5 1B 1

Without code, nobody can help you; Stack Overflow can't read minds. — Delan Azabani, Mar 03 '11 at 07:33
@ Delan Azaban and @Fox32 this is the code.... and i have defined structure for ethernet header ip header and tcp header. — asir, Mar 03 '11 at 07:40
@Asir: you're *still* missing the all-important `struct classifier` — Tony Delroy, Mar 03 '11 at 08:00
The union with one member in `struct packet_filter` is a bit odd. — Jonathan Leffler, Mar 20 '11 at 10:33

score 1 · Answer 1 · edited Jul 13 '20 at 23:58

Instead of using a custom structure, just cast the pointer to the buffer containing the packet to the structure of the packet type and work down from there. IIRC libpcap emits Ethernet packets, so the following code should print the Ethernet packet type, the destination and source MAC addresses and the payload in hexadecimal:

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
    struct mac_filter *p = (struct mac_filter *) packet;
    const unsigned int data_len = (header->len - sizeof *p);
    const u_char *data = (packet + sizeof *p);
    int i = 0;

    printf("Type: %04hx\n", p->ether_type);

    printf(
        "Destination: %02X:%02X:%02X:%02X:%02X:%02X\n",
        p->ether_dhost[0], p->ether_dhost[1], p->ether_dhost[2],
        p->ether_dhost[3], p->ether_dhost[4], p->ether_dhost[5]
    );

    printf(
        "Sender:      %02X:%02X:%02X:%02X:%02X:%02X\n",
        p->ether_shost[0], p->ether_shost[1], p->ether_shost[2],
        p->ether_shost[3], p->ether_shost[4], p->ether_shost[5]
    );

    for (i = 0; i < data_len; i++) {
        printf("  %02x", data[i] & 0xff);
    }        
    printf("\n");
}

*just cast the pointer to the buffer containing the packet to the structure of the packet type* A few years late, but that is a [strict aliasing violation](https://stackoverflow.com/questions/98650/what-is-the-strict-aliasing-rule) and undefined behavior. Doing that also risks violating [**6.3.2.3 Pointers**, p7](https://port70.net/~nsz/c/c11/n1570.html#6.3.2.3p7) of the C 11 standard: "A pointer to an object type may be converted to a pointer to a different object type. If the resulting pointer is not correctly aligned for the referenced type, the behavior is undefined. ..." — Andrew Henle, Jul 14 '20 at 00:22

display the contents of the packet in c

1 Answers1