#1
Contributing User, Devshed Newbie (0 - 499 posts) | Join Date: Sep 2004 | Posts: 34 | Rep Power: 11

    Pcap Programming - how to extract payload


    Basically, here is what I want to do: I want to extract the payload, convert each byte to ASCII, and count the number.

    Ok, having read the tutorial at www.tcpdump.org
    http://www.tcpdump.org/pcap.htm

    it is clear that the payload is after IP_header + Ethernet_header + TCP_header.
    My questions are:
    1. Is it possible to correctly detect the length of the payload? By strlen(payload)?
    2. For some reason, when I convert each byte into ASCII, I am getting a "negative value". What does it mean? The value for each byte is supposed to be within the range 0-255 ... ASCII, right?

    Any help would be appreciated.
    Also, maybe some tutorial links to look up would also be good.
    :)
    Thanks, many thanks.
    :confused:
#2
Contributing User, Devshed Novice (500 - 999 posts) | Join Date: May 2004 | Location: Adelaide, Australia | Posts: 880 | Rep Power: 11
    1. I would think that the payload is everything after the headers - if you have the packet size (from pcap_pkthdr), just subtract off the size of the headers. strlen won't work as the payload may contain null bytes, and almost certainly won't be null terminated

    2. You should be using "unsigned char" as the type when converting to ascii.
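Both points of this answer in working code, as an added example that is not from the thread or from the tcpdump.org tutorial: the payload offset is computed from the header lengths the packet itself carries (IHL and TCP data offset, since both headers can have options), the payload length comes from the IP total length clamped to what was captured, and the byte counter indexes with unsigned char so values 0x80..0xff never go negative. The function names, the struct and the 60-byte frame are my own constructions; the frame stands in for what pcap_next() or a pcap_loop() callback would hand over, with caplen playing the role of pcap_pkthdr.caplen.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN 14   /* dst MAC + src MAC + EtherType */

/* Where the TCP payload sits inside one captured frame. */
struct payload_view {
    const unsigned char *data;  /* first payload byte, NULL if not IPv4/TCP */
    size_t len;                 /* payload length in bytes */
};

/* Locate the TCP payload in an Ethernet/IPv4/TCP frame of 'caplen' captured
   bytes (in a real capture loop caplen is pcap_pkthdr.caplen). Header sizes
   are read from the packet because IP and TCP headers may carry options.
   Returns 0 on success, -1 if the frame is not IPv4/TCP or is too short. */
int find_tcp_payload(const unsigned char *packet, size_t caplen,
                     struct payload_view *out)
{
    out->data = NULL;
    out->len = 0;
    if (caplen < ETHER_HDR_LEN + 20 || packet[12] != 0x08 || packet[13] != 0x00)
        return -1;                                   /* EtherType 0x0800 = IPv4 */
    const unsigned char *ip = packet + ETHER_HDR_LEN;
    size_t ip_hlen = (size_t)(ip[0] & 0x0f) * 4;     /* IHL, in 32-bit words */
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];  /* IP total length */
    if ((ip[0] >> 4) != 4 || ip_hlen < 20 || ip[9] != 6)   /* protocol 6 = TCP */
        return -1;
    if (ip_total < ip_hlen + 20 || caplen < ETHER_HDR_LEN + ip_hlen + 20)
        return -1;
    const unsigned char *tcp = ip + ip_hlen;
    size_t tcp_hlen = (size_t)(tcp[12] >> 4) * 4;    /* data offset, 32-bit words */
    if (tcp_hlen < 20 || ip_total < ip_hlen + tcp_hlen)
        return -1;
    size_t off = ETHER_HDR_LEN + ip_hlen + tcp_hlen;
    if (caplen < off)
        return -1;
    /* Length comes from the IP total length, not caplen alone: Ethernet pads
       short frames to 60 bytes and the padding is captured too. If snaplen
       cut the packet short, clamp to the bytes actually captured. */
    size_t plen = ip_total - ip_hlen - tcp_hlen;
    if (plen > caplen - off)
        plen = caplen - off;
    out->data = packet + off;
    out->len = plen;
    return 0;
}

/* Payload length for a frame, or -1 if it has no TCP payload. */
long payload_len_of(const unsigned char *packet, size_t caplen)
{
    struct payload_view v;
    return find_tcp_payload(packet, caplen, &v) == 0 ? (long)v.len : -1;
}

/* Count how often each byte value 0..255 occurs. The index type is the whole
   point: plain 'char' is signed on most compilers, so bytes 0x80..0xff come
   out as -128..-1 (the "negative values"); 'unsigned char' is always 0..255. */
void count_bytes(const unsigned char *payload, size_t len, unsigned long counts[256])
{
    memset(counts, 0, 256 * sizeof counts[0]);
    for (size_t i = 0; i < len; i++)
        counts[payload[i]]++;
}

/* Constructed sample frame (not from a real capture): Ethernet + IPv4 + TCP,
   a 4-byte payload 'H', NUL, 0xff, 0x80, then 2 bytes of Ethernet padding. */
const unsigned char sample_frame[60] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL 0x45, TOS, total length 44, id, flags/frag, TTL 64,
       protocol 6, checksum (left zero), src 10.0.0.1, dst 10.0.0.2 */
    0x45,0x00, 0x00,0x2c, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP: sport 1234, dport 80, seq, ack, data offset 5 + PSH/ACK, window,
       checksum (left zero), urgent pointer */
    0x04,0xd2, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x50,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    /* payload, then Ethernet padding that is not payload */
    0x48, 0x00, 0xff, 0x80,
    0x00, 0x00
};

/* Count of one byte value in the sample payload (0 if the frame is rejected). */
unsigned long sample_count(int byte_value)
{
    struct payload_view v;
    unsigned long counts[256];
    if (find_tcp_payload(sample_frame, sizeof sample_frame, &v) != 0)
        return 0;
    count_bytes(v.data, v.len, counts);
    return counts[byte_value & 0xff];
}

int main(void)
{
    struct payload_view v;
    unsigned long counts[256];
    if (find_tcp_payload(sample_frame, sizeof sample_frame, &v) != 0)
        return 1;
    printf("payload: %zu bytes (strlen would report %zu)\n",
           v.len, strlen((const char *)v.data));
    count_bytes(v.data, v.len, counts);
    for (int b = 0; b < 256; b++)
        if (counts[b])
            printf("  byte 0x%02x: %lu\n", b, counts[b]);
    return 0;
}
```

On the sample frame strlen() reports 1 because the second payload byte is NUL, while the real length is 4; the two trailing padding bytes are excluded because the IP total length, not caplen, bounds the payload.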
#3
Contributing User, Devshed Newbie (0 - 499 posts) | Join Date: Sep 2004 | Posts: 34 | Rep Power: 11
    Originally Posted by The Dark
    1. I would think that the payload is everything after the headers - if you have the packet size (from pcap_pkthdr), just subtract off the size of the headers. strlen won't work as the payload may contain null bytes, and almost certainly won't be null terminated

    2. You should be using "unsigned char" as the type when converting to ascii.
    Is it all the headers? Including IP header + TCP_header + Ethernet_header?
    Or just the IP header?
    Thanks
#4
Contributing User, Devshed Novice (500 - 999 posts) | Join Date: May 2004 | Location: Adelaide, Australia | Posts: 880 | Rep Power: 11
    On the page you mentioned it has the code:
    Code:
    payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
    This shows that the payload is after all of the headers, at least in the packet structure given.
#5
Contributing User, Devshed Newbie (0 - 499 posts) | Join Date: Sep 2004 | Posts: 34 | Rep Power: 11
    Originally Posted by The Dark
    On the page you mentioned it has the code:
    Code:
    payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
    This shows that the payload is after all of the headers, at least in the packet structure given.
    Oh ok.. can I know what packet is? I saw in the heading it's u_char packet ... but I'm still kind of not sure what it is; sorry, new learner.
    Currently, to run my program
    I use something like this:
    cat tcpdump.data | ./sniffer
    However, let's say I want to analyze 2 files; how do I do it?
    Say tcpdump2.data,
    without running it 2 times?
    I tried cat tcpdump.data tcpdump2.data | ./sniffer
    but it doesn't work.
#6
Contributing User, Devshed Novice (500 - 999 posts) | Join Date: May 2004 | Location: Adelaide, Australia | Posts: 880 | Rep Power: 11
    packet is a uchar * returned from the pcap function you used to get the packet. Without seeing your code, I don't know which function you are using. Note: I have never used pcap, so I am just guessing.

    To run your program over multiple files, you could change it to read the command line arguments and open the files that are named on the command line.
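The command-line approach in code, as an added example that is neither the thread's nor libpcap's: main() opens every file named on the command line in turn, one complete parse per file. It also shows why the cat of two captures fails: every pcap file starts with its own 24-byte global header, so when two are concatenated the second header turns up where the reader expects a 16-byte record header. To keep the example buildable without pcap.h, a minimal reader for the classic pcap file layout stands in for libpcap; in a real sniffer the same per-file loop would call pcap_open_offline(argv[i], errbuf) and pcap_loop() instead of count_stream(). The sample capture bytes, MAX_SNAPLEN and all function and struct names are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SNAPLEN 262144u   /* largest record length libpcap will accept */

/* Per-file statistics collected by count_stream(). */
struct file_stats {
    unsigned long packets;    /* records read */
    unsigned long captured;   /* sum of incl_len over all records */
    uint32_t linktype;        /* from the global header, 1 = Ethernet */
};

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t get32(const unsigned char *p, int big_endian)
{
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* 1 if p points at a pcap magic number (microsecond or nanosecond variant,
   either byte order), else 0. */
static int is_pcap_magic(const unsigned char *p)
{
    uint32_t le = get32(p, 0), be = get32(p, 1);
    return le == 0xa1b2c3d4u || le == 0xa1b23c4du || be == 0xa1b2c3d4u || be == 0xa1b23c4du;
}

/* Walk one classic pcap stream: a 24-byte global header, then 16-byte record
   headers (ts_sec, ts_usec, incl_len, orig_len) each followed by incl_len
   bytes of frame. Returns 0 at a clean end of file, -1 if the stream is malformed. */
int count_stream(FILE *fp, struct file_stats *st)
{
    unsigned char gh[24], rh[16], buf[4096];
    memset(st, 0, sizeof *st);
    if (fread(gh, 1, sizeof gh, fp) != sizeof gh || !is_pcap_magic(gh))
        return -1;
    int big = (gh[0] == 0xa1);               /* big-endian magic starts with 0xa1 */
    st->linktype = get32(gh + 20, big);
    for (;;) {
        size_t n = fread(rh, 1, sizeof rh, fp);
        if (n == 0)
            return 0;                         /* clean end of file */
        if (n != sizeof rh)
            return -1;                        /* truncated record header */
        /* A magic number where a record header belongs is a second global
           header, i.e. two files concatenated. A real ts_sec of 0xa1b2c3d4
           would be a timestamp in the year 2056, so rejecting it is safe. */
        if (is_pcap_magic(rh))
            return -1;
        uint32_t incl = get32(rh + 8, big);
        if (incl > MAX_SNAPLEN)
            return -1;
        for (uint32_t left = incl; left > 0; ) { /* consume the frame bytes */
            size_t want = left < sizeof buf ? left : sizeof buf;
            if (fread(buf, 1, want, fp) != want)
                return -1;                    /* frame cut short */
            left -= (uint32_t)want;
        }
        st->packets++;
        st->captured += incl;
    }
}

/* Constructed minimal capture (not a real trace): little-endian global header,
   version 2.4, snaplen 65535, linktype 1, then two 4-byte records. */
const unsigned char sample_pcap[64] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x01,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xde,0xad,0xbe,0xef,
    0x02,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xca,0xfe,0xba,0xbe,
};

/* Feed 'copies' back-to-back copies of sample_pcap through count_stream(),
   which is what 'cat a.pcap b.pcap | ./sniffer' delivers. Returns the packet
   count, or -1 if the stream is rejected (it is, for copies >= 2). */
long demo_concatenated(int copies)
{
    struct file_stats st;
    if (copies < 1)
        return -1;
    FILE *fp = tmpfile();
    if (!fp)
        return -1;
    for (int i = 0; i < copies; i++)
        fwrite(sample_pcap, 1, sizeof sample_pcap, fp);
    rewind(fp);
    int rc = count_stream(fp, &st);
    fclose(fp);
    return rc == 0 ? (long)st.packets : -1;
}

/* One run, one file at a time: every name on the command line is opened and
   parsed on its own, so each file begins with its own global header. */
int main(int argc, char **argv)
{
    int rc = 0;
    for (int i = 1; i < argc; i++) {
        struct file_stats st;
        FILE *fp = fopen(argv[i], "rb");
        if (!fp) { perror(argv[i]); rc = 1; continue; }
        if (count_stream(fp, &st) == 0)
            printf("%s: %lu packets, %lu captured bytes, linktype %u\n",
                   argv[i], st.packets, st.captured, (unsigned)st.linktype);
        else { fprintf(stderr, "%s: not a valid pcap file\n", argv[i]); rc = 1; }
        fclose(fp);
    }
    return rc;
}
```

Usage is `./sniffer tcpdump.data tcpdump2.data`; each file gets its own line of output. With libpcap, `pcap_open_offline("-", errbuf)` reads a single capture from stdin, which is why the piped form works for one file but not for two concatenated ones.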
