0 votes

Is it possible to catch a correct pcap header on live capture or is it only put in files? All documentation relates to files...

I've managed to extract the magic number with ease from .pcap files using libpcap in Linux with C and Jnetpcap in Windows with Java according to [1][2]. However, when going through the header struct on live capture (through printf or debug) the field values seem messed up. E.g. the snaplen value ends up in the timezone field and other values make no sense.

I'm using

int pcap_loop(pcap_t *p, int cnt, pcap_handler my_callback, u_char *user) 

void my_callback (u_char *args, const struct pcap_file_header *header,   const u_char *packet)

Pcap.h:

   struct pcap_file_header {
       bpf_u_int32 magic;
       u_short version_major;
       u_short version_minor;
       bpf_int32 thiszone;     /* gmt to local correction */
       bpf_u_int32 sigfigs;    /* accuracy of timestamps */
       bpf_u_int32 snaplen;    /* max length saved portion of each pkt */
       bpf_u_int32 linktype;   /* data link type (LINKTYPE_*) */
   };

[1] http://www.tcpdump.org/pcap/pcap.html
[2] http://www.tcpdump.org/manpages/pcap-savefile.5.txt


1 Answer

1 vote

Savefiles have a file header, followed by packet records, each of which has a packet header. The file header includes a magic number and several other fields.

Live captures do not have a file header, and never will have a file header, so they do not have a magic number or any of the other fields from a file header.

If you want to know the snapshot length for a pcap_t, call pcap_snapshot(). If you are reading a savefile, it will return the snapshot length that libpcap read from the file header. If you have a live capture, it will return the snapshot length specified in a pcap_open_live() or pcap_set_snaplen() call or, if pcap_create() and pcap_activate() were used without a pcap_set_snaplen() call, the default snapshot length that was used.

The timezone value is not returned by libpcap; it is not set in most capture files.

void my_callback (u_char *args, const struct pcap_file_header *header,
                  const u_char *packet)

The pcap_loop() man page says:

   typedef void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h,
                               const u_char *bytes);

so the second argument to your callback should be const struct pcap_pkthdr *, NOT const struct pcap_file_header *. pcap_loop() will return a packet, not a file header; as I said, live captures do not have a file header.
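To make the answer's distinction concrete, here is an added C example (not code from the thread or from libpcap): the 24-byte file header parsed by parse_file_header() exists only in savefiles, while the 16-byte per-packet record header parsed by parse_record_header() carries the same values pcap_loop() hands a callback in struct pcap_pkthdr. It reads a constructed byte buffer, handles both byte orders and the nanosecond magic, and does not link against libpcap; the struct and function names are its own.

```c
#include <stddef.h>
#include <stdint.h>

/* Layouts mirror libpcap's struct pcap_file_header (24 bytes on disk) and the
 * 16-byte record header pcap_loop() delivers as struct pcap_pkthdr. */
struct file_hdr { uint32_t magic; uint16_t version_major, version_minor;
                  int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr { uint32_t ts_sec, ts_frac, caplen, len; };

/* Constructed sample savefile: little-endian header (magic 0xa1b2c3d4, v2.4,
 * snaplen 65535, linktype 1), one record (ts 1s+2us, caplen 4, len 60), data. */
static const uint8_t sample_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,
    0x3c,0x00,0x00,0x00, 0xde,0xad,0xbe,0xef };

/* Byte-order aware readers: be=1 reads big-endian, be=0 little-endian. */
static uint32_t get32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
static uint16_t get16(const uint8_t *p, int be) {
    return (uint16_t)(be ? p[0] << 8 | p[1] : p[1] << 8 | p[0]);
}

/* Parse the file header only savefiles carry. The magic is read big-endian
 * first to learn the writer's byte order; the usec (0xa1b2c3d4) and nsec
 * (0xa1b23c4d) magics are both accepted. Returns 1 on success, 0 otherwise. */
int parse_file_header(const uint8_t *buf, size_t n, struct file_hdr *h, int *be, int *nsec) {
    if (n < 24) return 0;
    uint32_t raw = get32(buf, 1);
    if (raw == 0xa1b2c3d4u || raw == 0xa1b23c4du) *be = 1;
    else if (raw == 0xd4c3b2a1u || raw == 0x4d3cb2a1u) *be = 0;
    else return 0;                                  /* not a pcap savefile */
    *nsec = (raw == 0xa1b23c4du || raw == 0x4d3cb2a1u);
    h->magic = get32(buf, *be);
    h->version_major = get16(buf + 4, *be); h->version_minor = get16(buf + 6, *be);
    h->thiszone = (int32_t)get32(buf + 8, *be); h->sigfigs = get32(buf + 12, *be);
    h->snaplen = get32(buf + 16, *be); h->linktype = get32(buf + 20, *be);
    return 1;
}

/* Parse the per-packet record header at offset off: the same four values a
 * callback gets in struct pcap_pkthdr, for savefiles and live captures alike.
 * Rejects a record whose data exceeds snaplen or runs past the buffer. */
int parse_record_header(const uint8_t *buf, size_t n, size_t off, int be,
                        uint32_t snaplen, struct rec_hdr *r) {
    if (off > n || n - off < 16) return 0;
    r->ts_sec = get32(buf + off, be); r->ts_frac = get32(buf + off + 4, be);
    r->caplen = get32(buf + off + 8, be); r->len = get32(buf + off + 12, be);
    return (r->caplen <= snaplen && r->caplen <= n - off - 16) ? 1 : 0;
}
```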