1
votes

I am working on an assignment that has me parsing information from a pcap file in C using the libpcap library. I have had success in figuring out how to get data such as the source/dest ip addresses, tcp/udp ports, and source/dest ethernet addresses. Next on the list is to get stats from network and transport layer protocols seen and how many packets per protocol. I'm afraid I can't quite seem to figure out how to get access to this and am hoping someone might point me in the right direction. Since the other information has been gleaned from various data structures from within places like /usr/include/netinet.h this should be somewhere in there as well, but, again, I'm a bit lost.


2 Answers

2
votes

It seems like you already have the answers... IP is a network layer protocol, so if you can find the IP address you can count IP packets. Similarly, TCP and UDP are transport layer protocols. If you can find the TCP/UDP ports in the packets then you already know how many packets are using which protocols.

0
votes

In your callback function

/* define/compute ip header offset (struct sniff_ip, struct sniff_tcp, IP_HL,
 * TH_OFF and SIZE_ETHERNET are the definitions from tcpdump's sniffex.c example) */
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip)*4;
if (size_ip < 20) {
  printf("   * Invalid IP header length: %u bytes\n", size_ip);
  return;
}

/* the protocol field of the IP header says which transport protocol follows */
switch(ip->ip_p) {
  case IPPROTO_TCP:
    /* define/compute tcp header offset */
    tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
    size_tcp = TH_OFF(tcp)*4;
    if (size_tcp < 20) {
      printf("   * Invalid TCP header length: %u bytes\n", size_tcp);
      return;
    }
    bytes_tcp += ntohs(ip->ip_len);   /* IP total length, counted as this packet's bytes */
    packets_tcp++;
    break;
  case IPPROTO_UDP:
    bytes_udp += ntohs(ip->ip_len);
    packets_udp++;
    break;
}
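The per-protocol counting the answer above describes, written out as an added, self-contained example (not the answerer's code and not from libpcap or the sniffex example). It parses raw Ethernet/IPv4 bytes directly instead of casting to sniff_ip/sniff_tcp, so it runs without libpcap; the struct, function names and the frames it processes are constructed for illustration. The one thing worth taking from it is the bounds checking: every header offset is compared against caplen (the bytes actually captured) before it is read, so a truncated capture or a bogus IHL/data-offset value is counted as malformed rather than read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link/network constants from the Ethernet, IPv4 and IANA protocol-number specs. */
#define SIZE_ETHERNET   14
#define ETHERTYPE_IPV4  0x0800
#define PROTO_ICMP      1
#define PROTO_TCP       6
#define PROTO_UDP       17

/* Per-protocol counters (hypothetical struct); "bytes" uses the IP total-length field. */
struct proto_stats {
    unsigned long ip_packets, tcp_packets, udp_packets, icmp_packets, other_packets;
    unsigned long tcp_bytes, udp_bytes;
    unsigned long non_ip, malformed;
};

/* Read a big-endian 16-bit field without depending on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one frame. caplen is the number of bytes present in the buffer (pcap's
 * caplen); every offset is checked against it before being dereferenced. */
void classify_frame(const uint8_t *pkt, size_t caplen, struct proto_stats *st)
{
    size_t size_ip, size_tcp, l4_avail;
    const uint8_t *ip, *l4;
    uint16_t ip_len;

    if (caplen < SIZE_ETHERNET) { st->malformed++; return; }
    if (rd16(pkt + 12) != ETHERTYPE_IPV4) { st->non_ip++; return; }   /* ARP, IPv6, ... */

    ip = pkt + SIZE_ETHERNET;
    if (caplen < SIZE_ETHERNET + 20 || (ip[0] >> 4) != 4) { st->malformed++; return; }
    size_ip = (size_t)(ip[0] & 0x0f) * 4;        /* IHL is in 32-bit words */
    ip_len  = rd16(ip + 2);                       /* IP total length */
    if (size_ip < 20 || ip_len < size_ip || caplen < SIZE_ETHERNET + size_ip) {
        st->malformed++; return;
    }
    st->ip_packets++;

    l4 = ip + size_ip;
    l4_avail = caplen - SIZE_ETHERNET - size_ip;  /* bytes left for the transport header */
    switch (ip[9]) {                              /* IPv4 protocol field */
    case PROTO_TCP:
        if (l4_avail < 20) { st->malformed++; return; }
        size_tcp = (size_t)(l4[12] >> 4) * 4;     /* data offset, 32-bit words */
        if (size_tcp < 20 || size_tcp > l4_avail) { st->malformed++; return; }
        st->tcp_packets++; st->tcp_bytes += ip_len; break;
    case PROTO_UDP:
        if (l4_avail < 8) { st->malformed++; return; }
        st->udp_packets++; st->udp_bytes += ip_len; break;
    case PROTO_ICMP:
        st->icmp_packets++; break;
    default:
        st->other_packets++; break;
    }
}

/* Constructed sample frames (not from any real capture). */
#define ETH_HDR(type_hi, type_lo) \
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, type_hi, type_lo

static const uint8_t tcp_frame[] = {                 /* 14 eth + 20 ip + 20 tcp = 54 bytes */
    ETH_HDR(0x08,0x00),
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};
static const uint8_t udp_frame[] = {                 /* ip total length 33 (20 + 8 + "hello") */
    ETH_HDR(0x08,0x00),
    0x45,0x00, 0x00,0x21, 0x00,0x02, 0x40,0x00, 0x40,0x11, 0x00,0x00, 10,0,0,1, 10,0,0,53,
    0xd4,0x31, 0x00,0x35, 0x00,0x0d, 0x00,0x00, 'h','e','l','l','o'
};
static const uint8_t icmp_frame[] = {                /* ip total length 28: echo request */
    ETH_HDR(0x08,0x00),
    0x45,0x00, 0x00,0x1c, 0x00,0x03, 0x40,0x00, 0x40,0x01, 0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x08,0x00, 0x00,0x00, 0x00,0x01, 0x00,0x01
};
static const uint8_t arp_frame[] = { ETH_HDR(0x08,0x06), 0x00,0x01,0x08,0x00 }; /* non-IP */

/* Run the constructed frames through the classifier and return the totals. */
struct proto_stats sample_stats(void)
{
    struct proto_stats st = {0};
    classify_frame(tcp_frame,  sizeof tcp_frame,  &st);
    classify_frame(udp_frame,  sizeof udp_frame,  &st);
    classify_frame(icmp_frame, sizeof icmp_frame, &st);
    classify_frame(arp_frame,  sizeof arp_frame,  &st);
    classify_frame(tcp_frame,  40,                &st);   /* short capture: TCP header cut off */
    return st;
}

int main(void)
{
    struct proto_stats s = sample_stats();
    printf("ip=%lu tcp=%lu (%lu bytes) udp=%lu (%lu bytes) icmp=%lu other=%lu non-ip=%lu malformed=%lu\n",
           s.ip_packets, s.tcp_packets, s.tcp_bytes, s.udp_packets, s.udp_bytes,
           s.icmp_packets, s.other_packets, s.non_ip, s.malformed);
    return 0;
}
```

In a real pcap_loop callback you would call classify_frame(packet, header->caplen, &stats) and print the totals after pcap_loop returns; using header->caplen rather than header->len is what keeps the checks honest when the capture was taken with a snaplen shorter than the packets.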