I am currently breaking a packet down into its individual headers.
Here is my code so far:
#include <pcap.h>
#include <arpa/inet.h>        /* ntohs */
#include <net/ethernet.h>     /* struct ether_header, ETH_HLEN, ETHERTYPE_ARP */
#include <netinet/if_ether.h> /* struct ether_arp */
#include <netinet/ip.h>       /* struct ip */
#include <netinet/tcp.h>      /* struct tcphdr */

/* arpResponsesCounter is a counter defined elsewhere in the program */

void analyse(struct pcap_pkthdr *header, const unsigned char *packet, int verbose) {
    // Define headers and payload
    const struct ether_header *ethernet = NULL;
    const struct ether_arp *arp = NULL;
    const struct ip *ip = NULL;
    const struct tcphdr *tcp = NULL;
    const char *payload = NULL;
    /* Ethernet header is the first data block of packet */
    ethernet = ( struct ether_header* ) packet;
    // ARP packet following
    if( ntohs( ethernet->ether_type ) == ETHERTYPE_ARP ) {
        arp = ( struct ether_arp* ) ( packet + ETH_HLEN );
        // If the operation performed by the sender is a reply, we increment the ARP Response Counter
        if( ntohs(arp->ea_hdr.ar_op ) == 2 ) {
            arpResponsesCounter++;
        }
    } else { // IP packet following
        ip = ( struct ip* ) ( packet + ETH_HLEN );
    }
    // ARP header and IP header don't have the same size
    if( arp == NULL ) {
        u_int shift_size = (ip->ip_hl)*4;
    } else {
    }
}
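According to http://unix.superglobalmegacorp.com/BSD4.4/newsrc/netinet/ip.h.html and http://unix.superglobalmegacorp.com/Net2/newsrc/netinet/if_ether.h.html, the size of the IP header is given by (ip->ip_hl)*4;
but I cannot figure out how to get the size of the ARP header.
I need it to define the TCP header pointer correctly.
Due to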
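Answer 0: (score: 0)
I think you are confused. An ARP packet is the ARP header. ARP is a protocol in its own right; unlike IP, it does not carry other protocols as payload in its packets. It is a link-layer protocol in the same way that ICMP is a network-layer protocol. Both are top-level protocols, and neither has another protocol on top of it.
If you know the sizes of the layer-2 and layer-3 addresses on your network (48 bits for Ethernet, 32 bits for IPv4), you can determine the size of an ARP packet on that network.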
Hardware Type is two octets
Protocol Type is two octets
Hardware Address Length is one octet
Protocol Address Length is one octet
Operation is two octets
Sender Hardware Address is Hardware Address Length octets
Sender Protocol Address is Protocol Address Length octets
Destination Hardware Address is Hardware Address Length octets
Destination Protocol Address is Protocol Address Length octets
Basically, you have eight octets, plus twice the hardware address length, plus twice the protocol address length.
For IPv4 over Ethernet, that means ( 8 + ( 2 * 6 ) + ( 2 * 4 ) ) = 28.
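The size rule from the answer above, as an added example that is not part of the original question or answer: it computes the ARP length from the length octets in the packet itself and checks it against the captured byte count before touching the address fields. The names `parse_arp`, `struct arp_view` and `sample_reply` are hypothetical, the sample frame is constructed, and an untagged Ethernet II frame is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN   14      /* dst MAC, src MAC, EtherType (untagged frame) */
#define ARP_FIXED_LEN 8       /* htype 2 + ptype 2 + hlen 1 + plen 1 + oper 2 */
#define ETYPE_ARP     0x0806

/* Hypothetical result struct for this example; pointers refer into the frame. */
struct arp_view {
    uint16_t htype, ptype, oper;
    uint8_t hlen, plen;
    const uint8_t *sha, *spa, *tha, *tpa;
    size_t total_len;         /* 8 + 2*hlen + 2*plen */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is not ARP or the capture is too short. */
int parse_arp(const uint8_t *frame, size_t caplen, struct arp_view *out)
{
    if (caplen < ETH_HDR_LEN + ARP_FIXED_LEN) return -1;
    if (rd16(frame + 12) != ETYPE_ARP) return -1;
    const uint8_t *a = frame + ETH_HDR_LEN;
    out->htype = rd16(a); out->ptype = rd16(a + 2); out->oper = rd16(a + 6);
    out->hlen = a[4]; out->plen = a[5];
    out->total_len = ARP_FIXED_LEN + 2u * out->hlen + 2u * out->plen;
    /* hlen and plen come from the wire: check before touching the addresses. */
    if (caplen - ETH_HDR_LEN < out->total_len) return -1;
    out->sha = a + ARP_FIXED_LEN;
    out->spa = out->sha + out->hlen;
    out->tha = out->spa + out->plen;
    out->tpa = out->tha + out->hlen;
    return 0;
}

/* Constructed sample: ARP reply, IPv4 over Ethernet (addresses are made up). */
static const uint8_t sample_reply[42] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x06,      /* Ethernet header */
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,                /* fixed ARP fields */
    0x02,0,0,0,0,0x02, 192,0,2,1,                         /* sender MAC, IP */
    0x02,0,0,0,0,0x01, 192,0,2,2 };                       /* target MAC, IP */
int main(void)
{
    struct arp_view v;
    if (parse_arp(sample_reply, sizeof sample_reply, &v) == 0)
        printf("oper=%u arp_len=%zu\n", (unsigned)v.oper, v.total_len);
    return 0;
}
```

With libpcap, the `caplen` argument would be `header->caplen` from the `struct pcap_pkthdr` passed to the callback.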