On Dec 8, 2006, at 2:42 AM, david lopez wrote:

> I'm David, a PhD student
> I'm developing a small sniffer for my project. I'm using libpcap

It appears, from your program, that you're using WinPcap (the Windows
port of libpcap).
Are you doing this on Windows (in which case you're using WinPcap) or
on some other OS (in which case you're using libpcap)?
In either case, the right mailing list for this is probably tcpdump-workers@xxxxxxxxxxx
(even when using WinPcap, if you're not using any WinPcap-specific
features or having Windows-specific issues) or the WinPcap mailing
list (if you're using WinPcap-specific features or having Windows-
specific or WinPcap-specific issues).

> I built a sniffer for capturing ethernet packets on the cable and it
> is working fine.
> Now, I would like to use this sniffer for capturing 802.11 WLAN
> packets.
> When I use this sniffer for capturing 802.11 WLAN packets on my
> adapter, it looks ok, but when I try to get the MAC and IP
> addresses, they are wrong.
> I suppose that I should eliminate first the WLAN envelopment or
> something like that
> I would like to know if you can give a clue or if you have some
> example code.
> Here you have my code:

...which assumes that the packets have Ethernet headers. That will
only be true if pcap_datalink() returns DLT_EN10MB; if it's not doing
that, your code won't work.
Note that on 802.11 interfaces you might still get packets with
Ethernet headers, because the 802.11 adapter, or its driver, might
turn the native 802.11 plus 802.2 plus SNAP headers on packets into
fake Ethernet headers. If that's the case, pcap_datalink() will
return DLT_EN10MB; if it's not the case, it'll return some other
value, such as DLT_IEEE802_11.
What does the line

    printf("\nDatalink=%s\n\n", pcap_datalink_val_to_name(datalink));

print? If it doesn't print

    Datalink=Ethernet

then your program won't work; you will have to modify it to check the
value of "datalink", and only treat the packet as beginning with an
Ethernet header if it's DLT_EN10MB, and have it do whatever is
appropriate for the *other* type of link-layer header for values other
than DLT_EN10MB. (Take a look at tcpdump to see what's involved with
that, and why, to handle the general case, a lot is involved; in
particular, note how many entries the "printers[]" table has.)
If you're running on Windows, it'll probably report
"Datalink=Ethernet" on 802.11 interfaces.