Hi
I am implementing a skinny sniffer using winpcap and I am experimenting problems while parsing packets. Some of them are just missed to my application. I am using wireshark to see what is really happening, and I cant understand it
This is part of my code (callback function called by winpcap):
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
ip_header *ih=NULL;
udp_header *uh=NULL;
tcp_header *th=NULL;
u_int ip_len;
u_short tcp_len;
char* sipP,*sipBody;
char* skinnyP;
std::string payload;
int longSIP;
map<string,callId_st*>::iterator it;
Logger* mainLog=0;
/* retireve the position of the ip header */
ih = (ip_header *) (pkt_data +
14); //length of ethernet header
/* retrieve the position of the udp header */
ip_len = (ih->ver_ihl & 0xf) * 4;
mainLog=Logger::GetLogger("main");
if (ih->proto==0x06)//tcp == 0x06
{
th = (tcp_header *) ((u_char*)ih + ip_len);
u_short sport=ntohs(th->sdPorts.sport);
u_short dport=ntohs(th->sdPorts.dport);
if (sport==2000||dport==2000)//0x7d0=2000
{
...
This function is run inside a thread as:
pcap_loop((pcap_t *)handle,0, packet_handler, NULL);
With this instruction: if (ih->proto==0x06)//tcp == 0x06 I would be able to see every TCP incoming packet anyway, many packets wireshark is able to capture, are left for me. Can anyone have an idea of what is happening?
Thanks in advance
María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es
