On Oct 21, 2009, at 5:57 PM, Rayne wrote:
> So am I right to say that if I were to capture a packet, that packet
> should only consist of the 16-byte packet header and the L2-L7
> content.

If you were to capture a packet, that packet would consist of whatever
data the packet capture mechanism supplied to you, including any
pseudo-headers such as a header giving radio information for 802.11
packets. For example, if it's an 802.11 packet, the "packet header"
would include the variable-length 802.11 header, and would have a
radio header before it if that happened to be what the driver and
capture mechanism supplied, and if it's an Ethernet packet, it would
consist of the *12*-byte packet header, possibly followed by an 802.2
header, possibly followed by a SNAP header if there's an 802.2 header,
followed by the payload.

> But if I were to write that packet to a file of the libpcap format,
> then the 24-byte "header" will be prepended to the file?

If you were to write one or more packets to a pcap file, the first 24
bytes of the file will be the pcap file header, followed by the
records for the packets; each record would consist of a 16-byte
per-packet header, followed by the packet data.
The 16-byte record header is *NOT* part of the packet. If you were to
capture a packet with libpcap/WinPcap, using pcap_dispatch() or
pcap_loop(), a pointer to the 16-byte per-packet header for the packet
will be supplied to you as a separate item from the pointer to the raw
packet data; you will not get passed a pointer to a single chunk of
data starting with the 16-byte per-packet header with the packet data
immediately following it.
That's also true if you were to read an existing capture file with
libpcap/WinPcap, using pcap_dispatch() or pcap_loop().
What is it you are trying to do here?
Read a pcap-format file? If so, you should probably consider using
libpcap/WinPcap to read the file.
Write a pcap-format file? If so, you should probably still consider
using libpcap/WinPcap (pcap_dump_open(), pcap_dump(),
pcap_dump_close()).
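
The file layout described in the reply above, as an added example that is not part of the original message and is not libpcap code: a minimal reader that walks the 24-byte file header and then each 16-byte per-packet record header, returning the header fields separately from the packet data. The function names and the two-packet sample are constructed for illustration; it handles only the classic microsecond-resolution format, and it rejects a captured length that runs past the end of the buffer, since capture files are often untrusted input.

```python
import struct

FILE_HDR_LEN = 24   # pcap file header: appears once, at the start of the file
REC_HDR_LEN = 16    # per-packet record header: precedes each packet's data

def build_sample():
    """Constructed capture: little-endian, link type 1 (Ethernet), two packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, data in ((1256169420, b"\xaa" * 60), (1256169421, b"\xbb" * 42)):
        # ts_sec, ts_usec, captured length, original length, then the raw packet
        out += struct.pack("<IIII", ts_sec, 0, len(data), len(data)) + data
    return out

def read_records(buf):
    """Return (linktype, [(ts_sec, ts_usec, caplen, origlen, data), ...])."""
    if len(buf) < FILE_HDR_LEN:
        raise ValueError("truncated file header")
    magic = buf[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"            # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"            # written on a big-endian host
    else:
        raise ValueError("not a classic microsecond pcap file")
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", buf[4:FILE_HDR_LEN])
    records, off = [], FILE_HDR_LEN
    while off < len(buf):
        if off + REC_HDR_LEN > len(buf):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(
            endian + "IIII", buf, off)
        off += REC_HDR_LEN
        if caplen > len(buf) - off:
            raise ValueError("captured length runs past end of file")
        # The record header is metadata about the packet, not part of it:
        # keep the fields and the packet bytes as separate items.
        records.append((ts_sec, ts_usec, caplen, origlen, buf[off:off + caplen]))
        off += caplen
    return linktype, records

if __name__ == "__main__":
    linktype, records = read_records(build_sample())
    for ts_sec, ts_usec, caplen, origlen, data in records:
        print(linktype, ts_sec, ts_usec, caplen, origlen, data[:4].hex())
```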