• C

Payload from pcap (Linux c)

Hi guys,

I've followed the examples from this site:


Near the end he has the line:

        fprintf(stdout,"%s", payload);

This raises a compile error because payload isn't defined. The thing is, I need to get the payload. I've looked at some of the other examples, but I'm not sure how they got to the payload because the example apps are pretty different.

What I'm looking for is a line of code I can put before that fprintf statement that will contain the payload (that is just the data) from the packet.

Thanks in advance!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Try this :
char* payload = (char*) (packet + sizeof(struct ether_header) + sizeof(struct nread_ip) + sizeof(struct nread_tcp));

Open in new window

For pcap programming, have a look at :

PMembreyAuthor Commented:
Tried that but it's from a different example and even when I tried building it in a separate app I didn't have much luck.

So what I'm looking for is someone to give me the code that works in the example provided on the site in my first message :-)
SolarWinds® Network Configuration Manager (NCM)

SolarWinds® Network Configuration Manager brings structure and peace of mind to configuration management. Bulk config deployment, automatic backups, change detection, vulnerability assessments, and config change templates reduce the time needed for repetitive tasks.

well, see my first post :) That contains a line of code that should do what you want.

Maybe the code snippet didn't come through correctly ? I'll re-prost the code :

        char* payload = (char*) (packet + sizeof(struct ether_header) + sizeof(struct nread_ip) + sizeof(struct nread_tcp));

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PMembreyAuthor Commented:
If you look at the example on the page you will see that none of those variables that you are doing sizeof() on exist :)
They're not variables, but types, and they are the same types that are used earlier in that code, in a similar way - eg. :

        ip = (struct nread_ip*)(packet + sizeof(struct ether_header));
        tcp = (struct nread_tcp*)(packet + sizeof(struct ether_header) + sizeof(struct nread_ip));

Those types are defined in pkt.h, listed here :

PMembreyAuthor Commented:
hmm, the code still doesn't compile though - but I won't be able to try it again until Monday. Therefore I'd request that no one else posts a response as if I can get it working with infinity08's suggestions, s/he will get all the points.
>> the code still doesn't compile though

If you want, you can just post the code you're using here, and I'll have a look at it.
PMembreyAuthor Commented:

I've put that line of code in and it compiles perfectly - not sure what I was doing wrong before....

But now I have a new but related question which is how do I now use 'payload'. Say I want to dump the raw packet data to a file, could you provide a really simple example as to how I can do that?
PMembreyAuthor Commented:
Also whatever I try, be it strlen or sizeof, it never seems to have much in the way of data in the payload - even though I know it's a large packet....
>> But now I have a new but related question which is how do I now use 'payload'.

Please click the "Ask a Related Question" button, and ask a new question for this. To keep things tidy and easy to manage, different questions have to be kept separate :)

>> Also whatever I try, be it strlen or sizeof, it never seems to have much in the way of data in the payload - even though I know it's a large packet....

Don't use strlen, unless you know the payload is a string that is terminated by a '\0' character (which is rarely the case).
Don't use sizeof ever - it'll return the size of the pointer, not the data it points to.

In the code you're using, the size of the payload is :

        size_t payload_size = len - sizeof(struct nread_ip) - sizeof(struct nread_tcp);
PMembreyAuthor Commented:
That would be dynamic? The payload size will vary I would have thought...
>> That would be dynamic?

If you look at the code, you will see that the 'len' variable was obtained from the IP header. And specifically from the 'total length' field in the IP header. That field specifies the total length of the IP datagram for that specific packet.
To get the length of the payload, all you need to do, is subtract the length of the IP and TCP headers.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.