Solved

Payload from pcap (Linux c)

Posted on 2010-08-27
Last Modified: 2012-05-10
Hi guys,

I've followed the examples from this site:

http://www.systhread.net/texts/200805lpcap1.php

Near the end he has the line:

        fprintf(stdout,"%s", payload);


This raises a compile error because payload isn't defined. The thing is, I need to get the payload. I've looked at some of the other examples, but I'm not sure how they got to the payload because the example apps are pretty different.

What I'm looking for is a line of code I can put before that fprintf statement that will contain the payload (that is just the data) from the packet.

Thanks in advance!
Question by:PMembrey
 
LVL 53

Expert Comment

by:Infinity08
ID: 33540437
Try this :
        char* payload = (char*) (packet + sizeof(struct ether_header) + sizeof(struct nread_ip) + sizeof(struct nread_tcp));


0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33540445
For pcap programming, have a look at :

        http://www.tcpdump.org/pcap.htm
0
 

Author Comment

by:PMembrey
ID: 33540452
Tried that but it's from a different example and even when I tried building it in a separate app I didn't have much luck.

So what I'm looking for is someone to give me the code that works in the example provided on the site in my first message :-)
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 500 total points
ID: 33540474
well, see my first post :) That contains a line of code that should do what you want.

Maybe the code snippet didn't come through correctly ? I'll re-post the code :

        char* payload = (char*) (packet + sizeof(struct ether_header) + sizeof(struct nread_ip) + sizeof(struct nread_tcp));
0
 

Author Comment

by:PMembrey
ID: 33540477
If you look at the example on the page you will see that none of those variables that you are doing sizeof() on exist :)
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33540994
They're not variables, but types, and they are the same types that are used earlier in that code, in a similar way - eg. :

        ip = (struct nread_ip*)(packet + sizeof(struct ether_header));
        tcp = (struct nread_tcp*)(packet + sizeof(struct ether_header) + sizeof(struct nread_ip));


Those types are defined in pkt.h, listed here :

        http://www.systhread.net/texts/200901pcap3.php
0
 

Author Comment

by:PMembrey
ID: 33543366
hmm, the code still doesn't compile though - but I won't be able to try it again until Monday. Therefore I'd request that no one else posts a response as if I can get it working with infinity08's suggestions, s/he will get all the points.
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33543554
>> the code still doesn't compile though

If you want, you can just post the code you're using here, and I'll have a look at it.
0
 

Author Comment

by:PMembrey
ID: 33555423
Okay,

I've put that line of code in and it compiles perfectly - not sure what I was doing wrong before....

But now I have a new but related question which is how do I now use 'payload'. Say I want to dump the raw packet data to a file, could you provide a really simple example as to how I can do that?
0
 

Author Comment

by:PMembrey
ID: 33555470
Also whatever I try, be it strlen or sizeof, it never seems to have much in the way of data in the payload - even though I know it's a large packet....
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33556089
>> But now I have a new but related question which is how do I now use 'payload'.

Please click the "Ask a Related Question" button, and ask a new question for this. To keep things tidy and easy to manage, different questions have to be kept separate :)


>> Also whatever I try, be it strlen or sizeof, it never seems to have much in the way of data in the payload - even though I know it's a large packet....

Don't use strlen, unless you know the payload is a string that is terminated by a '\0' character (which is rarely the case).
Don't use sizeof ever - it'll return the size of the pointer, not the data it points to.

In the code you're using, the size of the payload is :

        size_t payload_size = len - sizeof(struct nread_ip) - sizeof(struct nread_tcp);
0
 

Author Comment

by:PMembrey
ID: 33556143
That would be dynamic? The payload size will vary I would have thought...
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33556204
>> That would be dynamic?

If you look at the code, you will see that the 'len' variable was obtained from the IP header. And specifically from the 'total length' field in the IP header. That field specifies the total length of the IP datagram for that specific packet.
To get the length of the payload, all you need to do, is subtract the length of the IP and TCP headers.
0
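An added example (not code from this thread or from the systhread tutorial) of locating the TCP payload when the capture cannot be trusted to have fixed-size headers. It goes beyond the one-liners above by reading the header lengths from the IPv4 IHL and TCP data-offset fields and checking every offset against the captured length before use. The names `tcp_payload`, `build_sample` and `ETH_LEN`, and the sample frame, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_LEN 14  /* Ethernet II header without VLAN tag (assumption) */

/* Find the TCP payload in a captured Ethernet/IPv4/TCP frame; caplen is
 * the number of bytes actually captured (caplen in struct pcap_pkthdr).
 * Returns 0 and sets the outputs, or -1 on truncated or malformed input. */
int tcp_payload(const uint8_t *pkt, size_t caplen,
                const uint8_t **payload, size_t *payload_len)
{
    if (caplen < ETH_LEN + 20) return -1;               /* minimal IP header */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return -1;  /* EtherType IPv4 */
    const uint8_t *ip = pkt + ETH_LEN;
    size_t ip_hl  = (size_t)(ip[0] & 0x0f) * 4;         /* IHL, 32-bit words */
    size_t ip_len = ((size_t)ip[2] << 8) | ip[3];       /* total length */
    if ((ip[0] >> 4) != 4 || ip_hl < 20 || ip[9] != 6) return -1;
    if ((ip[6] & 0x1f) != 0 || ip[7] != 0) return -1;   /* later fragment */
    if (ip_len < ip_hl + 20 || ip_len > caplen - ETH_LEN) return -1;
    const uint8_t *tcp = ip + ip_hl;
    size_t tcp_hl = (size_t)(tcp[12] >> 4) * 4;         /* data offset */
    if (tcp_hl < 20 || ip_hl + tcp_hl > ip_len) return -1;
    *payload = tcp + tcp_hl;
    *payload_len = ip_len - ip_hl - tcp_hl;
    return 0;
}

/* Constructed sample frame (75 bytes): IP header with 4 option bytes,
 * TCP header with 12 option bytes, 5-byte payload containing a NUL. */
size_t build_sample(uint8_t *f)
{
    memset(f, 0, 75);
    f[12] = 0x08; f[13] = 0x00;           /* EtherType IPv4 */
    f[14] = 0x46;                         /* version 4, IHL 6 (24 bytes) */
    f[17] = 61;                           /* total length 24 + 32 + 5 */
    f[23] = 6;                            /* protocol TCP */
    f[14 + 24 + 12] = 0x80;               /* data offset 8 (32 bytes) */
    memcpy(f + 14 + 24 + 32, "GE\0T!", 5);
    return 75;
}

int main(void)
{
    uint8_t f[75]; const uint8_t *p; size_t n;
    if (tcp_payload(f, build_sample(f), &p, &n) != 0) return 1;
    fwrite(p, 1, n, stdout);              /* binary-safe, unlike "%s" */
    return 0;
}
```

Writing the payload with `fwrite` and an explicit length keeps bytes after an embedded NUL, which `fprintf("%s")` and `strlen` would drop.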
