   From: dtiktin@nospam.invalid   
      
   On 27 Apr 2009, "lancer6238@yahoo.com" wrote:   
      
   > I am trying to decode ICMP packets, but have trouble parsing in   
   > the various fields. I'm using RedHat Enterprise Linux 5. I'm   
   > reading from a pcap file that has 8 ping requests and 8 ping   
   > replies.   
   >   
   > Here is (relevant) part of my code:   
   >   
   > #define SIZE_ETHERNET 14   
   > #define SIZE_IP_HDR 20 // I am sure there are no IP options   
   >   
   > #include    
   >   
   > void process_packet(u_char *user, const struct pcap_pkthdr   
   > *header, const u_char *packet)   
   > {   
   > struct ip *ip;   
   > struct icmp *icmp;   
   >   
   > ip = (struct ip *)(packet + SIZE_ETHERNET);   
   > if (ip->ip_p == IPPROTO_ICMP)   
   > {   
   > icmp = (struct icmp*) (ip + SIZE_IP_HDR);   
      
   The start of the ICMP header is SIZE_IP_HDR bytes past the start of   
   the IP header, but this line doesn't set icmp to that place. It sets   
   it to SIZE_IP_HDR * sizeof(struct ip) bytes beyond ip. The place you   
   want is at:   
      
    packet + SIZE_IP_HDR + SIZE_ETHERNET   
      
   so you could just use:   
      
    icmp = (struct icmp*) (packet + SIZE_IP_HDR + SIZE_ETHERNET);   
      
   or   
      
    icmp = (struct icmp*) (ip + 1);   
      
   to step past *1* ip header.   
      
   > printf("%x %d\n", icmp[0], icmp->icmp_type);   
   > }   
   > }   
      
   Dave   
      
   --   
   D.a.v.i.d T.i.k.t.i.n   
   t.i.k.t.i.n [at] a.d.v.a.n.c.e.d.r.e.l.a.y [dot] c.o.m   
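
The pointer-scaling point from the reply above, as an added example that is not part of the original thread: it measures how far `ip + SIZE_IP_HDR` really moves, then locates the ICMP header by byte offset using the IP header-length field and the captured length. The `struct ip20` stand-in, the function names and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_ETHERNET 14
#define SIZE_IP_HDR   20   /* minimum IPv4 header, no options */
#define ICMP_HDR_LEN  8
struct ip20 { uint8_t b[SIZE_IP_HDR]; };   /* stand-in for struct ip; only its size matters */

/* Bytes that "ip + SIZE_IP_HDR" really advances: the count is scaled by sizeof(*ip). */
static size_t scaled_step(void)
{
    struct ip20 hdrs[SIZE_IP_HDR + 1];
    struct ip20 *ip = hdrs;
    return (size_t)((uint8_t *)(ip + SIZE_IP_HDR) - (uint8_t *)ip);
}

/* Offset of the ICMP header, or -1 if not IPv4/ICMP or capture too short; uses IHL, not a fixed 20. */
static long icmp_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < SIZE_ETHERNET + SIZE_IP_HDR) return -1;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return -1;      /* EtherType must be IPv4 */
    const uint8_t *ip = pkt + SIZE_ETHERNET;                /* byte pointer: + counts bytes */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < SIZE_IP_HDR) return -1;
    if (ip[9] != 1) return -1;                              /* protocol 1 = ICMP */
    if (caplen < SIZE_ETHERNET + ihl + ICMP_HDR_LEN) return -1;
    return (long)(SIZE_ETHERNET + ihl);
}

/* ICMP type byte, or -1 when icmp_offset() rejects the frame. */
static int icmp_type(const uint8_t *pkt, size_t caplen)
{
    long off = icmp_offset(pkt, caplen);
    return off < 0 ? -1 : pkt[off];
}

/* Constructed sample: Ethernet + IPv4 (IHL 5) + ICMP echo request, 42 bytes. */
static const uint8_t sample[42] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0,0,0x1c, 0,0x01,0,0, 0x40,0x01,0,0, 192,0,2,1, 192,0,2,2,
    0x08,0,0xf7,0xfd, 0,0x01,0,0x01
};

int main(void)
{
    printf("step=%zu off=%ld type=%d\n", scaled_step(), icmp_offset(sample, sizeof sample), icmp_type(sample, sizeof sample));
    return 0;
}
```

In a pcap callback the second argument would be `header->caplen`, so a truncated capture is rejected instead of read past its end.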
      