I wrote a small application to try to display the protocol headers of captured packets. All my packets are captured with libpcap's pcap_loop. The way my program works is as follows: I wrote my own headers based on the structures defined in if_ether.h, ip.h and tcp.h. pcap_loop sets a char pointer to the beginning of the packet, and I then step through the packet, casting to the appropriate structure each time, and incrementing the pointer by the size of the header. Now it's important to remember my question isn't code specific; my code works but there are logical flaws I don't understand. Keep in mind my packets are sent over the same machine, different port (I wrote a tiny Python server that I send data to with telnet):
1. The Ethernet header doesn't display anything that looks correct when packets are sent over localhost (when I use my program on internet packets, MAC addresses are displayed correctly though).
2. Through trial and error, I've determined that the structure iphdr starts exactly 16 bytes after the start of the packet buffer, as opposed to the expected 14 bytes, the size of the Ethernet header.
Those observations lead me to ask the following questions: When packets are sent over localhost, do we use another protocol on layer 2? Is there anything at all that separates the packet headers? Are the iphdr and tcphdr structures defined in ip.h and tcp.h obsolete?
There really isn't a layer 2 protocol, as there's no real network adapter.
However, there are fake layer 2 headers provided to programs that capture traffic. What fake headers are provided are operating-system-dependent.
On Linux, the fake layer 2 headers are fake Ethernet headers.
On *BSD, OS X, iOS, and, I think, Solaris 11, they're either DLT_NULL or DLT_LOOP headers, as described in the list of libpcap/WinPcap/pcap/pcap-ng link-layer header types.
However, if you're capturing on the "any" device, the headers are DLT_LINUX_SLL headers, which are 16 bytes long.
If you are using pcap or any pcap wrapper, you MUST, without exception, call pcap_datalink(), or the wrapper's equivalent, before trying to parse any packets you capture or read from a savefile. You MUST NOT assume the packets will have ANY particular link-layer header type.