How can I parse an ethernet packet using libpcap?

Question

I'm using libpcap in C++ for reading packets from pcap files, e.g.:

rc = pcap_next_ex((pcap_t*)handle, &header, (const unsigned char**)packet);

I would like to parse the packets header (without the payload).

For example, how can I parse a given packet in order to extract its source and destintation ip addresses?

thanks

Answer 1

Checkout the code sample for libpcap http://www.tcpdump.org/pcap.html

In the got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet); function you have a pointer *packet that points to the start of the packet. For parsing the ethernet headers you just need to use the corresponding pointer

ethernet = (struct sniff_ethernet*)(packet);

For IP layer

ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);

If you want to parse other protocols, you just need to define your own structures. If you want (or do not want) to parse the payload then you can (or not) define a pointer to the start of the payload.