Thread: PCAP parsing ethernet type

Hi, I'm working on a project where I'm parsing pcap files to check network statistics. However, I've come across a problem, the ethernet type seems to be coming up as random numbers. Here's some code snippets

#define ETH_ALEN 6


#pragma pack(1)
struct ether_header
{
u_char ether_dhost[ETH_ALEN]; /* destination eth addr */
u_char ether_shost[ETH_ALEN]; /* source ether addr */
u_short ether_type; /* packet type ID field */
};


...

struct ether_header *eptr;
while (packet = pcap_next(handle,&header))
{
eptr = (struct ether_header *)packet;
printf("ether type = %x\n", ntohs(eptr->ether_type));
}

The output I'm getting for this bit of code is something along the lines of

ether type = 3430
ether type = 230
ether type = 8f6
ether type = 3a34
ether type = 413f
ether type = 3848
ether type = 230
ether type = 3c9c
ether type = 3c9c
ether type = 4552
ether type = ffff
ether type = 230

Can anybody shed some light on what the problem here might be? I've tried with and without the pragma packing as well as attempting to access the data directly (with some pointer manipulation), none of which seems to work.

Thanks for any help

It could be a number of things. Are you sure pcap_next is reading exactly one pcap packet? If it's reading to little or too much, you will be misaligned on subsequent packets. Is it properly checking for errors on read? If a read from the file fails, you might be copying in bogus data from a temporary buffer. This is hard to determine without the rest of your code however.

If you can, run this through gdb. When you read out the packet using pcap_next, print it in hex by doing "p/x *packet@32" to print the first 32 bytes of packet in hex, then correlate this with a hex dump of your pcap file. You can also print out the info in eptr in a similar manner and make sure you don't have any alignment issues and that it interprets all the info correctly. This might help you narrow down where in the process the data is getting corrupted.