Thread: Packet data extraction

  1. #1
    Registered User
    Join Date
    Aug 2011
    Posts
    6

    Packet data extraction

    I'm doing an Ethernet-based project wherein I receive UDP packets over the network. I have to basically strip off the first 42 bytes (i.e., the Ethernet, IP and UDP headers) and retain the rest (which contains another header and the payload data). I have the code for the packet analyzer to capture the packets, but I don't need the entire packet, as mentioned above. The code is in C.
    So if anyone can help, please do let me know how I can proceed. I can't use something like Wireshark, as there is loss of packets (tried and tested). Hence I was using another sniffer.

  2. #2
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    If you're using sendto() and recvfrom() the header information is handled automatically by the sockets library. Your application sees only the user data portion of the datagram.

  3. #3
    Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  4. #4
    1337
    Join Date
    Jul 2008
    Posts
    135
    Quote Originally Posted by shinpin View Post
    I'm doing an Ethernet-based project wherein I receive UDP packets over the network. I have to basically strip off the first 42 bytes (i.e., the Ethernet, IP and UDP headers) and retain the rest (which contains another header and the payload data). I have the code for the packet analyzer to capture the packets, but I don't need the entire packet, as mentioned above. The code is in C.
    So if anyone can help, please do let me know how I can proceed. I can't use something like Wireshark, as there is loss of packets (tried and tested). Hence I was using another sniffer.
    The socket library will automatically do this for you. You do not have to strip. But from what you are saying, it seems that you are using raw sockets. Check this out: http://en.wikipedia.org/wiki/User_Datagram_Protocol. You could strip out all the headers based on the number of bytes.

  5. #5
    Registered User
    Join Date
    Aug 2011
    Posts
    6
    Quote Originally Posted by CommonTater View Post
    If you're using sendto() and recvfrom() the header information is handled automatically by the sockets library. Your application sees only the user data portion of the datagram.
    Hey, no, I'm not using the functions sendto() or recvfrom(). I'm using a packet capture software and have downloaded its code to receive the packets. There is no packet loss and also the code doesn't have the sys/socket.h library included, and yet it works perfectly.
    I tried separately using the recvfrom() function but it gave me no output. Nothing was displayed.
    So probably I've gone wrong somewhere, please do let me know.
    Thanks.

  6. #6
    Registered User
    Join Date
    Aug 2011
    Posts
    6
    Quote Originally Posted by valthyx View Post
    The socket library will automatically do this for you. You do not have to strip. But from what you are saying, it seems that you are using raw sockets. Check this out User Datagram Protocol - Wikipedia, the free encyclopedia. You could strip out all the headers based on the number of bytes.
    So what you're saying is that I should store the packets that I receive in a buffer and then remove the number of bytes that I need to?

  7. #7
    1337
    Join Date
    Jul 2008
    Posts
    135
    Quote Originally Posted by shinpin View Post
    So what you're saying is that I should store the packets that I receive in a buffer and then remove the number of bytes that I need to?
    That is one way. However, programmers normally use the "struct" defined in the header files for extracting the data. You could first strip the ethernet header, then ip header, then transport layer. I am not very sure where the "struct" is defined in linux, socket.h? or maybe packet.h.
    Code:
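    #include <linux/if_ether.h>  /* struct ethhdr */
    #include <netinet/ip.h>      /* struct iphdr */
    #include <netinet/tcp.h>     /* struct tcphdr */
    struct ethhdr *eHeader;
    struct iphdr *ipHeader;
    struct tcphdr *tcpHeader;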
    You have to include the right header before using the above headers.

  8. #8
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by shinpin View Post
    Hey, no, I'm not using the functions sendto() or recvfrom(). I'm using a packet capture software and have downloaded its code to receive the packets. There is no packet loss and also the code doesn't have the sys/socket.h library included, and yet it works perfectly.
    I tried separately using the recvfrom() function but it gave me no output. Nothing was displayed.
    So probably I've gone wrong somewhere, please do let me know.
    Thanks.
    Try again... There's no reason to mess with raw sockets and other people's code when you have something as simple as recvfrom() to work with... The reason nothing was displayed is that recvfrom() receives the datagram into memory...if you want to see it, use printf() or puts().

  9. #9
    Registered User
    Join Date
    Aug 2011
    Posts
    6
    Quote Originally Posted by valthyx View Post
    That is one way. However, programmers normally use the "struct" defined in the header files for extracting the data. You could first strip the ethernet header, then ip header, then transport layer. I am not very sure where the "struct" is defined in linux, socket.h? or maybe packet.h.
    Code:
    struct ethhdr *eHeader;
    struct iphdr *ipHeader;
    struct tcphdr *tcpHeader;
    You have to include the right header before using the above headers.
    Alright, thanks a lot. I'll try that out.

  10. #10
    Registered User
    Join Date
    Aug 2011
    Posts
    6
    Quote Originally Posted by CommonTater View Post
    Try again... There's no reason to mess with raw sockets and other people's code when you have something as simple as recvfrom() to work with... The reason nothing was displayed is that recvfrom() receives the datagram into memory...if you want to see it, use printf() or puts().
    Yes, I have used printf. This is the code.

    Code:
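    #include <stdio.h>
    #include <stdlib.h>
    #include <strings.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    int main()
    {
            int sock;
            socklen_t addr_len;
            int bytes_read;
            char recv_data[1024];
            struct sockaddr_in server_addr, client_addr;

            /* UDP socket: the kernel strips the Ethernet, IP and UDP headers */
            if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
                perror("Socket");
                exit(1);
            }

            /* Listen on port 5000 on all local interfaces */
            server_addr.sin_family = AF_INET;
            server_addr.sin_port = htons(5000);
            server_addr.sin_addr.s_addr = INADDR_ANY;
            bzero(&(server_addr.sin_zero), 8);

            if (bind(sock, (struct sockaddr *)&server_addr,
                     sizeof(struct sockaddr)) == -1)
            {
                perror("Bind");
                exit(1);
            }

            addr_len = sizeof(struct sockaddr);

            printf("\nUDPServer Waiting for client on port 5000");
            fflush(stdout);

            while (1)
            {
                /* Blocks until a datagram arrives; only the user data is returned */
                bytes_read = recvfrom(sock, recv_data, 1024, 0,
                                      (struct sockaddr *)&client_addr, &addr_len);

                /* bytes_read is used as an index without checking for -1 or 1024 */
                recv_data[bytes_read] = '\0';

                printf("\n(%s , %d) said : ", inet_ntoa(client_addr.sin_addr),
                                             ntohs(client_addr.sin_port));
                printf("%s", recv_data);
                fflush(stdout);
            }
            return 0;
    }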

  11. #11
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    So what's the problem with that? Is there something in there that's not working?

  12. #12
    Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    Well apart from the potential buffer overflow and underflow issues.

    Code:
              bytes_read = recvfrom(sock,recv_data,sizeof(recv_data)-1,0,  // prevent overflow
                            (struct sockaddr *)&client_addr, &addr_len);
          
          if ( bytes_read <= 0 ) break; // prevent underflow
          recv_data[bytes_read] = '\0';

  13. #13
    Registered User
    Join Date
    Aug 2011
    Posts
    6
    Quote Originally Posted by CommonTater View Post
    So what's the problem with that? Is there something in there that's not working?
    Okay, I just figured out something. This packet capture mechanism does not use the regular BSD sockets. It uses the library libpcap and some ring-buffering mechanism. So I don't think I can use something like recvfrom() and other socket stuff.

    So I just want to strip off the first 42 bytes and retain the rest. How could I do that? If you have any code samples that I could see or any other inputs, that would really help.
    I can't use any other way to capture the packets, as there is a lot of packet slip. This mechanism is very efficient that way, since I'm hardly facing any such loss.
    Thanks in advance

  14. #14
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by shinpin View Post
    Okay, I just figured out something. This packet capture mechanism does not use the regular BSD sockets. It uses the library libpcap and some ring-buffering mechanism. So I don't think I can use something like recvfrom() and other socket stuff.

    So I just want to strip off the first 42 bytes and retain the rest. How could I do that? If you have any code samples that I could see or any other inputs, that would really help.
    I can't use any other way to capture the packets, as there is a lot of packet slip. This mechanism is very efficient that way, since I'm hardly facing any such loss.
    Thanks in advance
    So in other words you're trying to read packets that aren't yours to read?

  15. #15
    MK27
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by CommonTater View Post
    So in other words you're trying to read packets that aren't yours to read?
    That's what libpcap is for, in a sense. However, if that "sense" is to imply this is nothing but mischief, then keep in mind there are many more commonplace and legitimate reasons to do this than there are mischievous ones (and you don't have to bother writing your own prog for that anyway). After all, the network layer is built on top of this (the data-link layer) and that's programmed by somebody...and it can present issues and complications which require observation or resolution on that data-link lower level.

    @shinpin: If there is a good reason for you to be using pcap to do this (such as that's the assignment), then fine. But don't confuse it with the higher level "socket" layer or try to use socket API stuff with it. Have you seen this yet?

    Programming with pcap

    A good intro/tutorial about using libpcap.

    However, if the reason you are using this pcap based thing is because you thought that was the best idea, think again. Use the socket API!
    Last edited by MK27; 08-09-2011 at 07:42 AM.
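
Added example (not code from any poster in this thread): a bounds-checked version of the "strip the first 42 bytes" step for a frame captured below the socket layer. It goes slightly beyond the thread by reading the IP header length from the packet instead of assuming 20 bytes; `udp_payload`, `make_frame` and `demo_offset` are hypothetical names and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return the UDP payload inside an untagged Ethernet II / IPv4 / UDP frame, or NULL.
 * caplen = bytes actually captured (pcap_pkthdr.caplen when using libpcap). */
const uint8_t *udp_payload(const uint8_t *f, size_t caplen, size_t *out_len)
{
    if (caplen < 14 + 20 + 8) return NULL;            /* 42 is the minimum, not a constant */
    if (f[12] != 0x08 || f[13] != 0x00) return NULL;  /* EtherType 0x0800 = IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;          /* IP header: 20 to 60 bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20) return NULL;
    if (ip[9] != 17 || (ip[6] & 0x1F) || ip[7]) return NULL; /* UDP only, no later fragments */
    if (caplen < 14 + ihl + 8) return NULL;
    const uint8_t *udp = ip + ihl;
    size_t ulen = ((size_t)udp[4] << 8) | udp[5];     /* UDP length, header included */
    if (ulen < 8 || 14 + ihl + ulen > caplen) return NULL;
    *out_len = ulen - 8;                              /* excludes any Ethernet padding */
    return udp + 8;
}

/* Constructed sample input: zero-filled frame with only the parsed fields set. */
size_t make_frame(uint8_t *buf, size_t ihl, const char *data, size_t n)
{
    size_t len = 14 + ihl + 8 + n;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;                   /* EtherType */
    buf[14] = (uint8_t)(0x40 | (ihl / 4)); buf[23] = 17; /* version/IHL, protocol */
    buf[14 + ihl + 4] = (uint8_t)((8 + n) >> 8); buf[14 + ihl + 5] = (uint8_t)(8 + n);
    memcpy(buf + 14 + ihl + 8, data, n);
    return len;
}

/* Payload offset in a constructed frame, or -1 if the parser rejects it. */
long demo_offset(size_t ihl, size_t caplen_cut)
{
    uint8_t frame[128];
    size_t n = 0, len = make_frame(frame, ihl, "hello", 5);
    const uint8_t *p = udp_payload(frame, len - caplen_cut, &n);
    return p ? (long)(p - frame) : -1;
}

int main(void)
{
    printf("%ld %ld %ld\n", demo_offset(20, 0), demo_offset(24, 0), demo_offset(20, 1));
    return 0;
}
```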
