-3

I am trying to write a packet sniffer in C. To identify ARP packets, I have defined a structure where the 16 bit integer gives me a hex value which I can compare with the library definition of ARP, i.e ETH_P_ARP from where I can confirm if the packet is ARP.

Structure:

struct ethernet {
unsigned char dest[6];
unsigned char source[6];
uint16_t eth_type;};

I want to do something similar for DHCP, but I am not able to identify it.

chinmay_dd
  • 21
  • 4
  • There are plenty of documentation and references about all major and minor protocols all over the Internet if you just search a little. The [Wikipedia entry](http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol) being a natural starting point. – Some programmer dude Apr 21 '15 at 07:16
  • But how do I uniquely identify it among all other protocols. The packet format does not reveal that it is DHCP. – chinmay_dd Apr 21 '15 at 07:17
  • Maybe you can't find anything because you're looking at the wrong layer. DHCP is an *application*-layer protocol. – Some programmer dude Apr 21 '15 at 07:21

1 Answers1

1

Look for UDP traffic between ports 67 (server) and 68 (client). See this Wikipedia entry for the packet encoding details.

unwind
  • 391,730
  • 64
  • 469
  • 606