How to get IP address from ICMP packets using jnetpcap

Question

I am using jnetpcap to analyze pcap files. I know how to get addresses when I encounter IP header

if(packet.hasHeader(ip)&&packet.hasHeader(tcp)&&tcp.flags_SYN())
        {       
        sIP = packet.getHeader(ip).source();
        sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP);

but I don't know how to get the address when I have the ICMP header. I tried this

else if(packet.hasHeader(icmp))
        {
        sIP=packet.getHeader(icmp).source();
        sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP);

but apparently, it isn't valid. Any ideas? Thank you in advance

UPDATE: I used

if(packet.hasHeader(ip, 1)) {
    sIP=ip.source();
    sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP);}

but I got an error:
Exception in thread "main" java.lang.NullPointerException at diplomatiki.Ex2.main(Ex2.java:83)

Line 83 contains the command:

 sIP=packet.getHeader(ip,1).source();

I tried to hit Mark's advice, and added

System.out.println(packet.getState().toDebugString());

I realized that the program got stuck on the third packet, so I tried to get what's in the fourth. This is what I got:

JMemory: JMemory@4b8838class org.jnetpcap.packet.JPacket$State: size=240 bytes
JMemory: owner=packet.JScanner.class(size=136528/offset=35128)
JPacket.State#004: sizeof(packet_state_t)=120
JPacket.State#004: sizeof(header_t)=40 and *3=120
JPacket.State#004:   pkt_header_map=0x16
JPacket.State#004:        pkt_flags=0x0
JPacket.State#004: pkt_header_count=3
JPacket.State#004:      pkt_wirelen=62
JPacket.State#004   : [  Protocol(ID/Flag) | Start | Prefix | Header | Gap | Payload | Postfix ]
JPacket.State#004[0]: [  ETHERNET( 1/0800) |     0 |      0 |     14 |   0 |      48 |       0 ]
JPacket.State#004[1]: [       IP4( 2/0800) |    14 |      0 |     20 |   0 |      28 |       0 ]
JPacket.State#004[2]: [       TCP( 4/0800) |    34 |      0 |     28 |   0 |       0 |       0 ]

Does it say anything to you?

Answer 1

Hi the correct usage is to use the packet.hasHeader(ip, 1). This will get second instance of IPv4 and binding it with the packet. Also note that your usage of getHeader is redundant. The hasHeader automatically binds the header to packet if the header exists.

i.e. if(packet.hasHeader(ip, 1)) { sIP=ip.source(); sourceIP = org.jnetpcap.packet.format.FormatUtils.ip(sIP); }

To help visualize and for debugging purposes and see exactly which headers have been dissected and are stored in the packet state table use the following code snippet to dump the contents:

System.out.println(packet.getState().toDebugString());

Hope this helps.

Answer 2

You are still using getHeader instance 1 where it doesn't exist (i.e. in 4th packet). Again, I would advise you to use hasHeader instead. Same result but does not throw null exceptions when the header instance does not exist. If you also need ICMP header then combine them on a single if() statement:

if(packet.hasHeader(ip, 1) && packet.hasHeader(icmp)) { sIP = ip.source(); }