UDP header length field is zero always while capturing sflow data from port 6343

Question

I am trying to capture the UDP sflow data from port 6343. I am trying to capture the UDP header information which provides source port, destination port, UDP header length and checksum. I am able to see the ports capturing, but the UDP and checksum fields are 0 and 1 respectively which means the UDP length is not calculated and checksum is also not calculated. Am I missing something here for UDP header length and checksum calculation ?? The following is my code which I use:

#include<stdio.h> //For standard things
#include<stdlib.h>    //malloc
#include<string.h>    //memset
#include<netinet/ip_icmp.h>   //Provides declarations for icmp header
#include<netinet/udp.h>   //Provides declarations for udp header
#include<netinet/tcp.h>   //Provides declarations for tcp header
#include<netinet/ip.h>    //Provides declarations for ip header
#include<sys/socket.h>
#include<arpa/inet.h>
#define PORT 6343
#define PCKT_LEN 65536

void handlepacket(unsigned char *, int);
int sockt;
int i,j;
struct sockaddr_in source,dest; 

int main()
{
    int saddr_size,data_size;
    struct sockaddr_in daddr;
    struct sockaddr_in saddr;
    //struct in_addr in;
    unsigned char *buffer = (unsigned char *)malloc(65536); // Its Big !     Malloc allocates a block of size bytes of memory,returning a pointer to the begining of the block

    struct udphdr *udph = (struct udphdr*)(buffer + sizeof(struct iphdr));


    printf("Starting...\n");
    //Create a raw socket that shall sniff
    sockt = socket(AF_INET ,SOCK_DGRAM ,0);
    if(sockt < 0)
    {
        printf("Socket Error\n");
        return 1;
    }
    memset((char *)&daddr,0,sizeof(daddr));

    //prepare the sockaddr_in structure
    daddr.sin_family = AF_INET;
    daddr.sin_addr.s_addr = INADDR_ANY;
    daddr.sin_port = htons(PORT);

    //Bind
    if(bind(sockt,(struct sockaddr *)&daddr, sizeof(daddr))<0)
    {
      printf("bind failed");
      return 1;
    }
    printf("bind done");

    while(1)
    {
        saddr_size = sizeof saddr;
        printf("waiting for data...");

        //Receive a packet
        data_size = recvfrom(sockt , buffer ,65536 , 0 , (struct sockaddr*)  &saddr , (socklen_t*)&saddr_size);
        if(data_size <0)
        {
            printf("Packets not recieved \n");
            return 1;
        }
        //Now process the packet
        handlepacket(buffer , data_size);


        printf("Packets arrived from %d \n",ntohs(daddr.sin_port));
        printf("Source Port : %d , Destination Port : %d \n", ntohs(udph->source), ntohs(udph->dest)); 

    }
    close(sockt);
    printf("Finished");
    return 0;
}

void handlepacket(unsigned char *buffer, int data_size)
{ 
    //IP header length
    struct iphdr *iph = (struct iphdr *)buffer;
    unsigned short iphdrlen = iph->ihl*4;
    // UDP header length
    struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);

    memset(&source,0,sizeof(source));
    source.sin_addr.s_addr = iph ->saddr;
    memset(&dest,0,sizeof(dest));
    dest.sin_addr.s_addr = iph->daddr;



    printf("UDP Length : %d , UDP checksum : %d \n",ntohs(udph->len), ntohs(udph->check));


}

Answer 1

When use create a socket of type AF_INET / SOCK_DGRAM, the operating system processes and IP and UDP headers and strips them off before passing them to you. What you see in buffer is what immediately follows the UDP header.

You're passed back the source IP and port via fifth parameter to the recvfrom function, and the payload length is passed back as the return value. If there is a problem with the UDP checksum, the OS would discard the packet and your application code would never see it, so it's not something you typically need to worry about on the application level.