
I have followed the code in here and fixed the issue with printing out the IP address. It worked perfectly when it read a captured file from my machine, and the results are the same as with tcpdump. However, when I read another pcap file (captured from the boundary router of a big network), it gives me totally different IP addresses. I found that this pcap contains VLAN tags in the Ethernet frames. How can I detect if a packet contains a VLAN header?

mazkopolo
  • Read the vlan spec to find out the header field values so that you can parse the packet? It will tell you that the ethertype of 802.1q is 0x8100. For QinQ 802.1ad it is 0x88A8. – kaylum Sep 01 '16 at 23:06

1 Answer


You'd have to examine the physical layer protocol (most likely Ethernet nowadays) and determine the Ethernet type (the 13th and 14th bytes of the Ethernet header). You can view an example list of possible Ethernet types here.

If the type is 0x0800 (IPv4) then everything should work as expected.

However, if the EtherType is 0x8100 (802.1Q), you'd have to extract the actual payload type from the VLAN header (the 17th and 18th bytes).

Here is some very crude code to bypass the upper layers, starting from a base address pointing at the beginning of the Ethernet frame:

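#include <stddef.h>     /* NULL */
#include <stdint.h>     /* uint16_t */
#include <string.h>     /* memcpy */
#include <arpa/inet.h>  /* ntohs */

char *get_ip_hdr(char *base) {

    // If frame is not Ethernet, return NULL

    // EtherType is at bytes 13-14; memcpy avoids an unaligned read
    uint16_t ether_type;
    memcpy(&ether_type, base + 12, sizeof ether_type);
    ether_type = ntohs(ether_type);
    if (ether_type == 0x0800) {
        // Untagged IPv4: payload follows the 14-byte Ethernet header
        return base + 14;
    } else if (ether_type == 0x8100) {
        // VLAN tag: the real EtherType is at bytes 17-18
        memcpy(&ether_type, base + 16, sizeof ether_type);
        ether_type = ntohs(ether_type);
        if (ether_type == 0x0800) {
            return base + 18;
        }
    }

    return NULL;
}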

Note: be wary of double VLAN tagging and take the necessary similar steps to skip it as well.

mshohayeb
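A bounds-checked generalization of the approach in the answer above, added here as an example and not part of the original post: it walks any stack of 802.1Q (0x8100) and 802.1ad (0x88A8) tags, checks every read against the captured length, and reports the VLAN IDs it skipped. The names `find_ipv4_offset` and `rd16` and the `MAX_VLAN_TAGS` limit of 4 are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN      14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN     4       /* TCI (2 bytes) + next EtherType (2 bytes) */
#define ETHERTYPE_IPV4   0x0800
#define ETHERTYPE_8021Q  0x8100  /* single VLAN tag */
#define ETHERTYPE_8021AD 0x88A8  /* QinQ outer tag */
#define MAX_VLAN_TAGS    4       /* assumed sanity limit on stacked tags */

/* Big-endian 16-bit read, byte by byte: no unaligned access. */
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Return the offset of the IPv4 header inside an Ethernet frame, or -1 if
 * the frame is truncated, not IPv4, or carries more than MAX_VLAN_TAGS tags.
 * caplen is the number of captured bytes (pcap_pkthdr.caplen in libpcap).
 * On success *n_tags is the tag count and vlan_ids holds the VLAN IDs,
 * outermost first; either pointer may be NULL. */
long find_ipv4_offset(const uint8_t *frame, size_t caplen,
                      uint16_t *vlan_ids, int *n_tags) {
    size_t off = ETH_HDR_LEN;
    int tags = 0;
    if (n_tags) *n_tags = 0;
    if (caplen < ETH_HDR_LEN) return -1;
    uint16_t type = rd16(frame + 12);
    while (type == ETHERTYPE_8021Q || type == ETHERTYPE_8021AD) {
        if (tags == MAX_VLAN_TAGS || caplen < off + VLAN_TAG_LEN) return -1;
        /* TCI follows the EtherType just matched; low 12 bits are the VID */
        if (vlan_ids) vlan_ids[tags] = rd16(frame + off) & 0x0FFF;
        type = rd16(frame + off + 2);   /* EtherType after this tag */
        off += VLAN_TAG_LEN;
        tags++;
    }
    if (n_tags) *n_tags = tags;
    if (type != ETHERTYPE_IPV4 || caplen < off + 20) return -1;
    return (long)off;
}

int main(void) {
    /* Constructed frame: zeroed MACs, one 802.1Q tag (VID 100), IPv4 inside */
    uint8_t f[38] = {0};
    f[12] = 0x81; f[13] = 0x00; f[15] = 100; f[16] = 0x08; f[17] = 0x00;
    uint16_t vid[MAX_VLAN_TAGS]; int n;
    long off = find_ipv4_offset(f, sizeof f, vid, &n);
    printf("ip offset=%ld tags=%d vid=%u\n", off, n, vid[0]);
    return 0;
}
```

In a libpcap callback, pass the packet pointer and `caplen` (not `len`), since a snapshot length shorter than the frame leaves the tail of the packet uncaptured.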