
I'm fairly new to the C programming language and packet capturing. Right now I'm writing a simple program (using Visual Studio 2010 Express) to decode a packet trace capture file. I read a number of guides, but most of them are for Linux/Unix. I managed to include the wpcap libraries, but now I need the structs defined in the system that are intended to make decoding Internet packet headers easier.

struct ether_header in /usr/include/sys/ethernet.h
struct in_addr in /usr/include/netinet/in.h
struct ip in /usr/include/netinet/ip.h
struct udphdr in /usr/include/netinet/udp.h
struct tcphdr in /usr/include/netinet/tcp.h

Up until now I understood that winsock2 must be included for in.h, but what about ethernet, ip, tcp/udp? What should I do to manage decoding related to these headers? Is it the same Winsock? If it is, where could I find a simple explanation of what methods to use?

OS: Win 7

Medardas
    Is the question about capturing or about decoding the contents of an existing dump file? ... title suggests the former, text the latter. – 0xC0000022L Nov 23 '11 at 21:57
  • I just want to know what I should use instead of those header files I typed here – Medardas Nov 23 '11 at 22:10

3 Answers

4

Actually, most of those headers were originally intended to make writing the BSD kernel networking stack easier, not to make decoding packet headers in sniffers easier; they're present for user programs in part for historical reasons.

I'd suggest getting the source to recent versions of tcpdump or WinDump and making your own copies of the corresponding header files in it; the ether.h, ip.h, udp.h, and tcp.h files from tcpdump/WinDump are taken from BSD-derived operating systems so that tcpdump/WinDump don't have to depend on the operating system supplying those headers or on it supplying particular versions of those headers (not all of the operating systems on which tcpdump/WinDump can run supply versions that work well with tcpdump/WinDump, with some of them requiring special hackery for tcpdump and some others not supplying them at all - Windows, for example, doesn't supply them at all, as you've discovered).

You can get the tcpdump source from tcpdump.org, and the WinDump source from winpcap.org (look under "WinDump 3.9.5 Source Code Download"). The WinDump source is in a ZIP file rather than a gzipped tar file, so it might be easier to unpack on Windows, and might have Windows CR-LF line endings rather than UN*X LF line endings, so you might want to try the WinDump versions.
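A worked example of the "make your own copies of the headers" approach, added here and not part of this answer or of the tcpdump/WinDump sources: the struct names (eth_hdr, ipv4_hdr, udp_hdr, decoded_frame), the parser and the sample frame are all constructed for illustration. Instead of overlaying BSD-style structs on the raw bytes, it copies each field out with explicit big-endian readers and checks every length against pcap's caplen, so it builds with plain C on Windows or Unix without winsock2.h or any netinet header:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN   14
#define ETHERTYPE_IPV4  0x0800
#define IP_PROTO_UDP    17
#define UDP_HDR_LEN     8

/* Hypothetical struct names: host-order copies of the wire fields, filled by
   the parser below rather than overlaid on the packet bytes, so struct
   padding and alignment never matter. */
struct eth_hdr  { uint8_t dst[6]; uint8_t src[6]; uint16_t ethertype; };
struct ipv4_hdr { uint8_t version; uint8_t hdr_len; uint8_t ttl; uint8_t protocol;
                  uint16_t total_len; uint32_t src; uint32_t dst; };
struct udp_hdr  { uint16_t sport; uint16_t dport; uint16_t length; uint16_t checksum; };
struct decoded_frame {
    struct eth_hdr eth; struct ipv4_hdr ip; struct udp_hdr udp;
    const uint8_t *payload; size_t payload_len;
};

/* Big-endian readers: the wire is network byte order whatever the host is. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode Ethernet -> IPv4 -> UDP. 'caplen' is the number of bytes actually
   captured (pcap's caplen), which may be shorter than the packet on the wire,
   so every field is bounds-checked against it. Returns 0 on success or a
   negative code naming the layer that was malformed or truncated. */
int decode_eth_ipv4_udp(const uint8_t *buf, size_t caplen, struct decoded_frame *out)
{
    const uint8_t *ip, *udp;
    size_t remaining, ip_payload;

    if (caplen < ETHER_HDR_LEN) return -1;
    memcpy(out->eth.dst, buf, 6);
    memcpy(out->eth.src, buf + 6, 6);
    out->eth.ethertype = be16(buf + 12);
    if (out->eth.ethertype != ETHERTYPE_IPV4) return -2;

    ip = buf + ETHER_HDR_LEN;
    remaining = caplen - ETHER_HDR_LEN;
    if (remaining < 20) return -3;
    out->ip.version = ip[0] >> 4;
    out->ip.hdr_len = (uint8_t)((ip[0] & 0x0f) * 4);   /* IHL counts 32-bit words */
    if (out->ip.version != 4 || out->ip.hdr_len < 20 || out->ip.hdr_len > remaining) return -4;
    out->ip.total_len = be16(ip + 2);
    if (out->ip.total_len < out->ip.hdr_len || out->ip.total_len > remaining) return -5;
    out->ip.ttl = ip[8];
    out->ip.protocol = ip[9];
    out->ip.src = be32(ip + 12);
    out->ip.dst = be32(ip + 16);
    if (out->ip.protocol != IP_PROTO_UDP) return -6;

    udp = ip + out->ip.hdr_len;                       /* skips any IP options */
    ip_payload = out->ip.total_len - out->ip.hdr_len;
    if (ip_payload < UDP_HDR_LEN) return -7;
    out->udp.sport = be16(udp);
    out->udp.dport = be16(udp + 2);
    out->udp.length = be16(udp + 4);
    out->udp.checksum = be16(udp + 6);
    if (out->udp.length < UDP_HDR_LEN || out->udp.length > ip_payload) return -8;
    out->payload = udp + UDP_HDR_LEN;
    out->payload_len = out->udp.length - UDP_HDR_LEN;
    return 0;
}

/* Dotted-quad formatting without inet_ntoa, so no winsock/arpa dependency. */
void ipv4_to_str(uint32_t addr, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(addr >> 24) & 0xff, (unsigned)(addr >> 16) & 0xff,
             (unsigned)(addr >> 8) & 0xff, (unsigned)addr & 0xff);
}

/* Constructed sample: one broadcast Ethernet frame carrying an IPv4/UDP
   datagram from 192.168.1.10:50000 to 192.168.1.1:53 with payload "hello".
   Checksums are left as zero; this decoder does not verify them. */
const uint8_t SAMPLE_FRAME[] = {
    /* Ethernet: dst, src, EtherType 0x0800 */
    0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x11,0x22,0x33,0x44,0x55,  0x08,0x00,
    /* IPv4: version 4, IHL 5, total length 33, TTL 64, protocol 17 (UDP) */
    0x45,0x00, 0x00,0x21, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,
    0xc0,0xa8,0x01,0x0a,  0xc0,0xa8,0x01,0x01,
    /* UDP: sport 50000, dport 53, length 13, checksum 0 */
    0xc3,0x50, 0x00,0x35, 0x00,0x0d, 0x00,0x00,
    'h','e','l','l','o'
};

int main(void)
{
    struct decoded_frame f;
    char src[16], dst[16];
    int rc = decode_eth_ipv4_udp(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &f);
    if (rc != 0) { printf("decode failed: %d\n", rc); return 1; }
    ipv4_to_str(f.ip.src, src);
    ipv4_to_str(f.ip.dst, dst);
    printf("%s:%u -> %s:%u ttl=%u payload=%u bytes\n", src, (unsigned)f.udp.sport, dst,
           (unsigned)f.udp.dport, (unsigned)f.ip.ttl, (unsigned)f.payload_len);
    return 0;
}
```

In a real capture loop you would pass `pkt_data` and `header->caplen` from `pcap_next_ex` in place of the sample array. Copying fields out rather than casting the buffer to a packed struct is deliberate: a struct overlay needs compiler-specific packing pragmas, cannot tell you that the capture was cut short by the snaplen, and silently misreads the transport header when the IPv4 header carries options, which are the usual ways a packet decoder ends up reading past the end of its buffer.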

1

Even though you're working on Windows, as you're using libpcap you might get some mileage from Unix Network Programming Vol. 1 and TCP/IP Illustrated Vol. 1. You can buy these new or secondhand off Amazon Marketplace. This will explain the headers and other related items.

ConcernedOfTunbridgeWells
1

I only include these (in this order)

#include <winsock2.h>
#include <windows.h>

dashesy