arunpushkar
February 11th, 2013, 11:43 AM
I have made an packet capture application running on intel machine, it is capturing packets with src address- 17.0.0.0 destination ip- 66.0.0.0, source port- 0, destination port- 0, and protocol- 0 what does these packets mean ?
The code written to interpreter captured bytes is given below. Which basically locate source address, destination address, source port, destination port, and protocol from various headers from packet captured. After it is done then only TCP and UDP packets are stored into a file. so it means only those packets having protocol number 6,17 should be saved but when i go through the file the packets with protocol 0,20,255,100,8,66 are also saved more over strange IP address are also seen like.2.8.2.8, 17.0.0.0, 66.0.0.0, 0.0.0.0 etc what are these packets, am i correct in my approach.
inline u_int32_t hash_function(const u_char *packet, int pkt_len) { u_int32_t hash=0; u_int8_t next_protocol; u_int32_t src_ip,dst_ip; u_short src_p,dst_p; unsigned short ip_hdr_len; // Checking if it is a IPv4 or IPv6 packet struct ether_header *eptr; /* net/ethernet.h */ eptr = (struct ether_header *) packet; if (ntohs (eptr->ether_type) == ETHERTYPE_IP) // means it is IPv4 pkt { struct iphdr *ip4h = (struct iphdr *)(packet + sizeof(struct ethhdr) ); ip_hdr_len =ip4h->ihl*4; next_protocol=ip4h->protocol; pktFeatures.src_ip=ntohl(ip4h->saddr); pktFeatures.dst_ip=ntohl(ip4h->daddr); pktFeatures.pkt_len=pkt_len; switch (next_protocol) //Check the Protocol and do accordingly... { case 6: //TCP Protocol { struct tcphdr *tcph=(struct tcphdr*)(packet + ip_hdr_len + sizeof(struct ethhdr)); pktFeatures.src_p=ntohs(tcph->th_sport); pktFeatures.dst_p=ntohs(tcph->th_dport); pktFeatures.protocol=next_protocol; writeBytes((char *)&pktFeatures,sizeof(struct packet_features),WRITE_TO_FILE); } break; case 17: //UDP Protocol { struct udphdr *udph = (struct udphdr*)(packet + ip_hdr_len + sizeof(struct ethhdr)); pktFeatures.src_p=ntohs(udph->uh_sport); pktFeatures.dst_p=ntohs(udph->uh_sport); pktFeatures.protocol=next_protocol; writeBytes((char *)&pktFeatures,sizeof(struct packet_features),WRITE_TO_FILE); } break; default: //Some Other Protocol like ARP FTP etc. { printf(" * Some Other Protocol \n"); } } int rm=0; }/*else if (ntohs (eptr->ether_type) == ETHERTYPE_IPV6) // means it is IPv6 pkt { u_int32_t *s, *d; struct ip6_hdr *ip6h = (struct ip6_hdr *)(packet + sizeof(struct ethhdr) ); ip_hdr_len=320; next_protocol=ip6h->ip6_un1_nxt; // is the next protocol type s = (u_int32_t *) &ip6h->ip6_src, d = (u_int32_t *) &ip6h->ip6_dst; hash=(s[0] + s[1] + s[2] + s[3] + d[0] + d[1] + d[2] + d[3]+ip6h->ip6_un1_nxt); // ip6_un1_nxt is the next protocol type TCP/UDP can be extention header ? need to be catered for }else hash=0; */ return hash; }
The code written to interpreter captured bytes is given below. Which basically locate source address, destination address, source port, destination port, and protocol from various headers from packet captured. After it is done then only TCP and UDP packets are stored into a file. so it means only those packets having protocol number 6,17 should be saved but when i go through the file the packets with protocol 0,20,255,100,8,66 are also saved more over strange IP address are also seen like.2.8.2.8, 17.0.0.0, 66.0.0.0, 0.0.0.0 etc what are these packets, am i correct in my approach.
inline u_int32_t hash_function(const u_char *packet, int pkt_len) { u_int32_t hash=0; u_int8_t next_protocol; u_int32_t src_ip,dst_ip; u_short src_p,dst_p; unsigned short ip_hdr_len; // Checking if it is a IPv4 or IPv6 packet struct ether_header *eptr; /* net/ethernet.h */ eptr = (struct ether_header *) packet; if (ntohs (eptr->ether_type) == ETHERTYPE_IP) // means it is IPv4 pkt { struct iphdr *ip4h = (struct iphdr *)(packet + sizeof(struct ethhdr) ); ip_hdr_len =ip4h->ihl*4; next_protocol=ip4h->protocol; pktFeatures.src_ip=ntohl(ip4h->saddr); pktFeatures.dst_ip=ntohl(ip4h->daddr); pktFeatures.pkt_len=pkt_len; switch (next_protocol) //Check the Protocol and do accordingly... { case 6: //TCP Protocol { struct tcphdr *tcph=(struct tcphdr*)(packet + ip_hdr_len + sizeof(struct ethhdr)); pktFeatures.src_p=ntohs(tcph->th_sport); pktFeatures.dst_p=ntohs(tcph->th_dport); pktFeatures.protocol=next_protocol; writeBytes((char *)&pktFeatures,sizeof(struct packet_features),WRITE_TO_FILE); } break; case 17: //UDP Protocol { struct udphdr *udph = (struct udphdr*)(packet + ip_hdr_len + sizeof(struct ethhdr)); pktFeatures.src_p=ntohs(udph->uh_sport); pktFeatures.dst_p=ntohs(udph->uh_sport); pktFeatures.protocol=next_protocol; writeBytes((char *)&pktFeatures,sizeof(struct packet_features),WRITE_TO_FILE); } break; default: //Some Other Protocol like ARP FTP etc. { printf(" * Some Other Protocol \n"); } } int rm=0; }/*else if (ntohs (eptr->ether_type) == ETHERTYPE_IPV6) // means it is IPv6 pkt { u_int32_t *s, *d; struct ip6_hdr *ip6h = (struct ip6_hdr *)(packet + sizeof(struct ethhdr) ); ip_hdr_len=320; next_protocol=ip6h->ip6_un1_nxt; // is the next protocol type s = (u_int32_t *) &ip6h->ip6_src, d = (u_int32_t *) &ip6h->ip6_dst; hash=(s[0] + s[1] + s[2] + s[3] + d[0] + d[1] + d[2] + d[3]+ip6h->ip6_un1_nxt); // ip6_un1_nxt is the next protocol type TCP/UDP can be extention header ? need to be catered for }else hash=0; */ return hash; }