Version 1 (modified by perry, 6 years ago)
libtrace supports a variety of headers and can properly decode them and use them to find various parts of a packet.
Packet Metadata pseudo headers
These headers are added by the kernel (or capture software) to carry additional metadata about a packet.
How to get these headers: trace_get_meta() (libtrace 3.0.4+)
How to skip one of these headers: trace_get_payload_from_meta() (libtrace 3.0.4+)
This header is added by the Linux kernel on a variety of capture formats, and can be generated by libtrace internally when interoperating with libpcap. This header most notably contains a simple direction header.
This header is added by drivers when capturing radio frames. These frames contain data such as signal strength of the packet when it was captured.
Libtrace knows enough to skip this header when looking for a higher level protocol, but otherwise generally ignores it.
Layer two (link layer) headers
These are usually the first headers that are actually passed over the wire.
How to get these headers: trace_get_layer2() (libtrace 3.0.4+)
How to skip one of these headers: trace_get_payload_from_layer2() (libtrace 3.0.4+)
- 802.11 (aka Wifi)
- 802.3 (aka Ethernet II)
- ATM (Note: skipping the ATM header also skips the LLC/SNAP header that follows it)
Layer 2.5ish headers
These are headers that sit above layer 2, but below layer 3.
- MPLS (The payload type of MPLS is guessed from the first nibble of the payload)
Layer three (Network) headers
How to get these headers: trace_get_layer3()
- IPv4 (also trace_get_ip(), trace_get_payload_from_ip())
- IPv6 (also trace_get_ip6(), trace_get_payload_from_ip6())
When skipping IPv4/IPv6 headers, libtrace will also skip over an IPv6 header tunnelled in an IPv4 packet (as with 6to4).
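The two skipping rules above (the MPLS first-nibble guess and stepping through IPv6 tunnelled in IPv4) can be sketched with explicit bounds checks as follows. This is an added example, not libtrace's own code: the function names, the enum and the sample bytes are constructed for illustration, and IPv6 extension headers are deliberately not handled.

```c
#include <stddef.h>
#include <stdint.h>

enum { GUESS_TRUNCATED = -1, GUESS_UNKNOWN = 0, GUESS_IPV4 = 4, GUESS_IPV6 = 6 };

/* Walk an MPLS label stack (4 bytes per entry, S flag = low bit of the
 * third byte) and guess the payload type from the payload's first nibble. */
int mpls_guess_payload(const uint8_t *buf, size_t len, size_t *payload_off)
{
    size_t off = 0;
    int bottom = 0;
    while (!bottom) {
        if (len - off < 4) return GUESS_TRUNCATED;  /* entry past capture */
        bottom = buf[off + 2] & 0x01;
        off += 4;
    }
    if (off >= len) return GUESS_TRUNCATED;         /* no payload byte */
    *payload_off = off;
    switch (buf[off] >> 4) {
    case 4:  return GUESS_IPV4;
    case 6:  return GUESS_IPV6;
    default: return GUESS_UNKNOWN;  /* heuristic only: validate the header */
    }
}

/* Offset of the transport header, stepping through an IPv6 header tunnelled
 * in IPv4 (protocol 41, as with 6to4). Returns -1 if malformed or truncated. */
long ip_transport_offset(const uint8_t *buf, size_t len, uint8_t *proto)
{
    size_t off = 0;
    if (len >= 20 && (buf[0] >> 4) == 4) {
        size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
        if (ihl < 20 || ihl > len) return -1;       /* bad header length */
        *proto = buf[9];
        off = ihl;
        if (*proto != 41) return (long)off;         /* not a tunnel */
    }
    if (len - off < 40 || (buf[off] >> 4) != 6) return -1;
    *proto = buf[off + 6];                          /* IPv6 next header */
    return (long)(off + 40);
}

/* Constructed sample: two MPLS entries (S set on the second), then 0x45. */
const uint8_t sample_mpls[] = {0x00,0x01,0x20,0x40, 0x00,0x02,0x21,0x40, 0x45};

int main(void)
{
    size_t off;
    return mpls_guess_payload(sample_mpls, sizeof sample_mpls, &off) != GUESS_IPV4;
}
```

Because the nibble check is only a guess, a non-IP MPLS payload that happens to start with 4 or 6 is misclassified, so the guessed header should be validated before its fields are trusted.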
Protocols that run over IPv4 and IPv6.
How to get these headers: trace_get_transport()
- TCP (also trace_get_tcp())
- UDP (also trace_get_udp())
- ICMP (also trace_get_icmp(); while libtrace can look inside an ICMP packet, it won't skip into one when looking for another header)