Ethereal-users: Re: [Ethereal-users] ethernet src and dest addr - from where do they come in lin

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 09 Aug 2005 10:33:01 -0700
John Que wrote:


the "ethernet src and dest addr" (MAC addresses of Src and Dst: ) in
the sniffer - from where do they come in linux?
I suppose that there are from the sk_buff struct,
They come from the raw data in the packet as received by Ethereal (which is the case on *ALL* operating systems; the only exception is interfaces on which libpcap captures in "cooked mode" on Linux, but if you have MAC source and destination addresses, you're not capturing in cooked mode).
See packet_rcv in net/packet/af_packet.c in the kernel source. Note the code inside "if (dev->hard_header)", which, for that sk_buff, moves the "skb->data" pointer backwards, so that it includes the link-layer header in the raw packet data. 


but there in sk_buff a member called mac :
union { 
	  	struct ethhdr	*ethernet;
	  	unsigned char 	*raw;
	} mac;
That pointer is supposed to point to the link-layer header in the raw packet data.