IP Header

Climuff Fischer

Oct 31, 2013, 7:21:26 PM
to libcr...@googlegroups.com
Hey.
I am trying to read out the IP header of some packets I am sniffing with my wlan device, which is in monitor mode. But how can I read out the header? Everything I have tried did not work.

At the moment my code looks like this:


#include <iostream>
#include <string>
#include <crafter.h>
/* Collapse namespaces */
using namespace std;
using namespace Crafter;

void PacketHandler(Packet* sniff_packet, void* user) {

  cout << "packet found! - " << sniff_packet->GetSize() << endl;

  RawLayer* raw_payload = sniff_packet->GetLayer<RawLayer>();
  if(raw_payload) {
    cout << "beep" << endl;
    IPLayer* ip_layer = sniff_packet->GetLayer<IPLayer>();
    cout << "[#] IP packet from source IP: " << ip_layer->GetDestinationIP() << endl;

  }
}

int main() {

  string iface = "mon0";

  Sniffer sniff("dst 225.4.5.6",iface,PacketHandler);

  sniff.Capture(-1);

  return 0;
}

I first tried the IP class instead of IPLayer, but that also did not work.

What am I doing wrong?

Esteban Pellegrino

Oct 31, 2013, 7:39:29 PM
to libcr...@googlegroups.com
One question: is the "packet found" legend printed? My guess is that you are sniffing a network which is encrypted (WEP or WPA)... The IP/TCP, etc. headers are not in plain text and you need to decrypt them. Or are you sniffing an open network?




Climuff Fischer

Oct 31, 2013, 7:42:55 PM
to libcr...@googlegroups.com
The "beep" is printed once, then the program "crashed", but without an error or anything else; it just terminated. I am sniffing my own wlan and the encryption is disabled, so I can see source IP and destination IP with Wireshark. In addition, look at my filter expression in the main function. It works, I only see the packets which are sent to 225.4.5.6. This would not be possible if the wlan were encrypted.

Esteban Pellegrino

Oct 31, 2013, 8:21:10 PM
to libcr...@googlegroups.com
Ah, yes. Well, the crash is because you are not checking the return value of sniff_packet->GetLayer<IPLayer>(); which is probably a NULL pointer, and you are dereferencing it later on the "cout" line. The returned pointer is NULL because there is no IPLayer from libcrafter's point of view. Current libcrafter doesn't support decoding of packets on an interface in monitor mode :(. The reason is that there are a wireless_80211 and a snap_header which are not supported by libcrafter.

But there is a workaround, because I did this in the past, although I can't find that code :-/. You should find the offset in the raw_payload where the IP layer begins, create another packet from that point, and decode it with libcrafter. Your code will look like this:

#include <iostream>
#include <string>
#include <crafter.h>
/* Collapse namespaces */
using namespace std;
using namespace Crafter;

void PacketHandler(Packet* sniff_packet, void* user) {
  cout << "packet found! - " << sniff_packet->GetSize() << endl;
  cout << "beep" << endl;

  /* .... You find here the offset to the IP layer ... */
  size_t ip_offset = 32;

  /* Get the raw data buffer */
  const byte* read_data = sniff_packet->GetRawPtr();
  size_t read_length = sniff_packet->GetSize();

  /* Frames shorter than the offset would make the unsigned subtraction below wrap around */
  if(read_length <= ip_offset) return;

  /*
   * Create a packet from the offset
   */
  Packet ip_pck(read_data + ip_offset, read_length - ip_offset, IP::PROTO);

  IP* ip_layer = ip_pck.GetLayer<IP>();
  if(ip_layer) {
    /* The archived post is truncated from here on; this body is an assumed completion */
    cout << "[#] IP packet to destination IP: " << ip_layer->GetDestinationIP() << endl;
  }
}
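
One way to compute the offset that the workaround above hard-codes as 32, as an added example that is not part of the thread and not libcrafter code: it walks an optional radiotap header, the 802.11 data header and the LLC/SNAP header with a bounds check at each step. The names find_ipv4_offset, has_radiotap and sample_frame are hypothetical, and it assumes the driver inserts no padding between the 802.11 header and the LLC header.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Offset of the IPv4 header in a monitor-mode frame, or -1 unless it is an
// unencrypted 802.11 data frame with IPv4 over LLC/SNAP (names are made up here).
long find_ipv4_offset(const uint8_t* buf, size_t len, bool has_radiotap) {
    size_t off = 0;
    if (has_radiotap) {
        // Radiotap: version(1) pad(1) it_len(2, little-endian) present(4) ...
        if (len < 8 || buf[0] != 0) return -1;
        off = static_cast<size_t>(buf[2]) | (static_cast<size_t>(buf[3]) << 8);
        if (off < 8 || off > len) return -1;
    }
    if (len - off < 24) return -1;               // minimum 802.11 data header
    const uint8_t fc0 = buf[off], fc1 = buf[off + 1];
    if ((fc0 & 0x0F) != 0x08) return -1;         // version 0, type 2 (data)
    const uint8_t subtype = fc0 >> 4;
    if (subtype & 0x04) return -1;               // null-data subtypes: no payload
    if (fc1 & 0x40) return -1;                   // Protected bit: body encrypted
    size_t hdr = 24;
    if ((fc1 & 0x03) == 0x03) hdr += 6;          // ToDS+FromDS: fourth address
    if (subtype & 0x08) hdr += (fc1 & 0x80) ? 6 : 2;  // QoS control (+HT control)
    if (len - off < hdr + 8) return -1;          // room for the LLC/SNAP header
    off += hdr;
    // LLC/SNAP: AA AA 03, OUI 00 00 00, EtherType 08 00 (IPv4)
    static const uint8_t snap_ipv4[8] = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00};
    if (std::memcmp(buf + off, snap_ipv4, 8) != 0) return -1;
    off += 8;
    if (len - off < 20 || (buf[off] >> 4) != 4) return -1;  // IPv4 sanity check
    return static_cast<long>(off);
}

// Constructed sample: 8-byte radiotap, 802.11 header, SNAP, 20-byte IPv4 header.
std::vector<uint8_t> sample_frame(uint8_t fc0, uint8_t fc1, size_t hdr_len) {
    std::vector<uint8_t> f = {0, 0, 8, 0, 0, 0, 0, 0};  // radiotap, it_len = 8
    f.resize(8 + hdr_len, 0);
    f[8] = fc0; f[9] = fc1;
    const uint8_t rest[] = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00, 0x45};
    f.insert(f.end(), rest, rest + sizeof rest);
    f.resize(f.size() + 19, 0);                          // rest of IPv4 header
    return f;
}

int main() {
    std::vector<uint8_t> f = sample_frame(0x08, 0x00, 24);
    std::printf("IPv4 header at offset %ld\n", find_ipv4_offset(f.data(), f.size(), true));
}
```

For a plain data frame without a radiotap header the function returns 32, the value used in the reply; a result of -1 means the frame should be skipped rather than handed to the Packet constructor.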