[Snort-devel] question about snort Packet type

Fyodor fygrave at ...1...
Tue Dec 26 05:36:11 EST 2000

On Tue, Dec 26, 2000 at 04:59:24AM -0500, Joseph Nicholas Yarbrough wrote:
> Does snort set the pointers (tcph, iph, udph, and icmph) in Packet to null if 
> they are not valid. (i.e. if the Packet is not tcp, tcph is null) If not, how 
> do I determine which I should use?

Yes. You should first check out if p != NULL then p->iph != NULL, if it isn't,
check out p->iph->ip_proto, if it is IPPROTO_TCP and p->tcph != NULL then tcp
packet was processed successfully, if it is IPPROTO_UDP and p->udph != NULL
then udp.. same with icmp ;-)

> Also, what are orig_iph, orig_tcph, orig_udph, and orig_icmph for? Are the 

They are needed when icmp unreach datagram is being decoded/printed.

PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
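
The check order described in the reply above, written out as an added example (not part of the original post and not Snort's own code). The struct definitions are simplified stand-ins for Snort's Packet and header types, and `packet_kind` and `PktKind` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */

/* Simplified stand-ins (assumption): only the pointers named in the
 * thread are modelled, not Snort's full Packet layout. */
typedef struct { unsigned char ip_proto; } IPHdr;
typedef struct { unsigned short sport, dport; } TCPHdr;
typedef struct { unsigned short sport, dport; } UDPHdr;
typedef struct { unsigned char type, code; } ICMPHdr;

typedef struct {
    IPHdr   *iph;
    TCPHdr  *tcph;
    UDPHdr  *udph;
    ICMPHdr *icmph;
} Packet;

typedef enum { PKT_NONE, PKT_IP_ONLY, PKT_TCP, PKT_UDP, PKT_ICMP } PktKind;

/* Hypothetical helper: reports which header pointer is safe to dereference. */
PktKind packet_kind(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return PKT_NONE;              /* no decoded IP header at all */

    switch (p->iph->ip_proto) {
    case IPPROTO_TCP:                 /* protocol says TCP: header must also be set */
        return p->tcph  ? PKT_TCP  : PKT_IP_ONLY;
    case IPPROTO_UDP:
        return p->udph  ? PKT_UDP  : PKT_IP_ONLY;
    case IPPROTO_ICMP:
        return p->icmph ? PKT_ICMP : PKT_IP_ONLY;
    default:                          /* other IP protocol: use iph only */
        return PKT_IP_ONLY;
    }
}

int main(void)
{
    /* Constructed sample: IP header says TCP, but the TCP pointer is NULL,
     * i.e. the transport header was not processed successfully. */
    IPHdr ip = { IPPROTO_TCP };
    Packet truncated = { &ip, NULL, NULL, NULL };
    printf("kind=%d\n", packet_kind(&truncated));
    return 0;
}
```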
