[Snort-devel] question about snort Packet type
fygrave at ...1...
Tue Dec 26 05:36:11 EST 2000
On Tue, Dec 26, 2000 at 04:59:24AM -0500, Joseph Nicholas Yarbrough wrote:
> Does snort set the pointers (tcph, iph, udph, and icmph) in Packet to null if
> they are not valid. (i.e. if the Packet is not tcp, tcph is null) If not, how
> do I determine which I should use?

Yes. You should first check out if p != NULL then p->iph != NULL, if it isn't,
check out p->iph->ip_proto, if it is IPPROTO_TCP and p->tcph != NULL then tcp
packet was processed successfully, if it is IPPROTO_UDP and p->udph != NULL
then udp.. same with icmp ;-)

> Also, what are orig_iph, orig_tcph, orig_udph, and orig_icmph for? Are the

They are needed when an icmp unreach datagram is being decoded/printed.
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
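
The check order described in the reply above, written out as an added example (not part of the original message and not Snort's own code). The structs are simplified stand-ins that model only the pointers named in the thread; `packet_l4_kind`, `L4Kind` and every header field other than `ip_proto` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */

/* Simplified stand-ins (assumption): the real Snort structures carry many
 * more fields; only the pointers discussed in the thread are modelled. */
typedef struct { unsigned char ip_proto; } IPHdr;
typedef struct { unsigned short sport, dport; } TCPHdr;
typedef struct { unsigned short sport, dport; } UDPHdr;
typedef struct { unsigned char type, code; } ICMPHdr;
typedef struct { IPHdr *iph; TCPHdr *tcph; UDPHdr *udph; ICMPHdr *icmph; } Packet;

typedef enum { L4_NONE, L4_TCP, L4_UDP, L4_ICMP, L4_OTHER, L4_UNDECODED } L4Kind;

/* Hypothetical helper: decide which header pointer is safe to dereference.
 * The protocol field alone is not enough; the matching pointer must also be
 * non-NULL, otherwise the transport header was not decoded successfully. */
L4Kind packet_l4_kind(const Packet *p)
{
    if (p == NULL || p->iph == NULL)
        return L4_NONE;                 /* no IP header: nothing to inspect */
    switch (p->iph->ip_proto) {
    case IPPROTO_TCP:  return p->tcph  ? L4_TCP  : L4_UNDECODED;
    case IPPROTO_UDP:  return p->udph  ? L4_UDP  : L4_UNDECODED;
    case IPPROTO_ICMP: return p->icmph ? L4_ICMP : L4_UNDECODED;
    default:           return L4_OTHER; /* some other IP protocol */
    }
}

int main(void)
{
    /* Constructed sample: IP header says TCP, but tcph was never set. */
    IPHdr ip = { IPPROTO_TCP };
    Packet p = { &ip, NULL, NULL, NULL };

    if (packet_l4_kind(&p) == L4_UNDECODED)
        printf("ip_proto is TCP but tcph is NULL: do not touch p->tcph\n");
    return 0;
}
```
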