This project is read-only.

if (packet.Ethernet.IpV4.Udp.Payload.Length > 0) returns true for Tcp packet

Jun 5, 2011 at 3:22 AM
Edited Jun 5, 2011 at 3:26 AM

Awesome library you've created here I'm having fun.  Ran into this while I'm parsing an offline pcap file which contains a mix of HTTP and DNS traffic.



var query = from packet in communicator.ReceivePackets(-1)
                            select packet;

foreach (Packet packet in query)
                   if (packet.Ethernet.IpV4.Udp.Payload.Length > 0)
                             // Do stuff


I'm probably totally ignorant about how to use your library and apologize if I didn't read enough of the documentation.  But (packet.Ethernet.IpV4.Udp.Payload.Length > 0) returns true when it is a TCP packet.  Looking into the debugger at the packet.Ethernet.IpV4 data type it seems there is data for both UDP and TCP properties.  I'm sure a more correct way I should be doing this would be something like:

if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Udp)
    // Do stuff
But was curious what's going on above.

Jun 7, 2011 at 9:08 AM

Hi chrisweber,

Pcap.Net allows you to parse any packet however you want, so if youdo packet.Ethernet.IpV4.Udp.Payload it means you've decided to parse the IpV4 payload as UDP even if it's not.

Note that you also assume in this line that the Ethernet payload is IpV4, even though it can be something else in theory.