获取ARP包的大小

Question

我目前正在将一个数据包分解为多个标头。

这是我当前的代码：

void analyse(struct pcap_pkthdr *header, const unsigned char *packet, int verbose) {


    // Define headers and payload
    const struct ether_header *ethernet = NULL;
    const struct ether_arp *arp = NULL;
    const struct ip *ip = NULL;
    const struct tcphdr *tcp = NULL;
    const char *payload = NULL;

    /* Ethernet header is the first data block of packet **/
    ethernet = ( struct ether_header* ) packet;

    // ARP packet following
    if( ntohs( ethernet->ether_type ) == ETHERTYPE_ARP ) {

        arp = ( struct ether_arp* ) ( packet + ETH_HLEN );

        // If the operation performed by the sender is a reply, we increment the ARP Response Counter
        if( ntohs(arp->ea_hdr.ar_op ) == 2 ) {

            arpResponsesCounter++;

        }

    } else { // IP packet following

        ip = ( struct ip* ) ( packet + ETH_HLEN );

    }

    // ARP header and IP header don't have the same size
    if( arp == NULL ) {

        u_int shift_size = (ip->ip_hl)*4;

    } else {


    }


}

根据 http://unix.superglobalmegacorp.com/BSD4.4/newsrc/netinet/ip.h.html 和 http://unix.superglobalmegacorp.com/Net2/newsrc/netinet/if_ether.h.html ，IP 标头的大小由 (ip->ip_hl)*4; 给出，但我不知道如何获取 ARP 标头的大小。 我需要它来正确定义 TCP 标头指针。

谢谢

Answer 1

我认为你很困惑。 ARP 数据包是 ARP 头。 ARP 本身就是一个协议，它不像 IP 那样在其数据包中包含其他协议作为有效负载。它是正确的链路层协议，就像 ICMP 是网络层协议一样。两者都是顶层协议，都不承载其他协议。

如果您知道网络的第 2 层和第 3 层地址的大小（以太网为 48 位，IPv4 为 32 位），您可以确定网络上 ARP 数据包的大小。

Hardware Type is two octets
Protocol Type is two octets
Hardware Address Length is one octet
Protocol Address Length is one octet
Operation is two octets
Sender Hardware Address is Hardware Address Length octets
Sender Protocol Address is Protocol Address Length octets
Destination Hardware Address is Hardware Address Length octets
Destination Protocol Address is Protocol Address Length octets

基本上，您有八个八位字节，加上两倍的硬件地址长度和两倍的协议地址长度。

对于以太网上的 IPv4，这意味着 ( 8 + ( 2 * 6 ) + ( 2 * 4 ) ) = 28。