Hi, I'm writing a program for monitoring FTP traffic using raw sockets. Now, I am able to determine the start of data in a TCP packet using this code:

// char * packet;
// struct * iphdr;
// struct * tcphdr;

// ...
// check, whether sniffed ethernet frame contains IP and TCP 


char * data;
data = (packet + sizeof (struct ethhdr) + sizeof (struct tcphdr) + (header_ip->ihl * 4) + header_tcp->doff) + 4;

This works fine, but I have to add the "magic" number 4 to the data pointer. Without adding it, the final string starts with a few meaningless characters.

Is there any clean solution for determining the start of the transferred data? (without using any specialized libraries such as libcap etc.)

Thanks.

+2  A: 

Check the header specifications in RFC 793, RFC 1122, and RFC 3168. Some of the flags affect the header size, most obviously the options and maximum segment size fields.

wallyk
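
An added example, not code from either post: per RFC 791 and RFC 793 the IHL and data-offset fields both count 32-bit words, and the data offset already includes the fixed 20-byte TCP header, so the payload starts at Ethernet header + IHL*4 + doff*4. The function and helper names are hypothetical, and the sketch assumes untagged Ethernet II frames carrying IPv4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14          /* same value as sizeof(struct ethhdr) */

/* Returns the offset of the TCP payload inside an untagged Ethernet/IPv4
 * frame and stores its length in *payload_len; -1 if the frame is not
 * IPv4/TCP, is a non-first fragment, or is truncated or malformed. */
long tcp_payload_offset(const uint8_t *frame, size_t caplen, size_t *payload_len)
{
    if (caplen < ETH_HDR_LEN + 20) return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00) return -1;   /* EtherType IPv4 */

    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;                 /* IHL: 32-bit words */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    if ((ip[6] & 0x1F) || ip[7]) return -1;                  /* fragment offset != 0 */
    size_t total = ((size_t)ip[2] << 8) | ip[3];             /* IP total length */
    if (total < ihl + 20 || ETH_HDR_LEN + total > caplen) return -1;

    size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;           /* data offset: 32-bit words */
    if (doff < 20 || ihl + doff > total) return -1;

    *payload_len = total - ihl - doff;   /* excludes any Ethernet padding */
    return (long)(ETH_HDR_LEN + ihl + doff);
}

/* Constructed sample frame: zeroed headers with only the fields the parser
 * reads filled in; the TCP header is tcp_words * 4 bytes long. */
size_t build_sample(uint8_t *buf, unsigned tcp_words, const char *payload)
{
    size_t plen = strlen(payload), total = 20 + tcp_words * 4u + plen;
    memset(buf, 0, ETH_HDR_LEN + total);
    buf[12] = 0x08;                                  /* EtherType 0x0800 */
    uint8_t *ip = buf + ETH_HDR_LEN;
    ip[0] = 0x45; ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total; ip[9] = 6;
    ip[20 + 12] = (uint8_t)(tcp_words << 4);         /* TCP data offset nibble */
    memcpy(ip + 20 + tcp_words * 4u, payload, plen);
    return ETH_HDR_LEN + total;
}

int main(void)
{
    uint8_t buf[128];
    size_t len = 0, n = build_sample(buf, 8, "USER anonymous\r\n");
    long off = tcp_payload_offset(buf, n, &len);
    if (off >= 0) printf("offset %ld: %.*s", off, (int)len, (const char *)buf + off);
    return off < 0;
}
```

With a 32-byte TCP header (doff = 8), 20 + 8 + 4 happens to equal 32, so a fixed `+ 4` lands on the payload for that one header size and misses it for any other.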