#libpcap: why can't I get the packet starting at some layer

2 messages · Page 1 of 1 (latest)

timid timber Apr 13, 2023, 8:24 PM

When using libpcap, I can write a filter like tcp and src host localhost, but if I call pcap_next_ex or similar, I get the full packet, including the link layer header and such.
As far as I can tell, there is no way to have libpcap remove the outer headers and leave me only with e.g. the tcp header, despite the library clearly having the code required to do so, as the filters are impossible otherwise.
What is the reason for this limitation/what is the magic function I failed to find?

wild wharfBOT Apr 13, 2023, 8:24 PM

When your question is answered use !solved to mark the question as resolved.

Remember to ask specific questions, provide necessary details, and reduce your question to its simplest form. For tips on how to ask a good question run !howto ask.