[Ntop-misc] Packet misalignment (4 bytes out)
Matthew Prowse
matthew at majp.co.uk
Mon Dec 10 20:43:30 CET 2007
Hi,
I have emailed Luca describing the problem described below, and wondered
if anyone else has seen it or can explain it.
I have compiled the latest PF_RING from svn into kernel-2.6.9-42 (the
default for CentOS 4.4, iirc) using the rpm instructions at SYNful
packet. If I compile pcount against libpfring and modify it to output,
or wireshark against libpcap with a pfring backend, I capture packets
where the destination MAC address begins at offset 0x0004.
0000 22 00 2a 00 *00 18 39 4f 55 e9* 00 15 c5 3b 69 98
0010 08 00 45 00 00 3e 99 3a 40 00 40 11 18 5c c0 a8
0020 01 64 c2 a8 04 64 80 7b 00 35 00 2a 89 54 5b fa
The expected MAC addresses start at 0004 and 000a instead of 0000 and 0006.
This happens consistently for every packet.
Any ideas?
Matt
More information about the Ntop-misc
mailing list