I am delving into pcap which is a low level C library to capture network traffic. It seems to be simple to use but is documented grudgingly, as if the reader really shouldn’t need documentation (as is typical of Unix documentation). Virtually all of the information on this page was gleaned thru experiment or Google searches, rather than Apple documentation or references by Apple to standards.

Despite the fact that my DSL modem connects to my Mac via 802.11, pcap delivers packets with Ethernet headers prepended to the internet packets. I suppose that the radio traffic includes the Ethernet headers which include the 2 standard 48 bit MAC addresses.

There are the perennial bit and byte ordering problems. The packets are delivered with incoming bytes in ascending addresses, which is a conventional and logical hardware pattern. I have not yet worked my way down to the payload yet!

I found the IP addresses of the two ends of the two ping protocol players located in what appear to be intact Internet packets which immediately followed the Ethernet header.

This program probes available network devices on my machine that are accessible to pcap. Only device “en1” elicits traffic during a concurrent ping operation. The ‘device’ parameter in the routine ‘pcap_open_live’ thus requires the value “en1” which is perhaps a clue that I should expect Ethernet formats.

When I was expecting an 802.11 header I wrote:
The IEEE document is at the interface between the two worlds; it must speak of transmission bit order as well as program order. Working from section 7 of the IEEE spec the header for a 802 packet carrying a IP packet, which the standard refers to as a ‘data packet’, should begin in binary temporal transmission order: 00010000. They transmit low bits first so this should produce a header beginning 0x08 as delivered by pcap.

The pcap routine pcap_datalink returns value 1 according to this program which I now take to mean that I should expect Ethernet headers.

Here is the current state of my art. I wait for packets and routine hndl interprets each. Short names are kept for each MAC address and each IP address. There is an optional numeral argument n to the command. If n>0 then the contents of n records will be put into a file called “log”. If n=0 then the pre-existing file “log” will be interpreted.

Caution leads us to understand Address Resolution Protocol so as to ignore it.

Here are some pointers I have found mainly thru Google:
Apple’s man Pages
hyperlinked and prettified header files for pcap
802.11 header explanation?
pcap-bpf.h (innards)
pcap lore
Ethernet frame types and the EtherType field (better EtherType?)
802.11 frame header (802.11 frame header)
IEEE Wireless LAN Medium Access Control
struct sockaddr *
ARP better ARP format info that follows 14 byte header ARP format
IANA Protocol Registries
IP packet header spec
IP Header Protocol Numbers byte 9 in IP Header (TCP=6)
TCP
Standard IP Ports


C printf format details
To be Googled:
About the code

When the code finds packets it cannot explain it calls nested routine p with 1 in the last argument. p prints “ding” and emits a beep. p also prints the packet in network order starting at the offset which is the first argument.