Say you want to sniff TCP/IP packets on your network. That's pretty easy, right? Use libpcap, receive packets from the network interface and we're done. But before you can extract the IP header from a received packet you need to strip layer 2 header.

It's not that easy. Libpcap tries to help only a bit - it is possible to get the data link type of the network interface. But this is useless without the knowledge of how to extract IP from given data link type.

Most software use hardcoded offsets for the most common data link types. Here's the relevant code in few popular programs:

• p0f v3
• nmap
• hping3
• libnids

Hardcoded offsets:

• †: #if (FREEBSD||OPENBSD||NETBSD||BSDI||MACOSX)

• ‡: #ifdef SOLARIS

Those programs are in agreement only about:

Additionally it may be important to remove 802.1Q VLAN header from DLT_EN10MB, for example libnids has the following code:

case DLT_EN10MB:
    if (hdr->caplen < 14)
        return;
    /* Only handle IP and 802.1Q VLAN tagged packets */
    if (data[12] == 8 && data[13] == 0) {
        /* Regular ethernet */
        nids_linkoffset = 14;
    } else if (data[12] == 0x81 && data[13] == 0) {
        /* Skip 802.1Q VLAN and priority information */
        nids_linkoffset = 18;
    } else
        /* non-ip frame */
        return;
    break;

Furthermore, decoding of DLT_IEEE802_11 in libnids contains pretty complex logic.

Opposite strategy is chosen by p0f - it tries to guess the offset of IPv4 or IPv6 headers if the data link type is unrecognized.

Finally, here's the official tcpdump/libpcap documentation:

• http://www.tcpdump.org/linktypes.html