Vi scrivo le definizioni di header IP e pacchetto:

/*
 * IPv4 header as laid out on the wire (20 bytes without options).
 * The decoder overlays this struct directly on raw packet bytes, so
 * field order, widths and the absence of padding must not change.
 *
 * NOTE(review): the 16-bit fields (ip_len, ip_id, ip_off, ip_csum) are
 * presumably stored in network byte order - convert with ntohs() before
 * comparing or doing arithmetic on them. Before dereferencing a pointer
 * of this type, the caller should confirm that at least sizeof(IPHdr)
 * bytes remain in the captured data; the header-length nibble in
 * ip_verhl must also be validated before it is used to locate options
 * or the payload (see RFC 791 for the version/IHL split).
 */
typedef struct _IPHdr
{
u_int8_t ip_verhl; /* version & header length (IHL, in 32-bit words) packed in one byte */
u_int8_t ip_tos; /* type of service */
u_int16_t ip_len; /* total datagram length, header included */
u_int16_t ip_id; /* identification (fragment reassembly key) */
u_int16_t ip_off; /* flags (DF/MF/reserved) & fragment offset */
u_int8_t ip_ttl; /* time to live */
u_int8_t ip_proto; /* encapsulated protocol (e.g. IPPROTO_TCP/UDP/ICMP) */
u_int16_t ip_csum; /* header checksum */
struct in_addr ip_src; /* source IPv4 address */
struct in_addr ip_dst; /* destination IPv4 address */
} IPHdr;




/*
 * Decoded view of one captured packet.
 *
 * Every header pointer below points INTO the raw capture buffer (pkt)
 * rather than owning a copy; a pointer is left NULL when that layer was
 * not present or could not be decoded. Consumers must therefore test a
 * header pointer for NULL before dereferencing it (e.g. check iph before
 * reading iph->ip_dst or iph->ip_proto), and must not assume that
 * dsize bytes are readable past data without comparing against caplen.
 *
 * NOTE(review): the fixed-size option arrays (ip_options[40],
 * tcp_options[TCP_OPTLENMAX]) are only safe if the decoder caps
 * ip_option_count / tcp_option_count at the array bound - verify in the
 * option decoding code, which is not shown here.
 */
typedef struct _Packet
{
struct pcap_pkthdr *pkth; /* libpcap/BPF capture record (timestamp, caplen, len) */
u_int8_t *pkt; /* base pointer to the raw packet data; all header pointers below alias into it */

Fddi_hdr *fddihdr; /* FDDI support headers */
Fddi_llc_saps *fddisaps;
Fddi_llc_sna *fddisna;
Fddi_llc_iparp *fddiiparp;
Fddi_llc_other *fddiother;

Trh_hdr *trh; /* Token Ring support headers */
Trh_llc *trhllc;
Trh_mr *trhmr;

SLLHdr *sllh; /* Linux cooked sockets header */

PflogHdr *pfh; /* OpenBSD pflog interface header */

EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
VlanTagHdr *vh;
EthLlc *ehllc;
EthLlcOther *ehllcother;

WifiHdr *wifih; /* wireless LAN header */

EtherARP *ah;

EtherEapol *eplh; /* 802.1x EAPOL header */
EAPHdr *eaph;
u_int8_t *eaptype;
EapolKey *eapolk;

IPHdr *iph, *orig_iph; /* outer IP header; orig_* hold the quoted inner headers of ICMP_*_UNREACH family messages */
u_int32_t ip_options_len; /* byte length of the raw IP options area */
u_int8_t *ip_options_data; /* start of the raw IP options area (inside pkt) */

TCPHdr *tcph, *orig_tcph; /* TCP header / quoted inner TCP header (see orig_iph) */
u_int32_t tcp_options_len; /* byte length of the raw TCP options area */
u_int8_t *tcp_options_data; /* start of the raw TCP options area (inside pkt) */

UDPHdr *udph, *orig_udph; /* UDP header / quoted inner UDP header */
ICMPHdr *icmph, *orig_icmph; /* ICMP header / quoted inner ICMP header */

echoext *ext; /* ICMP echo extension struct */

u_int8_t *data; /* packet payload pointer (inside pkt) */
u_int16_t dsize; /* packet payload size in bytes - note: 16-bit, narrower than caplen */
u_int16_t alt_dsize; /* the dsize of a packet before munging (used for log) */

u_int8_t frag_flag; /* flag to indicate a fragmented packet */
u_int16_t frag_offset; /* fragment offset number */
u_int8_t mf; /* more fragments flag */
u_int8_t df; /* don't fragment flag */
u_int8_t rf; /* IP reserved bit */

u_int16_t sp; /* source port (TCP/UDP) */
u_int16_t dp; /* dest port (TCP/UDP) */
u_int16_t orig_sp; /* source port (TCP/UDP) of original datagram */
u_int16_t orig_dp; /* dest port (TCP/UDP) of original datagram */
u_int32_t caplen; /* number of bytes actually captured - the upper bound for any offset into pkt */

u_int8_t uri_count; /* number of URIs in this packet */

void *ssnptr; /* for tcp session tracking info... */
void *cloned_ssnptr;
void *ftrptr;
void *flow; /* for flow info */
void *streamptr; /* for tcp pkt dump */

Options ip_options[40]; /* ip options decode structure; ip_option_count must stay <= 40 */
u_int32_t ip_option_count; /* number of options in this packet */
u_char ip_lastopt_bad; /* flag to indicate that option decoding was halted due to a bad option */
Options tcp_options[TCP_OPTLENMAX]; /* tcp options decode struct; tcp_option_count must stay <= TCP_OPTLENMAX */
u_int32_t tcp_option_count;
u_char tcp_lastopt_bad; /* flag to indicate that option decoding was halted due to a bad option */

u_int8_t csum_flags; /* checksum flags */
u_int32_t packet_flags; /* special flags for the packet */
int preprocessors; /* flags for preprocessors to check */
} Packet;


Quello che devo fare è confrontare il valore corrente nel pacchetto e verificare se l'IP di destinazione corrisponde a un dato IP e se si tratta di un pacchetto TCP, oppure se ha quel destIP ed è un pacchetto ICMP; lo stesso se è UDP. In tal caso una variabile "label" assume il valore "attack". (In termini della struct: dopo aver verificato che p->iph non sia NULL, si confronta p->iph->ip_dst.s_addr con l'IP cercato e p->iph->ip_proto con IPPROTO_TCP, IPPROTO_UDP o IPPROTO_ICMP.)