Ethereal-users: Re: [ethereal-users] Capture Filter Questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 23 Aug 2000 14:16:00 -0500




> If the value
> 0xffff will pick up IPX packets, what would the value be for NCP packets?

NCP isn't a protocol that runs at the same layer as IPX, it's a protocol
that runs *atop* IPX, so, to pick up NCP packets, you don't use a
different value there - you use that value first, and, then, for packets
that *do* have that value, you then check the fields in the IPX header
to see whether the IPX packet in question contains an NCP packet or not.

I'll let Gilbert answer that one, as he's more likely to know the right
answer off the top of his head.




Yep, unfortunately, I do know. :)

NCP over IPX is designated by IPX packet type 17, or by IPX socket 0x0451.

(the following offsets are given assuming that offsets start at 0)

The IPX packet type is one byte at offset 5 from the beginning of the IPX
header.
The IPX destination socket is two bytes at offset 16 from the beginning of the
IPX header.
The IPX source socket is two bytes at offset 28 of the IPX header.
The integer representing the socket is in network order.

You'll have to add in the length of the ethernet header and the LLC header, if
you have one, to get the offset from the ethernet header so that the offset is
compatible with the libpcap ether[offset] syntax.

This link has the IPX header format. It's too bad they don't know how to spell
"Novell". :)

http://www.protocols.com/pbook/novel.htm



--gilbert
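
The offset arithmetic described in the message above, as an added example that is not part of the original post: it builds the libpcap `ether[offset]` filter for NCP over IPX with and without an LLC header, and applies the same tests to raw frame bytes. Assumptions: a 14-byte Ethernet header, a 3-byte 802.2 LLC header, and that the 0xffff from the question is the checksum field at the start of the IPX header; the function names and the sample frames are constructed for illustration.

```python
import struct

ETH_HLEN = 14   # Ethernet header: dst MAC, src MAC, type/length
LLC_HLEN = 3    # 802.2 LLC header (DSAP, SSAP, control), when present
# Offsets inside the IPX header, as given in the message (0-based).
PKT_TYPE_OFF, DST_SOCK_OFF, SRC_SOCK_OFF = 5, 16, 28
NCP_PKT_TYPE, NCP_SOCKET = 17, 0x0451

def ipx_base(has_llc):
    """Offset of the IPX header from the start of the Ethernet frame."""
    return ETH_HLEN + (LLC_HLEN if has_llc else 0)

def ncp_filter(has_llc):
    """libpcap capture filter for NCP over IPX for one encapsulation."""
    b = ipx_base(has_llc)
    return (f"ether[{b}:2] = 0xffff and ("
            f"ether[{b + PKT_TYPE_OFF}] = {NCP_PKT_TYPE} or "
            f"ether[{b + DST_SOCK_OFF}:2] = {NCP_SOCKET:#06x} or "
            f"ether[{b + SRC_SOCK_OFF}:2] = {NCP_SOCKET:#06x})")

def is_ncp(frame, has_llc):
    """Apply the same tests to raw frame bytes."""
    b = ipx_base(has_llc)
    if len(frame) < b + 30:            # IPX header is 30 bytes
        return False
    if frame[b:b + 2] != b"\xff\xff":  # assumed: IPX checksum field is 0xffff
        return False
    dst, = struct.unpack_from("!H", frame, b + DST_SOCK_OFF)  # network order
    src, = struct.unpack_from("!H", frame, b + SRC_SOCK_OFF)
    return frame[b + PKT_TYPE_OFF] == NCP_PKT_TYPE or NCP_SOCKET in (dst, src)

def sample_frame(pkt_type, dst_sock, src_sock, has_llc):
    """Constructed test frame: zeroed addresses, only the tested fields set."""
    ipx = bytearray(30)
    ipx[0:2] = b"\xff\xff"
    ipx[PKT_TYPE_OFF] = pkt_type
    struct.pack_into("!H", ipx, DST_SOCK_OFF, dst_sock)
    struct.pack_into("!H", ipx, SRC_SOCK_OFF, src_sock)
    llc = b"\xe0\xe0\x03" if has_llc else b""   # constructed LLC bytes
    return bytes(ETH_HLEN) + llc + bytes(ipx)

if __name__ == "__main__":
    for llc in (False, True):
        print(ncp_filter(llc))
```

A filter built for the wrong encapsulation reads every field 3 bytes off, so the result has to match the framing actually in use on the capture interface.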