The code written to interpreter captured bytes is given below. Which basically locate source address, destination address, source port, destination port, and protocol from various headers from packet captured. After it is done then only TCP and UDP packets are stored into a file. so it means only those packets having protocol number 6,17 should be saved but when i go through the file the packets with protocol 0,20,255,100,8,66 are also saved more over strange IP address are also seen like.2.8.2.8, 17.0.0.0, 66.0.0.0, 0.0.0.0 etc what are these packets, am i correct in my approach. – None – 2013-02-11T09:57:37.917

1if (ntohs (eptr->ether_type) == ETHERTYPE_IP) struct iphdr *ip4h = (struct iphdr )(packet + sizeof(struct ethhdr) ); ip_hdr_len =ip4h->ihl4; next_protocol=ip4h->protocol;next_protocol=ip4h->protocol;switch (next_protocol) { case 6:TCP struct tcphdr tcph=(struct tcphdr)(packet + ip_hdr_len + sizeof(struct ethhdr)); case 17:UDP struct udphdr udph = (struct udphdr)(packet + ip_hdr_len + sizeof(struct ethhdr)); – None – 2013-02-11T10:16:34.253

From your description, there's definitely something wrong with the packet handling code, but I can't tell what from that snippet. I suspect the easiest thing will be to save some raw packets that get weird results, see what tcpdump parses them as (so you know what the should parse out as),then step through your code in a debugger and see why it doesn't get the same result. – Gordon Davisson – 2013-02-13T04:46:10.573