c - OSI Layers on local host -

i wrote small application try display protocol headers of captured packets. packets captured libpcap's pcap_loop. way program works follows: wrote own headers based of structures defined in if_ether.h ip.h , tcp.h. pcap_loop sets char pointer beginning of packet, , step through packet, casting appropriate structure each time, , incrementing pointer size of header. it's important remember question isn't code specific; code works there logical flaws dont undestand; keep in mind packets sent on same machine, different port(i wrote tiny python server send data telnet):

1.the ethernet header doesn't display looks correct when packets sent on localhost (when use program on internet packets, mac adresses dosplayed correctly though)

2.through trial , error, i've determined structure iphdr starts 16 bytes after start of packet buffer, opposed expected 14 bytes, size of ethernet header

those observations lead me ask following questions: when packets sent on local host, use protocol on layer 2? there @ separates packet headers? iphdr , tcphdr structures defined in ip.h , tcp.h obsolete?

when packets sent on local host, use protocol on layer 2?

there isn't layer 2 protocol, there's no real network adapter.

however, there fake layer 2 headers provided programs capture traffic. fake headers provided operating-system-dependent.

on linux, fake layer 2 headers fake ethernet headers.

on *bsd, os x, ios, and, think, solaris 11, they're either dlt_null or dlt_loop headers, described in the list of libpcap/winpcap/pcap/pcap-ng link-layer header types.

however:

through trial , error, i've determined structure iphdr starts 16 bytes after start of packet buffer

if you're capturing on "any" device, headers dlt_linux_sll headers, 16 bytes long.

if using pcap or pcap wrapper, must, without exception, call pcap_datalink(), or wrapper's equivalent, before trying parse any packets capture or read savefile. must not assume packets have any particular link-layer header type.