tcpdump mailing list archives
Wrong tcp sequence numbers???
From: Claudio Lavecchia <Claudio.Lavecchia () eurecom fr>
Date: Tue, 21 Sep 2004 12:26:56 +0200
Hello ppl, I got a quite easy question for you guys: I am using a libpcap based packet dissector to sniff WLAN traffic: I read tcp packets using the structure: struct sniff_tcp { u_short th_sport; /* source port */ u_short th_dport; /* destination port */ tcp_seq th_seq; /* sequence number */ tcp_seq th_ack; /* acknowledgement number */ //u_int th_seq; /* sequence number *///u_int th_ack; /* acknowledgement number */
#if BYTE_ORDER == LITTLE_ENDIAN u_int th_x2:4, /* (unused) */ th_off:4; /* data offset */ #endif #if BYTE_ORDER == BIG_ENDIAN u_int th_off:4, /* data offset */ th_x2:4; /* (unused) */ #endif u_char th_flags; #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 #define TH_ECE 0x40 #define TH_CWR 0x80#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
u_short th_win; /* window */ u_short th_sum; /* checksum */ u_short th_urp; /* urgent pointer */ };but in my code when I try to read the tcp sequence numbers, I get very odd values of sequence number. Here follows the code snippet I use to read sequence number. The values I get do not correspond to the ones I read using ethereal, for example.
//-------------------- CODE SNIPPET---------------------------------------- /* This pointer points to the beginning of the IP packet */ ip = (struct sniff_ip*)(packet + size_ethernet); /* This pointer points to the beginning of the TCP packet */ tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip); // The payload represents the application datad_ip_packet->payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
/* Interesting portion of the IP header */d_ip_packet->src_ip_address = strcpy(d_ip_packet->src_ip_address,inet_ntoa(ip->ip_src));
strcat(d_ip_packet->src_ip_address,"\0");d_ip_packet->dst_ip_address = strcpy(d_ip_packet->dst_ip_address,inet_ntoa(ip->ip_dst));
strcat(d_ip_packet->src_ip_address,"\0");d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG HERE! sequence number is not correct
//-------------------- END OF CODE SNIPPET----------------------------------------
Can anyone help me? Thx a lot for your attention Claudio - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Wrong tcp sequence numbers??? Claudio Lavecchia (Sep 21)
- Re: Wrong tcp sequence numbers??? Jefferson Ogata (Sep 21)
- Re: Wrong tcp sequence numbers??? ronnie sahlberg (Sep 21)
- Re: Wrong tcp sequence numbers??? Claudio Lavecchia (Sep 22)
- Re: Wrong tcp sequence numbers??? Jefferson Ogata (Sep 22)
- Re: Wrong tcp sequence numbers??? Guy Harris (Sep 22)
- Re: Wrong tcp sequence numbers??? Jefferson Ogata (Sep 21)