tcpdump mailing list archives
Wrong tcp sequence numbers???
From: Claudio Lavecchia <Claudio.Lavecchia () eurecom fr>
Date: Tue, 21 Sep 2004 12:26:56 +0200
Hello ppl,
I got a quite easy question for you guys:
I am using a libpcap based packet dissector to sniff WLAN traffic:
I read tcp packets using the structure:
struct sniff_tcp {
    u_short th_sport;   /* source port */
    u_short th_dport;   /* destination port */
    tcp_seq th_seq;     /* sequence number */
    tcp_seq th_ack;     /* acknowledgement number */
    //u_int th_seq;     /* sequence number */
    //u_int th_ack;     /* acknowledgement number */
#if BYTE_ORDER == LITTLE_ENDIAN
    u_int th_x2:4,      /* (unused) */
          th_off:4;     /* data offset */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_int th_off:4,     /* data offset */
          th_x2:4;      /* (unused) */
#endif
    u_char th_flags;
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
    u_short th_win;     /* window */
    u_short th_sum;     /* checksum */
    u_short th_urp;     /* urgent pointer */
};
but in my code when I try to read the tcp sequence numbers, I get very
odd values of sequence number. Here follows the code snippet I use to
read sequence number. The values I get do not correspond to the ones I
read using ethereal, for example.
//-------------------- CODE SNIPPET----------------------------------------
/* This pointer points to the beginning of the IP packet */
ip = (struct sniff_ip*)(packet + size_ethernet);
/* This pointer points to the beginning of the TCP packet */
tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
// The payload represents the application data
d_ip_packet->payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
/* Interesting portion of the IP header */
d_ip_packet->src_ip_address = strcpy(d_ip_packet->src_ip_address,inet_ntoa(ip->ip_src));
strcat(d_ip_packet->src_ip_address,"\0");
d_ip_packet->dst_ip_address = strcpy(d_ip_packet->dst_ip_address,inet_ntoa(ip->ip_dst));
strcat(d_ip_packet->src_ip_address,"\0");
d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG HERE! sequence number is not correct
//-------------------- END OF CODE SNIPPET----------------------------------------
Can anyone help me? Thx a lot for your attention
Claudio
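An added example, not code from the original post or from the tcpdump project: one defensive way to read the TCP sequence and acknowledgement numbers from a captured frame, taking the IP header length from the packet rather than a fixed offset and checking the captured length before reading. It does not diagnose the problem reported above; the helper name `tcp_seq_from_frame`, the 14-byte Ethernet link header and the sample frame are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ETH_HLEN 14  /* assumption: Ethernet (DLT_EN10MB) link header */

/* Constructed frame: IPv4 with 4 option bytes (IHL = 6), then TCP with
 * seq 0x12345678, ack 0x9abcdef0. Checksums are zero and not verified. */
static const uint8_t sample_frame[58] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,                        /* Ethernet */
    0x46,0,0,44, 0,1,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2, 1,1,1,0,  /* IPv4 */
    0x30,0x39, 0x00,0x50, 0x12,0x34,0x56,0x78, 0x9a,0xbc,0xde,0xf0,
    0x50,0x10, 0xff,0xff, 0,0, 0,0                                /* TCP */
};

/* Big-endian 32-bit read, bytewise: no alignment or host-endianness assumptions. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: 0 and seq/ack on success, -1 if the frame is truncated,
 * not IPv4/TCP, or a non-first fragment. caplen is pcap_pkthdr.caplen. */
int tcp_seq_from_frame(const uint8_t *pkt, size_t caplen,
                       uint32_t *seq, uint32_t *ack)
{
    if (caplen < ETH_HLEN + 20 || pkt[12] != 0x08 || pkt[13] != 0x00)
        return -1;
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ip_hl = (size_t)(ip[0] & 0x0f) * 4;  /* IHL: header length in bytes */
    if ((ip[0] >> 4) != 4 || ip_hl < 20 || ip[9] != 6)
        return -1;
    if ((ip[6] & 0x1f) || ip[7] || caplen < ETH_HLEN + ip_hl + 20)
        return -1;  /* later fragment, or TCP header not fully captured */
    const uint8_t *tcp = ip + ip_hl;
    if ((tcp[12] >> 4) < 5)  /* TCP data offset below the 20-byte minimum */
        return -1;
    *seq = be32(tcp + 4);
    *ack = be32(tcp + 8);
    return 0;
}

int main(void)
{
    uint32_t seq = 0, ack = 0;
    int rc = tcp_seq_from_frame(sample_frame, sizeof sample_frame, &seq, &ack);
    printf("rc=%d seq=0x%08x ack=0x%08x\n", rc, (unsigned)seq, (unsigned)ack);
    return 0;
}
```

On this constructed frame, assuming a fixed 20-byte IP header would place the sequence-number read on the two port fields and yield 0x30390050 instead of 0x12345678.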
