tcpdump mailing list archives
Re: Wrong tcp sequence numbers???
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 21 Sep 2004 10:38:27 -0400
Claudio Lavecchia wrote:
I am using a libpcap based packet dissector to sniff WLAN traffic: I read tcp packets using the structure:

struct sniff_tcp {
    u_short th_sport; /* source port */
    u_short th_dport; /* destination port */
    tcp_seq th_seq; /* sequence number */
    tcp_seq th_ack; /* acknowledgement number */

[snip]

1. What is the typedef for tcp_seq?

//u_int th_seq; /* sequence number */
//u_int th_ack; /* acknowledgement number */
[snip]
but in my code when I try to read the tcp sequence numbers, I get very odd values of sequence number. Here follows the code snippet I use to read sequence number. The values I get do not correspond to the ones I read using ethereal, for example.
2. What do you mean by "odd"?
//-------------------- CODE SNIPPET----------------------------------------
/* This pointer points to the beginning of the IP packet */
ip = (struct sniff_ip*)(packet + size_ethernet);
/* This pointer points to the beginning of the TCP packet */
tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
3. How do you calculate size_ip?
// The payload represents the application data
d_ip_packet->payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);
/* Interesting portion of the IP header */
d_ip_packet->src_ip_address = strcpy(d_ip_packet->src_ip_address,inet_ntoa(ip->ip_src));
strcat(d_ip_packet->src_ip_address,"\0");
4. What are you trying to achieve here?
d_ip_packet->dst_ip_address = strcpy(d_ip_packet->dst_ip_address,inet_ntoa(ip->ip_dst));
strcat(d_ip_packet->src_ip_address,"\0");
5. And here?
d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG HERE! sequence number is not correct
6. Not correct, but how? Unrelated? Byte-swapped? Shifted?

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
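Added example, not part of the original message and not libpcap's own code: questions 3 and 6 above turn on how size_ip is derived and how the 32-bit sequence field is read. The code below takes size_ip from the IPv4 IHL nibble, bounds-checks every offset against the captured length, and reads th_seq byte by byte so host byte order and alignment do not matter. The function names, return codes, the caller-supplied link_len and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: Ethernet + IPv4 with 4 option bytes (IHL=6) + TCP SYN. */
static const uint8_t sample_frame[58] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00,                   /* Ethernet */
    0x46,0,0,44, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2, /* IPv4, proto 6 */
    1,1,1,0,                                               /* IP options */
    0x04,0xd2,0,80, 0x01,0x02,0x03,0x04, 0,0,0,0,          /* ports, seq, ack */
    0x50,0x02,0xff,0xff, 0,0,0,0                           /* rest of TCP hdr */
};

/* Read a big-endian 32-bit field; no alignment or host byte-order assumptions. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Extract the TCP sequence number from a captured IPv4 frame.
 * link_len is the link-layer header length, supplied by the caller
 * (14 for plain Ethernet). Returns 0 on success, negative on bad input. */
int tcp_seq_from_frame(const uint8_t *pkt, size_t caplen, size_t link_len,
                       uint32_t *seq)
{
    if (caplen < link_len || caplen - link_len < 20)
        return -1;                         /* no room for a minimal IP header */
    const uint8_t *ip = pkt + link_len;
    if ((ip[0] >> 4) != 4)
        return -2;                         /* not IPv4 (or wrong link_len) */
    size_t size_ip = (size_t)(ip[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
    if (size_ip < 20)
        return -3;                         /* invalid IHL */
    if (ip[9] != 6 || ((ip[6] & 0x1f) << 8 | ip[7]) != 0)
        return -4;                         /* not TCP, or not the first fragment */
    if (caplen - link_len < size_ip + 20)
        return -5;                         /* no room for a minimal TCP header */
    *seq = be32(ip + size_ip + 4);         /* th_seq follows the two ports */
    return 0;
}

int main(void)
{
    uint32_t seq = 0;
    int rc = tcp_seq_from_frame(sample_frame, sizeof sample_frame, 14, &seq);
    printf("rc=%d seq=0x%08lx\n", rc, (unsigned long)seq);
    return rc ? 1 : 0;
}
```

The sample frame carries IP options, so a dissector that hard-codes a 20-byte IP header would land four bytes early and read the ports as the sequence number.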