Re: Wrong tcp sequence numbers???

[Jefferson Ogata <Jefferson.Ogata () noaa gov>]

Claudio Lavecchia wrote:
> Jefferson Ogata wrote:
> > Claudio Lavecchia wrote:
> >
> > > I am using a libpcap based packet dissector to sniff WLAN traffic:
> > >
> > > I read tcp packets using the structure:
> > >
> > > struct sniff_tcp {
> > >        u_short th_sport;                       /* source port */
> > >        u_short th_dport;                       /* destination port */
> > >        tcp_seq th_seq;                         /* sequence number */
> > >        tcp_seq th_ack;                         /* acknowledgement 
> > > number */
> > [snip]
> >
> > 1. What is the typedef for tcp_seq?
>
> Here follows the typedef
>
> typedef    u_int32_t tcp_seq;

Okay. I wouldn't use a typedef for that, personally, as it just means someone 
has to go find it when they read the code, and it will never change through 
protocol evolution.

> > >        //u_int th_seq;                           /* sequence number */
> > >        //u_int th_ack;                           /* acknowledgement 
> > > number */
> > [snip]
> >
> > > but in my code when I try to read the tcp sequence numbers, I get 
> > > very odd values of sequence number. Here follows the code snippet I 
> > > use to read sequence number. The values I get do not correspond to 
> > > the ones I read using ethereal, for example.
> >
> > 2. What do you mean by "odd"?
>
> I mean that they are not the same that I can observe in Ethereal, 
> moreover I mean that the same sequence number can appear a lot of times.

See below.

> > > //-------------------- CODE 
> > > SNIPPET----------------------------------------
> > >        /* This pointer points to the beginning of the IP packet */
> > >        ip = (struct sniff_ip*)(packet + size_ethernet);
> > >        /* This pointer points to the beginning of the TCP packet */
> > >        tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
> >
> > 3. How do you calculate size_ip?
>
> int size_ip = sizeof(struct sniff_ip);
>
> Where struct sniff_ip is the structure used to decode IP packets in the 
> packet dissectors based on libpcap available on the web (cfr. sniffer.c)

Have you considered doing that correctly? I.e., size_ip = (ip_version_headerlen 
& 0xf) << 2?

Do values in the IP header match up, e.g. version, source IP, etc.?

> > >        // The payload represents the application data
> > >        d_ip_packet->payload = (u_char *)(packet + size_ethernet + 
> > > size_ip + size_tcp);
> > >
> > >        /* Interesting portion of the IP header */
> > >        d_ip_packet->src_ip_address = 
> > > strcpy(d_ip_packet->src_ip_address,inet_ntoa(ip->ip_src));
> > >        strcat(d_ip_packet->src_ip_address,"\0");
> >
> > 4. What are you trying to achieve here?
>
> I inspect  a packet at different ISO/OSI stack layers and copy some 
> interesting information (such as MAC source and destination, IP source 
> and destination and in the case of  a TCP packet the sequence number) 
> into an utility structure that I  use later to process the packet

I was referring to strcating a null string onto an existing string. That's a 
null operation.

> > >        d_ip_packet->dst_ip_address = 
> > > strcpy(d_ip_packet->dst_ip_address,inet_ntoa(ip->ip_dst));
> > >        strcat(d_ip_packet->src_ip_address,"\0");
> >
> > 5. And here?
> >
> > >        d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG 
> > > HERE! sequence number is not correct
>
> Here I copy the TCP sequence number to my utility structure.

Another null strcat, this time using what appears to be the wrong destination field.

> > 6. Not correct, but how? Unrelated? Byte-swapped? Shifted?
> Well, I do not know how to answer to this question. What I can say is 
> that a sequence number appears several times,  a repeating TCP sequence 
> number that I got is for example 819974287

Look at the value in hex, in this case 30DFD08F. Now load the same packet in 
ethereal and look at the packet data in the bottom pane. See if you see those 
bytes, or their reversal. If so, locate the corresponding fields in the 
structural view. If you can do that you'll have some orientation and you can 
figure out where you're off.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.