Re: tcp sequence and ack number with libpcap

[Andrej van der Zee <andrejvanderzee () gmail com>]

Hi,

Thanks for your replies.

Is there a simple way to get the relative numbers as well? My problem  
is that i am trying to match tcp packets on both ends of the  
conversation, ie from two pcap files captuered on two different hosts.  
I use the seq and ack numbers, among other fields, to do the matching.  
But somehow for two particulare tcpdump files the seq and ack never  
match in my program. Though, when i match packets manually with  
"tcpdump -vv" i can. So now i am hoping that a relative seq and ack  
number would solve my misunderstanding. Or is this silly?

Thank you,
Andrej




On 2010/08/19, at 23:48, Mark Bednarczyk <voytechs () yahoo com> wrote:

> Its probably because tcpdump reports seq/ack numbers as relative  
> from the start of that particular tcp stream and what you are  
> getting from the structure are raw/absolute numbers.
>
> The other  typical problem with reading the structure field is to  
> read it using little-endian byte encoding instead of big-endian  
> (network byte order), but I see you use htonl in your code which is  
> correct.
>
> Try -S option with tcpdump to get "absolute" numbers.
>
> Cheers,
> mark...
>
> --- On Thu, 8/19/10, Andrej van der Zee <andrejvanderzee () gmail com>  
> wrote:
>
> > From: Andrej van der Zee <andrejvanderzee () gmail com>
> > Subject: [tcpdump-workers] tcp sequence and ack number with libpcap
> > To: tcpdump-workers () lists tcpdump org
> > Date: Thursday, August 19, 2010, 9:23 AM
> > Hi,
> >
> > I am trying to get the TCP sequence and ack number of TCP
> > packets. Somehow I
> > get different values than "tcpdump -vv" does. The numbers
> > are way too big
> > all the time. Source and destination ports are just fine.
> > Below the relevant
> > code. I studied the tcpdump source code but can't find why.
> > Please help, I
> > am stuck!
> >
> > Thank you,
> > Andrej
> >
> >
> > #define ETHER_HDRLEN    14
> >
> > typedef u_int32_t tcp_seq;
> >
> > struct tcphdr {
> >   u_int16_t
> >    th_sport;
> >        /* source port */
> >   u_int16_t
> >    th_dport;
> >        /* destination port */
> >   tcp_seq
> >    th_seq;
> >        /* sequence number */
> >   tcp_seq
> >    th_ack;
> >        /* acknowledgement number
> > */
> >   u_int8_t        th_offx2;
> >              /* data
> > offset, rsvd */
> >   u_int8_t        th_flags;
> >   u_int16_t
> >    th_win;
> >        /* window */
> >   u_int16_t
> >    th_sum;
> >        /* checksum */
> >   u_int16_t
> >    th_urp;
> >        /* urgent pointer */
> > };
> >
> > static void handle_packet(unsigned char * ifile, const
> > struct pcap_pkthdr *
> > h, const u_char * sp)
> > {
> >   const struct ip * ip = (struct ip *) (sp +
> > ETHER_HDRLEN);
> >   const struct tcphdr * tcp_hdr = (const struct tcphdr
> > *)(sp + ETHER_HDRLEN
> > + sizeof(struct iphdr));
> >
> >   tcp_seq seq = htonl(tcp_hdr->th_seq);
> >   tcp_seq ack = htonl(tcp_hdr->th_ack);
> >
> >   fprintf(stdout,"seq %u ack %u", seq, ack);
> > }
> > -
> > This is the tcpdump-workers list.
> > Visit https://cod.sandelman.ca/ to unsubscribe.
>
>
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.