Re: Wrong tcp sequence numbers???

[Claudio Lavecchia <Claudio.Lavecchia () eurecom fr>]

Jefferson Ogata wrote:

> Claudio Lavecchia wrote:
>
> > I am using a libpcap based packet dissector to sniff WLAN traffic:
> >
> > I read tcp packets using the structure:
> >
> > struct sniff_tcp {
> >        u_short th_sport;                       /* source port */
> >        u_short th_dport;                       /* destination port */
> >        tcp_seq th_seq;                         /* sequence number */
> >        tcp_seq th_ack;                         /* acknowledgement 
> > number */
>
> [snip]
>
> 1. What is the typedef for tcp_seq?

Here follows the typedef

typedef    u_int32_t tcp_seq;

> >        //u_int th_seq;                           /* sequence number */
> >        //u_int th_ack;                           /* acknowledgement 
> > number */
>
> [snip]
>
> > but in my code when I try to read the tcp sequence numbers, I get 
> > very odd values of sequence number. Here follows the code snippet I 
> > use to read sequence number. The values I get do not correspond to 
> > the ones I read using ethereal, for example.
>
>
> 2. What do you mean by "odd"?

I mean that they are not the same that I can observe in Ethereal, 
moreover I mean that the same sequence number can appear a lot of times.

> > //-------------------- CODE 
> > SNIPPET----------------------------------------
> >        /* This pointer points to the beginning of the IP packet */
> >        ip = (struct sniff_ip*)(packet + size_ethernet);
> >        /* This pointer points to the beginning of the TCP packet */
> >        tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
>
>
> 3. How do you calculate size_ip?


int size_ip = sizeof(struct sniff_ip);

Where struct sniff_ip is the structure used to decode IP packets in the 
packet dissectors based on libpcap available on the web (cfr. sniffer.c)

> >        // The payload represents the application data
> >        d_ip_packet->payload = (u_char *)(packet + size_ethernet + 
> > size_ip + size_tcp);
> >
> >        /* Interesting portion of the IP header */
> >        d_ip_packet->src_ip_address = 
> > strcpy(d_ip_packet->src_ip_address,inet_ntoa(ip->ip_src));
> >        strcat(d_ip_packet->src_ip_address,"\0");
>
>
> 4. What are you trying to achieve here?


I inspect  a packet at different ISO/OSI stack layers and copy some 
interesting information (such as MAC source and destination, IP source 
and destination and in the case of  a TCP packet the sequence number) 
into an utility structure that I  use later to process the packet

> >        d_ip_packet->dst_ip_address = 
> > strcpy(d_ip_packet->dst_ip_address,inet_ntoa(ip->ip_dst));
> >        strcat(d_ip_packet->src_ip_address,"\0");
>
>
> 5. And here?
>
> >        d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG 
> > HERE! sequence number is not correct

Here I copy the TCP sequence number to my utility structure.

> 6. Not correct, but how? Unrelated? Byte-swapped? Shifted?
Well, I do not know how to answer to this question. What I can say is 
that a sequence number appears several times,  a repeating TCP sequence 
number that I got is for example 819974287

Thx claudio
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.