tcpdump mailing list archives
Re: Wrong tcp sequence numbers???
From: Claudio Lavecchia <Claudio.Lavecchia () eurecom fr>
Date: Wed, 22 Sep 2004 14:02:28 +0200
Jefferson Ogata wrote:
Claudio Lavecchia wrote:I am using a libpcap based packet dissector to sniff WLAN traffic: I read tcp packets using the structure: struct sniff_tcp { u_short th_sport; /* source port */ u_short th_dport; /* destination port */ tcp_seq th_seq; /* sequence number */tcp_seq th_ack; /* acknowledgement number */[snip] 1. What is the typedef for tcp_seq?
Here follows the typedef typedef u_int32_t tcp_seq;
//u_int th_seq; /* sequence number *///u_int th_ack; /* acknowledgement number */[snip]but in my code when I try to read the tcp sequence numbers, I get very odd values of sequence number. Here follows the code snippet I use to read sequence number. The values I get do not correspond to the ones I read using ethereal, for example.2. What do you mean by "odd"?
I mean that they are not the same that I can observe in Ethereal, moreover I mean that the same sequence number can appear a lot of times.
//-------------------- CODE SNIPPET----------------------------------------/* This pointer points to the beginning of the IP packet */ ip = (struct sniff_ip*)(packet + size_ethernet); /* This pointer points to the beginning of the TCP packet */ tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);3. How do you calculate size_ip?
int size_ip = sizeof(struct sniff_ip);Where struct sniff_ip is the structure used to decode IP packets in the packet dissectors based on libpcap available on the web (cfr. sniffer.c)
// The payload represents the application datad_ip_packet->payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);/* Interesting portion of the IP header */d_ip_packet->src_ip_address = strcpy(d_ip_packet->src_ip_address,inet_ntoa(ip->ip_src));strcat(d_ip_packet->src_ip_address,"\0");4. What are you trying to achieve here?
I inspect a packet at different ISO/OSI stack layers and copy some interesting information (such as MAC source and destination, IP source and destination and in the case of a TCP packet the sequence number) into an utility structure that I use later to process the packet
d_ip_packet->dst_ip_address = strcpy(d_ip_packet->dst_ip_address,inet_ntoa(ip->ip_dst));strcat(d_ip_packet->src_ip_address,"\0");5. And here?d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG HERE! sequence number is not correct
Here I copy the TCP sequence number to my utility structure.
Well, I do not know how to answer to this question. What I can say is that a sequence number appears several times, a repeating TCP sequence number that I got is for example 8199742876. Not correct, but how? Unrelated? Byte-swapped? Shifted?
Thx claudio - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- Wrong tcp sequence numbers??? Claudio Lavecchia (Sep 21)
- Re: Wrong tcp sequence numbers??? Jefferson Ogata (Sep 21)
- Re: Wrong tcp sequence numbers??? ronnie sahlberg (Sep 21)
- Re: Wrong tcp sequence numbers??? Claudio Lavecchia (Sep 22)
- Re: Wrong tcp sequence numbers??? Jefferson Ogata (Sep 22)
- Re: Wrong tcp sequence numbers??? Guy Harris (Sep 22)
- Re: Wrong tcp sequence numbers??? Jefferson Ogata (Sep 21)