tcpdump mailing list archives
Re: tcp sequence and ack number with libpcap
From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Fri, 20 Aug 2010 08:56:06 +1000
const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + IP_HL(ip)); This is surely wrong. The size of the IP header is IP_HL(ip)*4 not IP_HL(ip) On Fri, Aug 20, 2010 at 7:29 AM, Andrej van der Zee <andrejvanderzee () gmail com> wrote:
Hi,static void handle_packet(unsigned char * ifile, const struct pcap_pkthdr * h, const u_char * sp) { const struct ip * ip = (struct ip *) (sp + ETHER_HDRLEN); const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + sizeof(struct iphdr));You are assuming that the IP header length is constant (sizeof(struct iphdr)), but it's not. You need to get the IP header length from the the IP header itself.Source port and dest number seem to be ok, so I guess this is not the problem. Nevertheless, I tried the code below but it does not make a difference. Why do I get those weird seq and ack numbers? I am really stuck... Thanks, Andrej struct ip { u_int8_t ip_vhl; /* header length, version */ #define IP_V(ip) (((ip)->ip_vhl & 0xf0) >> 4) #define IP_HL(ip) ((ip)->ip_vhl & 0x0f) u_int8_t ip_tos; /* type of service */ u_int16_t ip_len; /* total length */ u_int16_t ip_id; /* identification */ u_int16_t ip_off; /* fragment offset field */ #define IP_DF 0x4000 /* dont fragment flag */ #define IP_MF 0x2000 /* more fragments flag */ #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ u_int8_t ip_ttl; /* time to live */ u_int8_t ip_p; /* protocol */ u_int16_t ip_sum; /* checksum */ struct in_addr ip_src,ip_dst; /* source and dest address */ }; static void handle_packet(unsigned char * ifile, const struct pcap_pkthdr * h, const u_char * sp) { const struct ip * ip = (struct ip *) (sp + ETHER_HDRLEN); const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + IP_HL(ip)); tcp_seq seq = ntohl(tcp_hdr->th_seq); tcp_seq ack = ntohl(tcp_hdr->th_ack); fprintf(stdout,"seq %u ack %u", seq, ack); } - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Re: tcp sequence and ack number with libpcap, (continued)
- Re: tcp sequence and ack number with libpcap Gert Doering (Aug 19)
- Re: tcp sequence and ack number with libpcap Gianluca Varenni (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Gianluca Varenni (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Rick Jones (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Gert Doering (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)