tcpdump mailing list archives

Re: tcp sequence and ack number with libpcap


From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Fri, 20 Aug 2010 10:16:24 +1000

The "relative" numbers are not part of the packet/protocol.

The absolute ones are what the actual packets contain.


To get relative numbers you would need some code.
You basically need to keep a list of every single tcp connection you
see, based on ip:port - ip:port.
First time you see a TCP packet for a conversation you have never seen
before, you create a record for this tcp connection and store the
sequence and acknowledge number.
(You use the ack number here as the "sequence number in the other direction".)
This list is then used to store the very first seq/ack number you have
ever seen for that tcp connection.


Later, every time you decode and print a seq/ack number, you look that
packet's conversation up from the list, then you grab the seq/ack
numbers from the packet, subtract the "original" numbers from the list,
and print the difference.
I.e. instead of printing packet->sequence
you need to print packet->sequence -
list_of_all_tcp_connections(this_packet)->first_sequence_number.


Since you may have very many such conversations in your
list_of_all_tcp_connections() you probably want to implement this
as a red-black tree or similar fast access type of data structure.


You also need some special handling for SYN packets, since these ONLY
contain a valid sequence number, but a random/garbage/uninitialized
ack number.
On Fri, Aug 20, 2010 at 9:15 AM, Andrej van der Zee
<andrejvanderzee () gmail com> wrote:
Hi,



 const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + IP_HL(ip));

This is surely wrong.
The size of the IP header is IP_HL(ip)*4  not IP_HL(ip)


Thank you very much! Now I do get the same seq and ack number for my app
and tcpdump -vv.


Though, unfortunately I turn out to need the relative sequence and ack
number. How do I get those?

Thank you,
Andrej
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
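The conversation table Ronnie describes above, written out as an added example (not code from either poster): each 4-tuple gets a record holding the first seq seen in each direction, the first ack seen is used as the base for the other direction, and a packet without the ACK flag (the initial SYN) contributes only its seq. Addresses, ports and byte order are assumed to be host-order values already pulled out of the IP/TCP headers; the fixed-size array stands in for the red-black tree a real tool would use.

```c
#include <stdint.h>
#include <string.h>
#define TH_SYN 0x02          /* TCP flag bits, same values as in <netinet/tcp.h> */
#define TH_ACK 0x10
#define MAX_CONNS 64         /* constructed limit; a real tool would use a tree */

/* One record per conversation: endpoint A is whoever sent the first packet seen. */
struct conn {
    uint32_t ip_a, ip_b;  uint16_t port_a, port_b;
    uint32_t isn_a, isn_b;    /* first seq seen (or implied via ack) per direction */
    int have_a, have_b;       /* whether isn_a / isn_b has been established */
};
static struct conn table[MAX_CONNS];
static int n_conns;

/* Find the conversation for this 4-tuple, creating it on first sight.
 * *fwd is set to 1 when the packet travels A->B, 0 for B->A. */
static struct conn *lookup(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp, int *fwd)
{
    for (int i = 0; i < n_conns; i++) {
        struct conn *c = &table[i];
        if (c->ip_a == sip && c->port_a == sp && c->ip_b == dip && c->port_b == dp) { *fwd = 1; return c; }
        if (c->ip_a == dip && c->port_a == dp && c->ip_b == sip && c->port_b == sp) { *fwd = 0; return c; }
    }
    if (n_conns == MAX_CONNS) return NULL;
    struct conn *c = &table[n_conns++];
    memset(c, 0, sizeof *c);
    c->ip_a = sip; c->port_a = sp; c->ip_b = dip; c->port_b = dp;
    *fwd = 1;
    return c;
}

/* Turn absolute seq/ack (host byte order) into relative ones. Returns 0 if the
 * table is full. A packet without ACK set (e.g. the initial SYN) carries a
 * garbage ack field, so only its seq is used and its rel_ack is reported as 0. */
int relative_seq_ack(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp, uint8_t flags,
                     uint32_t seq, uint32_t ack, uint32_t *rel_seq, uint32_t *rel_ack)
{
    int fwd;
    struct conn *c = lookup(sip, sp, dip, dp, &fwd);
    if (!c) return 0;
    uint32_t *my_isn = fwd ? &c->isn_a : &c->isn_b, *peer_isn = fwd ? &c->isn_b : &c->isn_a;
    int *have_my = fwd ? &c->have_a : &c->have_b, *have_peer = fwd ? &c->have_b : &c->have_a;
    if (!*have_my) { *my_isn = seq; *have_my = 1; }                            /* first seq this way */
    if ((flags & TH_ACK) && !*have_peer) { *peer_isn = ack; *have_peer = 1; }  /* ack = peer's base */
    *rel_seq = seq - *my_isn;                  /* unsigned subtraction survives 32-bit wrap */
    *rel_ack = (flags & TH_ACK) ? ack - *peer_isn : 0;
    return 1;
}
```

Feeding a normal handshake through it yields the 0/0, 0/1, 1/1 progression that tcpdump and Wireshark print for relative numbers, and a capture that starts mid-stream simply gets 0 as its baseline, exactly as the list approach above implies.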