On 08/19/2010 04:23 PM, Andrej van der Zee wrote:
> Hi,
>
> I am trying to get the TCP sequence and ack number of TCP packets. Somehow I
> get different values than "tcpdump -vv" does. The numbers are way too big
> all the time. Source and destination ports are just fine. Below the relevant
> code. I studied the tcpdump source code but can't find why. Please help, I
> am stuck!
>
> Thank you,
> Andrej
>
>
> #define ETHER_HDRLEN 14
>
> typedef u_int32_t tcp_seq;
>
> struct tcphdr {
>     u_int16_t th_sport;   /* source port */
>     u_int16_t th_dport;   /* destination port */
>     tcp_seq   th_seq;     /* sequence number */
>     tcp_seq   th_ack;     /* acknowledgement number */
>     u_int8_t  th_offx2;   /* data offset, rsvd */
>     u_int8_t  th_flags;
>     u_int16_t th_win;     /* window */
>     u_int16_t th_sum;     /* checksum */
>     u_int16_t th_urp;     /* urgent pointer */
> };
>
> static void handle_packet(unsigned char * ifile, const struct pcap_pkthdr * h, const u_char * sp)
> {
>     const struct ip * ip = (struct ip *) (sp + ETHER_HDRLEN);
>     const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + sizeof(struct iphdr));
>
>     tcp_seq seq = htonl(tcp_hdr->th_seq);
>     tcp_seq ack = htonl(tcp_hdr->th_ack);
>
>     fprintf(stdout,"seq %u ack %u", seq, ack);
> }
>
Andrej,

I think you are performing your byte ordering conversion wrong. Seq and Ack values are transmitted in network byte order so you need to perform a "network to host long" conversion, and for that, you need to use ntohl(), not htonl().

Regards,
Luis.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
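Added example, not code from the thread: a self-contained parser that pulls seq/ack out of a constructed Ethernet/IPv4/TCP frame with ntohl(), takes the TCP header offset from the IP header's IHL field instead of sizeof(struct iphdr) so IP options cannot shift it, and checks the captured length before touching any field; the frame bytes, function names and values are constructed for this example. tcpdump also prints sequence numbers relative to the first one it saw unless -S is given, which is another reason hand-decoded absolute numbers look far larger than its output.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ETHER_HDRLEN 14
/* Constructed Ethernet + IPv4 (no options) + TCP frame. seq = 0x12345678 and
   ack = 0x9abcdef0 are stored big-endian, exactly as they appear on the wire. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4, IHL 5, proto 6 */
    10,0,0,1, 10,0,0,2,                                                     /* src, dst */
    0x04,0xd2, 0x00,0x50,                                                   /* TCP 1234 -> 80 */
    0x12,0x34,0x56,0x78, 0x9a,0xbc,0xde,0xf0,                               /* seq, ack */
    0x50,0x10, 0xff,0xff, 0x00,0x00, 0x00,0x00,                             /* off 5, ACK, win, sum, urp */
};

/* Returns 0 and fills seq/ack (host order) for an IPv4/TCP frame, -1 if the
   frame is not IPv4/TCP or too short. Offsets come from the IHL field instead
   of sizeof(struct iphdr), so IP options cannot shift the TCP header. */
int parse_tcp_seq_ack(const uint8_t *pkt, size_t len, uint32_t *seq, uint32_t *ack)
{
    if (len < ETHER_HDRLEN + 20) return -1;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return -1;   /* EtherType must be IPv4 */
    const uint8_t *ip = pkt + ETHER_HDRLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    if (len < ETHER_HDRLEN + ihl + 20) return -1;         /* whole TCP header must fit */
    const uint8_t *tcp = ip + ihl;
    uint32_t raw_seq, raw_ack;
    memcpy(&raw_seq, tcp + 4, 4);                         /* memcpy: no unaligned loads */
    memcpy(&raw_ack, tcp + 8, 4);
    *seq = ntohl(raw_seq);                                /* network (big-endian) to host */
    *ack = ntohl(raw_ack);
    return 0;
}

/* tcpdump shows sequence numbers relative to the first one it saw unless -S
   is given; unsigned subtraction reproduces that, wrap-around included. */
uint32_t relative_seq(uint32_t seq, uint32_t first_seq) { return seq - first_seq; }

int main(void)
{
    uint32_t seq, ack;
    if (parse_tcp_seq_ack(sample_frame, sizeof sample_frame, &seq, &ack) != 0) return 1;
    printf("seq %u ack %u\n", seq, ack);   /* seq 305419896 ack 2596069104 */
    return 0;
}
```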