tcpdump mailing list archives

Re: tcp sequence and ack number with libpcap


From: Mark Bednarczyk <voytechs () yahoo com>
Date: Thu, 19 Aug 2010 07:48:48 -0700 (PDT)

It's probably because tcpdump reports seq/ack numbers as relative from the start of that particular tcp stream and what 
you are getting from the structure are raw/absolute numbers.

The other typical problem with reading the structure field is to read it using little-endian byte encoding instead of 
big-endian (network byte order), but I see you use htonl in your code which is correct.

Try the -S option with tcpdump to get "absolute" numbers.

Cheers,
mark...

--- On Thu, 8/19/10, Andrej van der Zee <andrejvanderzee () gmail com> wrote:

From: Andrej van der Zee <andrejvanderzee () gmail com>
Subject: [tcpdump-workers] tcp sequence and ack number with libpcap
To: tcpdump-workers () lists tcpdump org
Date: Thursday, August 19, 2010, 9:23 AM
Hi,

I am trying to get the TCP sequence and ack number of TCP packets. Somehow I
get different values than "tcpdump -vv" does. The numbers are way too big
all the time. Source and destination ports are just fine. Below the relevant
code. I studied the tcpdump source code but can't find why. Please help, I
am stuck!

Thank you,
Andrej


#include <stdio.h>
#include <netinet/in.h>   /* ntohl */
#include <netinet/ip.h>   /* struct ip */
#include <pcap.h>         /* struct pcap_pkthdr, u_char */

#define ETHER_HDRLEN    14

typedef u_int32_t tcp_seq;

struct tcphdr {
  u_int16_t   th_sport;       /* source port */
  u_int16_t   th_dport;       /* destination port */
  tcp_seq     th_seq;         /* sequence number */
  tcp_seq     th_ack;         /* acknowledgement number */
  u_int8_t    th_offx2;       /* data offset, rsvd */
  u_int8_t    th_flags;
  u_int16_t   th_win;         /* window */
  u_int16_t   th_sum;         /* checksum */
  u_int16_t   th_urp;         /* urgent pointer */
};

/* pcap_loop()/pcap_dispatch() callback: sp points at the Ethernet frame */
static void handle_packet(unsigned char * ifile, const struct pcap_pkthdr * h, const u_char * sp)
{
  const struct ip * ip = (const struct ip *) (sp + ETHER_HDRLEN);
  /* take the IP header length from the IHL field: with IP options it is
     longer than the fixed 20 bytes of sizeof(struct iphdr) */
  const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN + ip->ip_hl * 4);

  /* the fields are in network byte order; ntohl converts them to host order
     (htonl does the same swap in practice, ntohl just states the intent).
     These are absolute numbers, i.e. what "tcpdump -S" prints. */
  tcp_seq seq = ntohl(tcp_hdr->th_seq);
  tcp_seq ack = ntohl(tcp_hdr->th_ack);

  fprintf(stdout, "seq %u ack %u\n", seq, ack);
}
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.




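The following is an added example (not code from the thread, and not libpcap or tcpdump code) that shows both points raised above in one place: the seq/ack fields are read with ntohl() after locating the TCP header through the IP IHL field, and a small per-flow table turns the absolute numbers into tcpdump-style relative ones by subtracting the first sequence number seen for that direction. The Ethernet/IPv4/TCP frame it parses is constructed inline (addresses 10.0.0.1/10.0.0.2, ports 50000/80 and the sequence numbers are made up for the example); the constants and function names are this example's own, not libpcap's.

```c
/* Added example: absolute vs relative TCP sequence numbers (not from the thread). */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDRLEN   14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NUM 6
#define MAX_FLOWS      16

struct tcp_numbers {
    uint32_t src_ip, dst_ip;   /* host byte order */
    uint16_t sport, dport;     /* host byte order */
    uint32_t seq, ack;         /* absolute, host byte order (what "tcpdump -S" prints) */
};

/* Extract addresses, ports and absolute seq/ack from an Ethernet frame.
 * Returns 0 on success, -1 if the frame is truncated or not IPv4/TCP.
 * Header lengths come from the IHL and data-offset fields, not from assumptions. */
int parse_tcp_numbers(const uint8_t *frame, size_t len, struct tcp_numbers *out)
{
    if (len < ETHER_HDRLEN + 20) return -1;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4) return -1;

    const uint8_t *ip = frame + ETHER_HDRLEN;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ip_hl = (size_t)(ip[0] & 0x0f) * 4;          /* IHL in 32-bit words */
    if (ip_hl < 20 || len < ETHER_HDRLEN + ip_hl + 20) return -1;
    if (ip[9] != IPPROTO_TCP_NUM) return -1;

    const uint8_t *tcp = ip + ip_hl;
    size_t tcp_hl = (size_t)(tcp[12] >> 4) * 4;          /* data offset in 32-bit words */
    if (tcp_hl < 20 || len < ETHER_HDRLEN + ip_hl + tcp_hl) return -1;

    uint32_t v; uint16_t p;
    memcpy(&v, ip + 12, 4); out->src_ip = ntohl(v);
    memcpy(&v, ip + 16, 4); out->dst_ip = ntohl(v);
    memcpy(&p, tcp + 0, 2); out->sport = ntohs(p);
    memcpy(&p, tcp + 2, 2); out->dport = ntohs(p);
    memcpy(&v, tcp + 4, 4); out->seq = ntohl(v);         /* network -> host order */
    memcpy(&v, tcp + 8, 4); out->ack = ntohl(v);
    return 0;
}

/* Per-direction ISN table: the first sequence number seen for a
 * (src, dst, sport, dport) tuple becomes the base, which is what tcpdump
 * does by default when it prints relative numbers. */
struct flow_isn { uint32_t src_ip, dst_ip; uint16_t sport, dport; uint32_t isn; int used; };
static struct flow_isn flows[MAX_FLOWS];

/* Relative sequence number = seq - ISN; unsigned arithmetic handles 32-bit wrap. */
uint32_t relative_seq(const struct tcp_numbers *n)
{
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!flows[i].used) {           /* unseen flow: record its ISN */
            flows[i] = (struct flow_isn){ n->src_ip, n->dst_ip, n->sport, n->dport, n->seq, 1 };
            return 0;
        }
        if (flows[i].src_ip == n->src_ip && flows[i].dst_ip == n->dst_ip &&
            flows[i].sport == n->sport && flows[i].dport == n->dport)
            return n->seq - flows[i].isn;
    }
    return n->seq;                      /* table full: fall back to absolute */
}

/* Build a constructed 54-byte Ethernet/IPv4/TCP frame (no options) for testing. */
size_t make_frame(uint8_t *buf, uint32_t seq, uint32_t ack)
{
    static const uint8_t eth_ip[] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, type IPv4 */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,            /* IPv4, IHL 5, proto TCP */
        10,0,0,1, 10,0,0,2,                                                      /* 10.0.0.1 -> 10.0.0.2 */
    };
    memcpy(buf, eth_ip, sizeof eth_ip);
    uint8_t *tcp = buf + sizeof eth_ip;
    memset(tcp, 0, 20);
    tcp[0] = 0xc3; tcp[1] = 0x50;                    /* sport 50000 */
    tcp[2] = 0x00; tcp[3] = 0x50;                    /* dport 80 */
    uint32_t v = htonl(seq); memcpy(tcp + 4, &v, 4); /* host -> network order */
    v = htonl(ack);          memcpy(tcp + 8, &v, 4);
    tcp[12] = 0x50;                                  /* data offset 5 words */
    tcp[13] = 0x18;                                  /* PSH|ACK */
    tcp[14] = 0xff; tcp[15] = 0xff;                  /* window */
    return sizeof eth_ip + 20;
}

int main(void)
{
    uint8_t buf[64]; struct tcp_numbers n;
    uint32_t seqs[] = { 0x12345678u, 0x12345700u };  /* constructed: ISN, then ISN+136 */
    for (int i = 0; i < 2; i++) {
        size_t len = make_frame(buf, seqs[i], 0x9abcdef0u);
        if (parse_tcp_numbers(buf, len, &n) == 0)
            printf("seq %u (relative %u) ack %u\n", n.seq, relative_seq(&n), n.ack);
    }
    return 0;
}
```

The absolute value printed for the first frame (305419896) is what the structure read in the original callback yields and what "tcpdump -S" shows; the relative value (0, then 136) is what plain tcpdump output shows, which explains the mismatch the question describes.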

