Re: tcp sequence and ack number with libpcap

["Luis MartinGarcia." <luis.mgarc () gmail com>]

On 08/19/2010 04:23 PM, Andrej van der Zee wrote:
> Hi,
>
> I am trying to get the TCP sequence and ack number of TCP packets. Somehow I
> get different values than "tcpdump -vv" does. The numbers are way too big
> all the time. Source and destination ports are just fine. Below the relevant
> code. I studied the tcpdump source code but can't find why. Please help, I
> am stuck!
>
> Thank you,
> Andrej
>
>
> #define ETHER_HDRLEN    14
>
> typedef u_int32_t tcp_seq;
>
> struct tcphdr {
>   u_int16_t       th_sport;               /* source port */
>   u_int16_t       th_dport;               /* destination port */
>   tcp_seq         th_seq;                 /* sequence number */
>   tcp_seq         th_ack;                 /* acknowledgement number */
>   u_int8_t        th_offx2;               /* data offset, rsvd */
>   u_int8_t        th_flags;
>   u_int16_t       th_win;                 /* window */
>   u_int16_t       th_sum;                 /* checksum */
>   u_int16_t       th_urp;                 /* urgent pointer */
> };
>
> static void handle_packet(unsigned char * ifile, const struct pcap_pkthdr *
> h, const u_char * sp)
> {
>   const struct ip * ip = (struct ip *) (sp + ETHER_HDRLEN);
>   const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN
> + sizeof(struct iphdr));
>
>   tcp_seq seq = htonl(tcp_hdr->th_seq);
>   tcp_seq ack = htonl(tcp_hdr->th_ack);
>
>   fprintf(stdout,"seq %u ack %u", seq, ack);
> }
>
>   

Andrej,

I think you are performing your byte ordering conversion wrong. Seq and
Ack values are transmitted in network byte order so you need to perform
a "network to host long" conversion, and for that, you need to user
ntohl(), not htonl().

Regards,

Luis.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.