  1. Tcpdump: Sequence and acknowledgement number mismatch with libpcap
<p>I am writing an app where I am printing TCP sequence and ack numbers. I ran tcpdump on the same box and the numbers do not match. Here is my code, all headers and structures are from <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;ved=0CCIQFjAA&amp;url=http://www.tcpdump.org/sniffex.c&amp;ei=3_toUKOUK4XA9gTQ4oHoBA&amp;usg=AFQjCNG06vPZLcb_gnMas5sM1m7uu5K53A&amp;sig2=pdfscbubzfUEDSZdGEuwcQ" rel="nofollow">sniffex.c</a></p>
<pre><code>void
got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    static int count = 1;                   /* packet counter */

    /* declare pointers to packet headers */
    const struct sniff_ethernet *ethernet;  /* The ethernet header [1] */
    const struct sniff_ip *ip;              /* The IP header */
    const struct sniff_tcp *tcp;            /* The TCP header */

    int size_ip;
    int size_tcp;
    int size_payload;

    count++;

    /* define ethernet header */
    ethernet = (struct sniff_ethernet*)(packet);

    /* define/compute ip header offset */
    ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
    size_ip = IP_HL(ip)*4;
    if (size_ip &lt; 20) {
        printf(" * Invalid IP header length: %u bytes\n", size_ip);
        return;
    }

    /* determine protocol */
    switch(ip-&gt;ip_p) {
        case IPPROTO_TCP:
            printf(" Protocol: TCP\n");
            break;
        case IPPROTO_UDP:
            printf(" Protocol: UDP\n");
            return;
        case IPPROTO_ICMP:
            printf(" Protocol: ICMP\n");
            return;
        case IPPROTO_IP:
            printf(" Protocol: IP\n");
            return;
        default:
            printf(" Protocol: unknown\n");
            return;
    }

    /* define/compute tcp header offset */
    tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
    size_tcp = TH_OFF(tcp)*4;
    if (size_tcp &lt; 20) {
        printf(" * Invalid TCP header length: %u bytes\n", size_tcp);
        return;
    }

    std::cout &lt;&lt; "Packet# " &lt;&lt; count &lt;&lt; " S " &lt;&lt; tcp-&gt;th_seq &lt;&lt; " A " &lt;&lt; tcp-&gt;th_ack &lt;&lt; "\n";
}
</code></pre>
<p>And this prints:</p>
<pre><code>Packet# 2 S 1063936835 A 1371648504
Packet# 3 S 1080714051 A 1975693816
Packet# 4 S 1080714051 A 1975693816
Packet# 5 S 141321027 A 2730734072
Packet# 6 S 2960220995 A 2730734072
Packet# 7 S 1484219203 A 2730734072
Packet# 8 S 8217411 A 2730734072
Packet# 9 S 2827117379 A 2730734072
Packet# 10 S 1351115587 A 2730734072
</code></pre>
<p>I ran tcpdump to record a pcap file as:</p>
<pre><code># sudo tcpdump -n -i eth0 -S -n -w cache.cap 'tcp and src port 80'
</code></pre>
<p>And then inspected it with</p>
<pre><code># sudo tcpdump -S -ttttnnr cache.cap
reading from file cache.cap, link-type EN10MB (Ethernet)
2012-09-30 18:52:58.110398 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [S.], seq 1130588735, ack 4172398929, win 14480, options [mss 1460,sackOK,TS val 71597136 ecr 71595534,nop,wscale 3], length 0
2012-09-30 18:52:58.110925 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], ack 4172399221, win 1944, options [nop,nop,TS val 71597136 ecr 71595534], length 0
2012-09-30 18:52:58.116146 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [P.], seq 1130588736:1130589192, ack 4172399221, win 1944, options [nop,nop,TS val 71597137 ecr 71595534], length 456
2012-09-30 18:52:58.173321 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], seq 1130589192:1130590640, ack 4172399522, win 2078, options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173388 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], seq 1130590640:1130592088, ack 4172399522, win 2078, options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173517 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], seq 1130592088:1130593536, ack 4172399522, win 2078, options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173583 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], seq 1130593536:1130594984, ack 4172399522, win 2078, options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173620 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], seq 1130594984:1130596432, ack 4172399522, win 2078, options [nop,nop,TS val 71597152 ecr 71595549], length 1448
2012-09-30 18:52:58.173656 IP 192.168.122.11.80 &gt; 192.168.122.22.7001: Flags [.], seq 1130596432:1130597880, ack 4172399522, win 2078, options [nop,nop,TS val 71597152 ecr 71595549], length 1448
</code></pre>
<p>The sequence and ack numbers do not match. What am I missing here?</p>
<p>In my application, the filter is the same: 'tcp and src port 80'</p>
<p><strong>EDIT</strong> I changed</p>
<pre><code>std::cout &lt;&lt; "Packet# " &lt;&lt; count &lt;&lt; " S " &lt;&lt; tcp-&gt;th_seq &lt;&lt; " A " &lt;&lt; tcp-&gt;th_ack &lt;&lt; "\n";
</code></pre>
<p>to</p>
<pre><code>std::cout &lt;&lt; "Packet# " &lt;&lt; count &lt;&lt; " S " &lt;&lt; ntohl(tcp-&gt;th_seq) &lt;&lt; " A " &lt;&lt; ntohl(tcp-&gt;th_ack) &lt;&lt; "\n";
</code></pre>
<p>Now the output is</p>
<pre><code>Packet# 2 S 1384921720 A 3111642711
Packet# 3 S 1384921721 A 3111643003
Packet# 4 S 1384921721 A 3111643003
Packet# 5 S 1384922177 A 3111643304
Packet# 6 S 1384923625 A 3111643304
Packet# 7 S 1384925073 A 3111643304
Packet# 8 S 1384926521 A 3111643304
Packet# 9 S 1384927969 A 3111643304
Packet# 10 S 1384929417 A 3111643304
</code></pre>
<p>Still does not match.</p>
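An added example, not part of the original post, that checks the numbers quoted above: byte-swapping the raw values of the first listing reproduces the first tcpdump line, and the ack column printed after the `ntohl()` change advances by the same offsets as tcpdump's, differing only in its starting value. That pattern is what captures of two separate connections with different initial sequence numbers would produce (an inference from the figures, not something the post states). The helper names `rd32`, `tcp_seq`, `tcp_ack`, `bswap32` and `same_progression` are hypothetical, and the header bytes are constructed from the first tcpdump line.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit network-order field; memcpy avoids unaligned access. */
static uint32_t rd32(const unsigned char *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}
/* Sequence number is at byte offset 4 of the TCP header, ack at 8. */
uint32_t tcp_seq(const unsigned char *tcp) { return rd32(tcp + 4); }
uint32_t tcp_ack(const unsigned char *tcp) { return rd32(tcp + 8); }

/* Value seen when a wire-order field is printed raw on a little-endian host. */
uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* 1 if both traces advance by the same offsets from their first value.
   uint32_t subtraction wraps modulo 2^32, as TCP sequence space does. */
int same_progression(const uint32_t *a, const uint32_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((uint32_t)(a[i] - a[0]) != (uint32_t)(b[i] - b[0]))
            return 0;
    return 1;
}

/* Constructed: first 12 bytes of the TCP header for the page's first
   tcpdump line (port 80 > 7001, seq 1130588735, ack 4172398929). */
const unsigned char first_hdr[12] = {
    0x00, 0x50, 0x1b, 0x59, 0x43, 0x63, 0x6a, 0x3f, 0xf8, 0xb1, 0xc1, 0x51 };

/* Ack columns copied from the page: tcpdump -S, then the ntohl() output. */
const uint32_t dump_ack[9] = { 4172398929u, 4172399221u, 4172399221u,
    4172399522u, 4172399522u, 4172399522u, 4172399522u, 4172399522u, 4172399522u };
const uint32_t app_ack[9] = { 3111642711u, 3111643003u, 3111643003u,
    3111643304u, 3111643304u, 3111643304u, 3111643304u, 3111643304u, 3111643304u };

int main(void) {
    printf("seq %u ack %u\n", (unsigned)tcp_seq(first_hdr), (unsigned)tcp_ack(first_hdr));
    printf("raw 1063936835 swapped: %u\n", (unsigned)bswap32(1063936835u));
    printf("same ack progression: %d\n", same_progression(dump_ack, app_ack, 9));
    return 0;
}
```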
 
