tcphdr structure byteorder

peradox · 04-17-2005, 10:59 PM

Ok, I've been learning some raw sockets, which involved learning about the tcphdr, etc structures; Now I have found out that when I try to extract the port numbers (the source and dest fields) from the TCP header structure, I need to use ntohs() to get correct numbers. If it makes any difference, I'm using the non-BSD version (#ifndef __FAVOR_BSD)

However, when I compare my sniffer with tcpdump, tcpdump gets different sequence and acknowledgement numbers than my sniffer. Now to the question:
Do I need to use ntohs() on the other fields? (I am assuming no, because all the other fields are declared outside of the Pre-Processor if-else sequence relating to the endian)

Or maybe is it normal that I get different seq and ack numbers than tcpdump; because I have tried with both ntohs() and without, and have gotten different numbers anyway. (Yes, I used the -S option on tcpdump).

And also, If I am totally out in the blue, could someone give me a shove in the right direction?

Thanks!!!

bithub · 04-17-2005, 11:43 PM

Quote:

However, when I compare my sniffer with tcpdump, tcpdump gets different sequence and acknowledgement numbers than my sniffer. Now to the question:

Pass -S to tcpdump to get absolute instead of relative sequence numbers.

peradox · 04-18-2005, 04:35 PM

Quote:

Originally Posted by peradox

(Yes, I used the -S option on tcpdump).

So yah...

bithub · 04-18-2005, 08:58 PM

oops, somehow I missed that. Are your sequence numbers correct in their incrementation, or are they off? Do they match the ACK numbers?

peradox · 04-20-2005, 08:34 PM

Yes, they are correct, as they match the ACK numbers, etc...
They are just not the same as tcpdump...
I'm going to try how it is with ethereal...

bithub · 04-20-2005, 09:56 PM

ethereal uses the same packet capture library as tcpdump, so the results should be the same.

Xipher · 04-27-2005, 12:09 PM

With network packets, every thing but the data itself (and sometimes even then, depends on the applications protocol) is in network (big endian I believe) byte order, so yes, you do need to use the network to host calls. Now on some archetectures, its not required, since they already use that format, but its better to use them any ways, so your program can be compiled on other archs with less hassle. So IP header, TCP header, UDP, SCTP, all should have thier sections in network byte order.

04-17-2005, 10:59 PM	#1
peradox Registered User Join Date: Feb 2005 Posts: 23	tcphdr structure byteorder Ok, I've been learning some raw sockets, which involved learning about the tcphdr, etc structures; Now I have found out that when I try to extract the port numbers (the source and dest fields) from the TCP header structure, I need to use ntohs() to get correct numbers. If it makes any difference, I'm using the non-BSD version (#ifndef __FAVOR_BSD) However, when I compare my sniffer with tcpdump, tcpdump gets different sequence and acknowledgement numbers than my sniffer. Now to the question: Do I need to use ntohs() on the other fields? (I am assuming no, because all the other fields are declared outside of the Pre-Processor if-else sequence relating to the endian) Or maybe is it normal that I get different seq and ack numbers than tcpdump; because I have tried with both ntohs() and without, and have gotten different numbers anyway. (Yes, I used the -S option on tcpdump). And also, If I am totally out in the blue, could someone give me a shove in the right direction? Thanks!!!
peradox is offline

04-18-2005, 08:58 PM	#4
bithub Registered User Join Date: Sep 2004 Location: California Posts: 3,020	oops, somehow I missed that. Are your sequence numbers correct in their incrementation, or are they off? Do they match the ACK numbers?
bithub is offline

04-20-2005, 08:34 PM	#5
peradox Registered User Join Date: Feb 2005 Posts: 23	Yes, they are correct, as they match the ACK numbers, etc... They are just not the same as tcpdump... I'm going to try how it is with ethereal...
peradox is offline

04-20-2005, 09:56 PM	#6
bithub Registered User Join Date: Sep 2004 Location: California Posts: 3,020	ethereal uses the same packet capture library as tcpdump, so the results should be the same.
bithub is offline

04-27-2005, 12:09 PM	#7
Xipher Registered User Join Date: Sep 2004 Posts: 197	With network packets, every thing but the data itself (and sometimes even then, depends on the applications protocol) is in network (big endian I believe) byte order, so yes, you do need to use the network to host calls. Now on some archetectures, its not required, since they already use that format, but its better to use them any ways, so your program can be compiled on other archs with less hassle. So IP header, TCP header, UDP, SCTP, all should have thier sections in network byte order. __________________ If any part of my post is incorrect, please correct me. This post is not guarantied to be correct, and is not to be taken as a matter of fact, but of opinion or a guess, unless otherwise noted.
Xipher is offline

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Problem referencing structure elements by pointer	trillianjedi	C Programming	19	06-13-2008 05:46 PM
How to call a function several times, but with a different structure as argument?	mabuhay	C Programming	5	02-14-2006 09:04 AM
Dikumud	maxorator	C++ Programming	1	10-01-2005 06:39 AM
Serial Communications in C	ExDigit	Windows Programming	7	01-09-2002 10:52 AM
C structure within structure problem, need help	Unregistered	C Programming	5	11-30-2001 05:48 PM