Hi,
I am using the pcap library to sniff traffic. I am a newbie to network programming but still I managed to get a demo code working. Here is the function which is doing the actual logic:

Code:
/* callback function that is passed to pcap_loop(..) and called each time a packet is received */
void callback(u_char *useless, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    struct ether_header *ethheader;
    struct iphdr *ipheader;
    struct tcphdr *tcpheader;
    struct in_addr source, dest;

    //Points to ethernet header ** Will this header be constant for any type of connection??
    ethheader = (struct ether_header *)packet;

    //Points to IP header ** But how do we know IP is being used??
    ipheader = (struct iphdr *)(packet + sizeof(struct ether_header));

    //Points to TCP header ** But how do we know that TCP is being used?? could be UDP too...
    tcpheader = (struct tcphdr *)(packet + sizeof(struct ether_header) + sizeof(struct iphdr));

    //Points to the TCP Payload
    const u_char *payload = (const u_char *)(packet + sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr));

    source.s_addr = ipheader->saddr;
    dest.s_addr = ipheader->daddr;

    printf("From: %s:%i\n", inet_ntoa(source), ntohs(tcpheader->source));
    printf("To: %s:%i\n", inet_ntoa(dest), ntohs(tcpheader->dest));
    printf("Seq num: %u\n", ntohl(tcpheader->seq));
    printf("length Transport payload: %lu\n", pkthdr->len - (sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr)));
    printf("length of this packet (off wire): %d\n\n\n", pkthdr->len);
}

The problem here is, when I start both my program and TCPDUMP and open a website, suppose 'google.com', then the IP addresses that are spit out by my program and those by TCPDUMP are different. For example, the first few packets that I get from my TCPDUMP are:

Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
07:48:38.116354 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [P.], seq 694114432:694115363, ack 3682572338, win 63, options [nop,nop,TS val 521038 ecr 1670476261], length 931
07:48:38.116948 IP 115.241.128.67.47356 > 202.138.97.193.domain: 60501+ PTR? 51.236.125.74.in-addr.arpa. (44)
07:48:38.769817 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [P.], seq 0:931, ack 1, win 63, options [nop,nop,TS val 521104 ecr 1670476261], length 931
07:48:38.839851 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], ack 931, win 210, options [nop,nop,TS val 1670554629 ecr 521038], length 0
07:48:38.867778 IP 202.138.97.193.domain > 115.241.128.67.47356: 60501 NXDomain 0/1/0 (104)
07:48:38.909909 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 1:1419, ack 931, win 210, options [nop,nop,TS val 1670554700 ecr 521038], length 1418
07:48:38.909936 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 1419, win 85, options [nop,nop,TS val 521118 ecr 1670554700], length 0
07:48:38.909954 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 1419:2837, ack 931, win 210, options [nop,nop,TS val 1670554700 ecr 521038], length 1418
07:48:38.909960 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 2837, win 108, options [nop,nop,TS val 521118 ecr 1670554700], length 0
07:48:38.909970 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [P.], seq 2837:3685, ack 931, win 210, options [nop,nop,TS val 1670554700 ecr 521038], length 848
07:48:38.909979 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 3685, win 130, options [nop,nop,TS val 521118 ecr 1670554700], length 0
07:48:38.909987 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 3685:5103, ack 931, win 210, options [nop,nop,TS val 1670554700 ecr 521038], length 1418
07:48:38.909992 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 5103, win 153, options [nop,nop,TS val 521118 ecr 1670554700], length 0
07:48:38.919885 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 5103:6521, ack 931, win 210, options [nop,nop,TS val 1670554700 ecr 521038], length 1418
07:48:38.919910 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 6521, win 176, options [nop,nop,TS val 521119 ecr 1670554700], length 0
07:48:38.919933 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [P.], seq 6521:7781, ack 931, win 210, options [nop,nop,TS val 1670554700 ecr 521038], length 1260
07:48:38.919939 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 7781, win 198, options [nop,nop,TS val 521119 ecr 1670554700], length 0
07:48:39.089842 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], ack 931, win 210, options [nop,nop,TS val 1670554889 ecr 521104,nop,nop,sack 1 {0:931}], length 0
07:48:39.129870 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 7781:9199, ack 931, win 210, options [nop,nop,TS val 1670554943 ecr 521118], length 1418
07:48:39.129891 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 9199, win 220, options [nop,nop,TS val 521140 ecr 1670554943], length 0
07:48:39.129907 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 9199:10617, ack 931, win 210, options [nop,nop,TS val 1670554943 ecr 521118], length 1418
07:48:39.129913 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 10617, win 243, options [nop,nop,TS val 521140 ecr 1670554943], length 0
07:48:39.149886 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 10617:12035, ack 931, win 210, options [nop,nop,TS val 1670554943 ecr 521118], length 1418
07:48:39.149910 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 12035, win 266, options [nop,nop,TS val 521142 ecr 1670554943], length 0
07:48:39.149927 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 12035:13453, ack 931, win 210, options [nop,nop,TS val 1670554943 ecr 521118], length 1418
07:48:39.149934 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 13453, win 288, options [nop,nop,TS val 521142 ecr 1670554943], length 0
07:48:39.159877 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], seq 13453:14871, ack 931, win 210, options [nop,nop,TS val 1670554949 ecr 521118], length 1418
07:48:39.159901 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 14871, win 311, options [nop,nop,TS val 521143 ecr 1670554949], length 0
07:48:39.159918 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [P.], seq 14871:16249, ack 931, win 210, options [nop,nop,TS val 1670554949 ecr 521118], length 1378
07:48:39.159924 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 16249, win 333, options [nop,nop,TS val 521143 ecr 1670554949], length 0
07:48:39.259776 IP 115.241.128.67.59324 > 202.138.97.193.domain: 65226+ AAAA? google.com. (28)
07:48:39.369845 IP 202.138.97.193.domain > 115.241.128.67.59324: 65226 0/1/0 (78)
07:48:39.369955 IP 115.241.128.67.39995 > 202.138.97.193.domain: 44179+ AAAA? google.com. (28)
07:48:39.430093 IP 115.241.128.67.32813 > 74.125.236.51.www: Flags [P.], seq 687814410:687815506, ack 3653235322, win 501, options [nop,nop,TS val 521170 ecr 1670476295], length 1096
07:48:39.482234 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [P.], seq 931:2221, ack 16249, win 333, options [nop,nop,TS val 521175 ecr 1670554949], length 1290
07:48:39.489840 IP 202.138.97.193.domain > 115.241.128.67.39995: 44179 0/1/0 (78)
07:48:39.489962 IP 115.241.128.67.37470 > 202.138.97.193.domain: 12909+ A? google.com. (28)
07:48:39.759821 IP 74.125.236.51.www > 115.241.128.67.32813: Flags [.], ack 1096, win 267, options [nop,nop,TS val 1670555536 ecr 521170], length 0
07:48:39.789817 IP 202.138.97.193.domain > 115.241.128.67.37470: 12909 5/4/4 A 74.125.236.49,[|domain]
07:48:39.789827 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [.], ack 2221, win 250, options [nop,nop,TS val 1670555618 ecr 521175], length 0
07:48:39.790047 IP 115.241.128.67.40701 > 74.125.236.49.www: Flags [S], seq 2929756677, win 5840, options [mss 1460,sackOK,TS val 521206 ecr 0,nop,wscale 7], length 0
07:48:39.849815 IP 74.125.236.51.www > 115.241.128.67.32814: Flags [P.], seq 16249:16464, ack 2221, win 250, options [nop,nop,TS val 1670555704 ecr 521175], length 215
07:48:39.849825 IP 115.241.128.67.32814 > 74.125.236.51.www: Flags [.], ack 16464, win 356, options [nop,nop,TS val 521212 ecr 1670555704], length 0
07:48:39.859828 IP 74.125.236.51.www > 115.241.128.67.32813: Flags [P.], seq 1:147, ack 1096, win 267, options [nop,nop,TS val 1670555722 ecr 521170], length 146
07:48:39.859848 IP 115.241.128.67.32813 > 74.125.236.51.www: Flags [.], ack 147, win 501, options [nop,nop,TS val 521213 ecr 1670555722], length 0
07:48:39.949835 IP 74.125.236.49.www > 115.241.128.67.40701: Flags [S.], seq 1590680668, ack 2929756678, win 5672, options [mss 1430,sackOK,TS val 1670555824 ecr 521206,nop,wscale 6], length 0
07:48:39.949867 IP 115.241.128.67.40701 > 74.125.236.49.www: Flags [.], ack 1, win 46, options [nop,nop,TS val 521222 ecr 1670555824], length 0
07:48:39.949973 IP 115.241.128.67.40701 > 74.125.236.49.www: Flags [P.], seq 1:69, ack 1, win 46, options [nop,nop,TS val 521222 ecr 1670555824], length 68
07:48:40.089836 IP 74.125.236.49.www > 115.241.128.67.40701: Flags [.], ack 69, win 89, options [nop,nop,TS val 1670555983 ecr 521222], length 0
07:48:40.119826 IP 74.125.236.49.www > 115.241.128.67.40701: Flags [P.], seq 1:512, ack 69, win 89, options [nop,nop,TS val 1670556024 ecr 521222], length 511
07:48:40.119864 IP 115.241.128.67.40701 > 74.125.236.49.www: Flags [.], ack 512, win 54, options [nop,nop,TS val 521239 ecr 1670556024], length 0
07:48:40.129833 IP 74.125.236.49.www > 115.241.128.67.40701: Flags [F.], seq 512, ack 69, win 89, options [nop,nop,TS val 1670556024 ecr 521222], length 0
07:48:40.129968 IP 115.241.128.67.40701 > 74.125.236.49.www: Flags [F.], seq 69, ack 513, win 54, options [nop,nop,TS val 521240 ecr 1670556024], length 0
07:48:40.130387 IP 115.241.128.67.55976 > 202.138.97.193.domain: 22249+ AAAA? Google. (32)
07:48:40.269828 IP 74.125.236.49.www > 115.241.128.67.40701: Flags [.], ack 70, win 89, options [nop,nop,TS val 1670556163 ecr 521240], length 0
07:48:40.289835 IP 202.138.97.193.domain > 115.241.128.67.55976: 22249 1/1/0 CNAME[|domain]
07:48:40.289946 IP 115.241.128.67.46537 > 202.138.97.193.domain: 15996+ A? Google. (32)
07:48:40.399838 IP 202.138.97.193.domain > 115.241.128.67.46537: 15996 6/4/4 CNAME[|domain]
07:48:40.400078 IP 115.241.128.67.41252 > 74.125.236.50.www: Flags [S], seq 2926797497, win 5840, options [mss 1460,sackOK,TS val 521267 ecr 0,nop,wscale 7], length 0

While from my program I get:

Code:
From: 24.63.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 945
length of this packet (off wire): 999

From: 38.214.115.241:25025
To: 128.67.202.138:47356
Seq num: 3473460
length Transport payload: 34
length of this packet (off wire): 88

From: 24.62.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 945
length of this packet (off wire): 999

From: 230.57.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 14
length of this packet (off wire): 68

From: 162.163.202.138:32835
To: 97.193.115.241:53
Seq num: 3103522928
length Transport payload: 94
length of this packet (off wire): 148

From: 224.174.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.224.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.173.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.223.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 226.230.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 862
length of this packet (off wire): 916

From: 27.222.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.171.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.221.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.170.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.220.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 225.71.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1274
length of this packet (off wire): 1328

From: 27.219.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 230.38.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 26
length of this packet (off wire): 80

From: 224.167.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.218.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.166.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.217.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.165.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.216.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.164.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.215.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.163.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1432
length of this packet (off wire): 1486

From: 27.214.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 224.202.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 1392
length of this packet (off wire): 1446

From: 27.213.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 38.115.115.241:25025
To: 128.67.202.138:59324
Seq num: 3473444
length Transport payload: 18
length of this packet (off wire): 72

From: 162.188.202.138:32835
To: 97.193.115.241:53
Seq num: 3887857750
length Transport payload: 68
length of this packet (off wire): 122

From: 38.104.115.241:25025
To: 128.67.202.138:39995
Seq num: 3473444
length Transport payload: 18
length of this packet (off wire): 72

From: 113.106.115.241:60467
To: 128.67.74.125:32813
Seq num: 5253375
length Transport payload: 1110
length of this packet (off wire): 1164

From: 22.202.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 1304
length of this packet (off wire): 1358

From: 162.187.202.138:32835
To: 97.193.115.241:53
Seq num: 2621112406
length Transport payload: 68
length of this packet (off wire): 122

From: 38.92.115.241:25025
To: 128.67.202.138:37470
Seq num: 3473444
length Transport payload: 18
length of this packet (off wire): 72

From: 230.43.74.125:32835
To: 236.51.115.241:80
Seq num: 2150488511
length Transport payload: 14
length of this packet (off wire): 68

From: 162.20.202.138:32835
To: 97.193.115.241:53
Seq num: 2455634172
length Transport payload: 234
length of this packet (off wire): 288

From: 230.42.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 14
length of this packet (off wire): 68

From: 149.229.115.241:60465
To: 128.67.74.125:40701
Seq num: 5287584
length Transport payload: 22
length of this packet (off wire): 76

From: 229.82.74.125:32835
To: 236.51.115.241:80
Seq num: 2150554495
length Transport payload: 229
length of this packet (off wire): 283

From: 27.211.115.241:60467
To: 128.67.74.125:32814
Seq num: 5253471
length Transport payload: 14
length of this packet (off wire): 68

From: 229.150.74.125:32835
To: 236.51.115.241:80
Seq num: 2150488511
length Transport payload: 160
length of this packet (off wire): 214

From: 117.177.115.241:60467
To: 128.67.74.125:32813
Seq num: 5253375
length Transport payload: 14
length of this packet (off wire): 68

From: 230.33.74.125:32835
To: 236.49.115.241:80
Seq num: 2667405007
length Transport payload: 22
length of this packet (off wire): 76

From: 149.236.115.241:60465
To: 128.67.74.125:40701
Seq num: 5287584
length Transport payload: 14
length of this packet (off wire): 68

From: 149.167.115.241:60465
To: 128.67.74.125:40701
Seq num: 5287584
length Transport payload: 82
length of this packet (off wire): 136

From: 230.40.74.125:32835
To: 236.49.115.241:80
Seq num: 2667405007
length Transport payload: 14
length of this packet (off wire): 68

From: 228.40.74.125:32835
To: 236.49.115.241:80
Seq num: 2667405007
length Transport payload: 525
length of this packet (off wire): 579

From: 149.234.115.241:60465
To: 128.67.74.125:40701
Seq num: 5287584
length Transport payload: 14
length of this packet (off wire): 68

From: 230.38.74.125:32835
To: 236.49.115.241:80
Seq num: 2667405007
length Transport payload: 14
length of this packet (off wire): 68

From: 149.233.115.241:60465
To: 128.67.74.125:40701
Seq num: 5287584
length Transport payload: 14
length of this packet (off wire): 68

From: 38.24.115.241:25025
To: 128.67.202.138:55976
Seq num: 3473448
length Transport payload: 22
length of this packet (off wire): 76

From: 230.37.74.125:32835
To: 236.49.115.241:80
Seq num: 2667405007
length Transport payload: 14
length of this packet (off wire): 68

From: 162.161.202.138:32835
To: 97.193.115.241:53
Seq num: 3668443246
length Transport payload: 92
length of this packet (off wire): 146

From: 38.8.115.241:25025
To: 128.67.202.138:46537
Seq num: 3473448
length Transport payload: 22
length of this packet (off wire): 76

From: 161.250.202.138:32835
To: 97.193.115.241:53
Seq num: 3049849108
length Transport payload: 258
length of this packet (off wire): 312

From: 121.77.115.241:60466
To: 128.67.74.125:41252
Seq num: 5287539
length Transport payload: 22
length of this packet (off wire): 76

From: 63.186.74.125:32835
To: 236.50.115.241:80
Seq num: 2703531801
length Transport payload: 22
length of this packet (off wire): 76

From: 121.84.115.241:60466
To: 128.67.74.125:41252
Seq num: 5287539
length Transport payload: 14
length of this packet (off wire): 68

From: 121.11.115.241:60466
To: 128.67.74.125:41252
Seq num: 5287539
length Transport payload: 86
length of this packet (off wire): 140

From: 63.193.74.125:32835
To: 236.50.115.241:80
Seq num: 2703531801
length Transport payload: 14
length of this packet (off wire): 68

From: 61.100.74.125:32835
To: 236.50.115.241:80
Seq num: 2703531801
length Transport payload: 618
length of this packet (off wire): 672

From: 63.191.74.125:32835
To: 236.50.115.241:80
Seq num: 2703531801
length Transport payload: 14
length of this packet (off wire): 68

From: 121.82.115.241:60466
To: 128.67.74.125:41252
Seq num: 5287539
length Transport payload: 14
length of this packet (off wire): 68

From: 121.81.115.241:60466
To: 128.67.74.125:41252
Seq num: 5287539
length Transport payload: 14
length of this packet (off wire): 68

From: 37.210.115.241:25025
To: 128.67.202.138:50585
Seq num: 3473450
length Transport payload: 24
length of this packet (off wire): 78

From: 162.129.202.138:32835
To: 97.193.115.241:53
Seq num: 3315138700
length Transport payload: 122
length of this packet (off wire): 176

From: 63.190.74.125:32835
To: 236.50.115.241:80
Seq num: 2703531801
length Transport payload: 14
length of this packet (off wire): 68

Done processing packets... wheew!

I don't see the IP address matching... where am I at fault?
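Added example, not part of the original post: the tcpdump banner reports link-type LINUX_SLL (Linux cooked) on ppp0, whose header is 16 bytes rather than the 14 bytes of `struct ether_header`, and the program's addresses are the tcpdump ones read two bytes early. The parser below picks the link-layer header length from the link type (the value `pcap_datalink()` returns), checks the protocol fields the code comments ask about, and uses the IP and TCP header-length fields instead of `sizeof`, with every read bounded by the captured length. `parse_tcp`, `struct flow`, the `LT_*` names and the `sample` frame are constructed for illustration; the frame mirrors the first tcpdump record above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values pcap_datalink() returns; defined locally so this builds without libpcap. */
#define LT_EN10MB    1     /* DLT_EN10MB: 14-byte Ethernet header */
#define LT_LINUX_SLL 113   /* DLT_LINUX_SLL: 16-byte "cooked" header */

struct flow {              /* hypothetical result type for this example */
    char src[16], dst[16]; uint16_t sport, dport; uint32_t seq; size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Returns 0 on success, -1 if the frame is truncated or is not IPv4/TCP. */
int parse_tcp(int linktype, const uint8_t *pkt, size_t caplen, struct flow *out)
{
    size_t l2, proto_off;
    memset(out, 0, sizeof *out);
    if (linktype == LT_EN10MB)         { l2 = 14; proto_off = 12; }
    else if (linktype == LT_LINUX_SLL) { l2 = 16; proto_off = 14; }
    else return -1;
    if (caplen < l2 + 20 || be16(pkt + proto_off) != 0x0800) return -1;

    const uint8_t *ip = pkt + l2;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* IP header length, options included */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;   /* 6 = TCP */
    if (caplen < l2 + ihl + 20) return -1;        /* fixed TCP header must be captured */

    const uint8_t *tcp = ip + ihl;
    size_t total = be16(ip + 2);                  /* IP total length from the header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;     /* TCP header length, options included */
    if (doff < 20 || total < ihl + doff) return -1;

    snprintf(out->src, sizeof out->src, "%d.%d.%d.%d", ip[12], ip[13], ip[14], ip[15]);
    snprintf(out->dst, sizeof out->dst, "%d.%d.%d.%d", ip[16], ip[17], ip[18], ip[19]);
    out->sport = be16(tcp); out->dport = be16(tcp + 2);
    out->seq = be32(tcp + 4);
    out->payload_len = total - ihl - doff;        /* from header fields, not pkthdr->len */
    return 0;
}

/* Constructed frame (headers only): cooked header, IPv4, TCP with 12 option bytes. */
static const uint8_t sample[] = {
    0x00,0x04, 0x02,0x00, 0x00,0x00, 0,0,0,0,0,0,0,0, 0x08,0x00,
    0x45,0x00, 0x03,0xd7, 0,0, 0x40,0x00, 0x40,0x06, 0,0,
    115,241,128,67, 74,125,236,51,
    0x80,0x2e, 0x00,0x50, 0x29,0x5f,0x58,0x80, 0,0,0,0,
    0x80,0x18, 0x00,0x3f, 0,0, 0,0, 1,1,8,10, 0,0,0,0, 0,0,0,0
};

int main(void)
{
    struct flow f;
    if (parse_tcp(LT_LINUX_SLL, sample, sizeof sample, &f) == 0)
        printf("%s:%d > %s:%d len %zu\n", f.src, f.sport, f.dst, f.dport, f.payload_len);
    return 0;
}
```

Parsing the same frame as Ethernet is rejected because bytes 12 and 13 are not the IPv4 EtherType, so a link-type mismatch fails closed instead of printing shifted addresses.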