Thread: tcphdr structure byteorder

Ok, I've been learning some raw sockets, which involved learning about the tcphdr, etc structures; Now I have found out that when I try to extract the port numbers (the source and dest fields) from the TCP header structure, I need to use ntohs() to get correct numbers. If it makes any difference, I'm using the non-BSD version (#ifndef __FAVOR_BSD)

However, when I compare my sniffer with tcpdump, tcpdump gets different sequence and acknowledgement numbers than my sniffer. Now to the question:
Do I need to use ntohs() on the other fields? (I am assuming no, because all the other fields are declared outside of the Pre-Processor if-else sequence relating to the endian)

Or maybe is it normal that I get different seq and ack numbers than tcpdump; because I have tried with both ntohs() and without, and have gotten different numbers anyway. (Yes, I used the -S option on tcpdump).

And also, If I am totally out in the blue, could someone give me a shove in the right direction?

Thanks!!!

However, when I compare my sniffer with tcpdump, tcpdump gets different sequence and acknowledgement numbers than my sniffer. Now to the question:

Pass -S to tcpdump to get absolute instead of relative sequence numbers.

Originally Posted by peradox

(Yes, I used the -S option on tcpdump).

So yah...

oops, somehow I missed that. Are your sequence numbers correct in their incrementation, or are they off? Do they match the ACK numbers?

Yes, they are correct, as they match the ACK numbers, etc...
They are just not the same as tcpdump...
I'm going to try how it is with ethereal...

ethereal uses the same packet capture library as tcpdump, so the results should be the same.