Wireshark · Ethereal-users: Re: [Ethereal-users] ACK / SEQ/ flag /win wrong

Ethereal-users: Re: [Ethereal-users] ACK / SEQ/ flag /win wrong

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joe Elliott <joe@xxxxxxxxx>

Date: Fri, 14 Oct 2005 20:29:29 -0700 (PDT)

Hello Servando,
	Its a precision problem, When you print data values of less than 32bits you need to use the correct printf value.
%d on your system is a full integer value. See the printf/sprintf man page on any unix system:


   The length modifier
       Here, âinteger conversionâ stands for d, i, o, u, x, or X conversion.

       hh     A following integer conversion corresponds to a signed char or unsigned char argument, or a following n conversion corre-
              sponds to a pointer to a signed char argument.

       h      A following integer conversion corresponds to a short int or unsigned short int argument, or  a  following  n  conversion
              corresponds to a pointer to a short int argument.

       l      (ell) A following integer conversion corresponds to a long int or unsigned long int argument, or a following n conversion
              corresponds to a pointer to a long int argument, or a following c conversion corresponds to a wint_t argument, or a  fol-
              lowing s conversion corresponds to a pointer to wchar_t argument.

       ll     (ell-ell).   A  following integer conversion corresponds to a long long int or unsigned long long int argument, or a fol-
              lowing n conversion corresponds to a pointer to a long long int argument.

       L      A following a, A, e, E, f, F, g, or G conversion corresponds to a long double argument.  (C99 allows %LF, but SUSv2  does
              not.)

       q      (âquadâ. BSD 4.4 and Linux libc5 only. Donât use.)  This is a synonym for ll.

       j      A following integer conversion corresponds to an intmax_t or uintmax_t argument.

       z      A  following  integer conversion corresponds to a size_t or ssize_t argument. (Linux libc5 has Z with this meaning. Donât
              use it.)

       t      A following integer conversion corresponds to a ptrdiff_t argument.

You will then print the correct value.

Joe.

                                          __o       _~o       __o
                                         `\<,      `\<,      `\<,
 ______________________________________(*)/_(*)__(*)/_(*)__(*)/_(*)________
 Im a 21st Century Digital Boy ... I aint got a life, but I got lotsa toys.
 *************** Joe Elliott  joe@xxxxxxxxx  AOL:xqos  ********************
 -   NetContExt  - sniffer trace forensics - tcp follow stream analysis   - 
          Extract data files and Images from packet payloads
                  Inetd.Com    http://www.inetd.com
 --------------------------------------------------------------------------


On Fri, 14 Oct 2005, Servando Garcia wrote:

> Date: Fri, 14 Oct 2005 21:38:46 -0500
> From: Servando Garcia <servando@xxxxxxx>
> Reply-To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> Subject: [Ethereal-users] ACK / SEQ/ flag /win wrong
> 
> Hello List
> 	First of all that you all who have helped me with this project. Now to 
> the meat of my email
> I am working on a Mac 10.3
> I am using pcap to read/translate a capture session to human readable 
> form.
> When I use ethereal to view the capture session, I get
> Acknowledgment : 450
> Sequence number :1
> Flag of 0X0010(ack)
> win:  6432
> 
> when I run my program I get
> Seq : 46517
> ACK number : 15682
> Flag 6144
> win: 65535
> 
> this is nothing like ethereal.
> 
> Here is now I call them:
>          printf("Sequence Number:%d\n",ntohs(tcp->th_seq));
>          printf("TCP Acknowledgment Number: %d\n",ntohs(tcp->th_ack));
>          printf("TCP Flags: %d\n",ntohs(tcp->th_flags));
>          printf("TCP Window Size: %d\n",ntohs(tcp->th_win));
> 
> here is how I define:
> 
> 
> struct sniff_tcp {
>          u_char  th_flags;
>          #define TH_FIN  0x01
>          #define TH_SYN  0x02
>          #define TH_RST  0x04
>          #define TH_PUSH 0x08
>          #define TH_ACK  0x10
>          #define TH_URG  0x20
>          #define TH_ECE  0x40
>          #define TH_CWR  0x80
>          #define TH_FLAGS        
> (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
>          u_short th_win;                 /* window */
> 
> I am not sure why I have this difference.
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>

References:
- [Ethereal-users] ACK / SEQ/ flag /win wrong
  - From: Servando Garcia

Prev by Date: [Ethereal-users] ACK / SEQ/ flag /win wrong
Next by Date: Re: [Ethereal-users] ACK / SEQ/ flag /win wrong
Previous by thread: [Ethereal-users] ACK / SEQ/ flag /win wrong
Next by thread: Re: [Ethereal-users] ACK / SEQ/ flag /win wrong
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$