
Wireshark-dev: [Wireshark-dev] jumping tcp packets



From: "Maria de Fatima Requena" <MariaF.Requena@xxxxxx>
Date: Thu, 3 Apr 2008 10:35:22 +0200

Hi

I am implementing a Skinny sniffer using WinPcap and I am experiencing problems while parsing packets. Some of them are simply missed by my application. I am using Wireshark to see what is really happening, and I can't understand it.

This is part of my code (the callback function called by WinPcap):


#include <pcap.h>
#include <winsock2.h>	/* ntohs */
#include <string>
#include <map>

/* ip_header, udp_header, tcp_header, Logger and callId_st are defined
   elsewhere in the poster's program and are not part of the message. */

void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
	ip_header *ih=NULL;
	udp_header *uh=NULL;
	tcp_header *th=NULL;
	u_int ip_len;
	u_short tcp_len;
	char* sipP,*sipBody;
	char* skinnyP;
	std::string payload;
	int longSIP;
	map<string,callId_st*>::iterator it;

	Logger* mainLog=0;

	/* only header->caplen bytes of the frame are present in pkt_data:
	   never read an Ethernet + IP header that was not captured */
	if (header->caplen < 14 + 20)
		return;

	/* only IPv4 frames (ethertype 0x0800) carry an ip_header at offset 14;
	   ARP, IPv6 and 802.1Q-tagged frames (0x8100) would be misparsed here */
	if (ntohs(*(u_short *)(pkt_data + 12)) != 0x0800)
		return;

	/* retrieve the position of the ip header */
	ih = (ip_header *) (pkt_data +
		14); //length of ethernet header

	/* length of the ip header in bytes (IHL field is in 32-bit words) */
	ip_len = (ih->ver_ihl & 0xf) * 4;
	if (ip_len < 20 || header->caplen < 14 + ip_len + 20)
		return;	/* bad IHL or the TCP header was not captured */

	mainLog=Logger::GetLogger("main");

	if (ih->proto==0x06)//tcp == 0x06
	{
		/* the TCP header follows the (possibly option-extended) IP header */
		th = (tcp_header *) ((u_char*)ih + ip_len);

		u_short sport=ntohs(th->sdPorts.sport);
		u_short dport=ntohs(th->sdPorts.dport);

		if (sport==2000||dport==2000)//0x7d0=2000
		{
...

This function is run inside a thread as:

pcap_loop((pcap_t *)handle,0, packet_handler, NULL); 

With this instruction, if (ih->proto==0x06)//tcp == 0x06, I would be able to see every incoming TCP packet. Anyway, many packets that Wireshark is able to capture are missing for me. Does anyone have an idea of what is happening?

Thanks in advance




María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es
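Added example, not code from the original post nor from Wireshark or WinPcap: a C dissector for the same job that checks the ethertype, skips 802.1Q VLAN tags and bounds every read against caplen, placed beside the fixed-offset check from the post. One way a parser that assumes the IP header always starts at byte 14 can miss frames Wireshark still decodes is a VLAN-tagged link, where the IP header starts at byte 18 and byte 23 is no longer the protocol field; the example shows that on constructed frames (no pcap library needed). The port 2000 filter is the post's; the function names, verdict set and scenarios are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN        14
#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_VLAN  0x8100
#define IPPROTO_TCP_NUM 6
#define IPPROTO_UDP_NUM 17
#define SKINNY_PORT     2000    /* port filtered in the post */

enum verdict { V_TRUNCATED, V_MALFORMED, V_NOT_IP, V_NOT_TCP, V_TCP_OTHER_PORT, V_SKINNY };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one captured frame. caplen is the byte count actually captured
 * (pcap_pkthdr.caplen); no read goes beyond it. */
enum verdict classify_frame(const uint8_t *frame, size_t caplen,
                            uint16_t *sport, uint16_t *dport)
{
    size_t off = 12;                        /* ethertype offset in an untagged frame */
    uint16_t ethertype;
    const uint8_t *ip, *tcp;
    size_t ihl;

    if (caplen < ETH_HLEN) return V_TRUNCATED;
    ethertype = rd16(frame + off);
    while (ethertype == ETHERTYPE_VLAN) {   /* each 802.1Q tag adds 4 bytes */
        off += 4;
        if (caplen < off + 2) return V_TRUNCATED;
        ethertype = rd16(frame + off);
    }
    off += 2;                               /* first byte after the ethertype */
    if (ethertype != ETHERTYPE_IP) return V_NOT_IP;

    if (caplen < off + 20) return V_TRUNCATED;
    ip = frame + off;
    if ((ip[0] >> 4) != 4) return V_MALFORMED;
    ihl = (size_t)(ip[0] & 0x0f) * 4;       /* IHL is in 32-bit words */
    if (ihl < 20) return V_MALFORMED;
    if (caplen < off + ihl) return V_TRUNCATED;
    if (ip[9] != IPPROTO_TCP_NUM) return V_NOT_TCP;

    if (caplen < off + ihl + 20) return V_TRUNCATED;
    tcp = ip + ihl;
    *sport = rd16(tcp);
    *dport = rd16(tcp + 2);
    return (*sport == SKINNY_PORT || *dport == SKINNY_PORT) ? V_SKINNY : V_TCP_OTHER_PORT;
}

/* The check from the post: protocol byte assumed at 14 + 9, no ethertype test. */
int naive_is_tcp(const uint8_t *frame) { return frame[ETH_HLEN + 9] == IPPROTO_TCP_NUM; }

/* Constructed Ethernet/IPv4 frame with a 20-byte L4 header; returns its length. */
size_t build_frame(uint8_t *buf, int tagged, uint8_t proto, uint16_t sport, uint16_t dport)
{
    static const uint8_t ip_hdr[20] = { 0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00,
                                        0x40,0x00, 0x00,0x00, 10,0,0,1, 10,0,0,2 };
    size_t n = 12;
    memset(buf, 0xaa, 6); memset(buf + 6, 0xbb, 6);             /* dst/src MAC */
    if (tagged) { buf[n++] = 0x81; buf[n++] = 0x00; buf[n++] = 0x00; buf[n++] = 0x64; }
    buf[n++] = 0x08; buf[n++] = 0x00;                            /* ethertype IPv4 */
    memcpy(buf + n, ip_hdr, 20); buf[n + 9] = proto; n += 20;
    memset(buf + n, 0, 20);
    buf[n] = (uint8_t)(sport >> 8); buf[n + 1] = (uint8_t)sport;
    buf[n + 2] = (uint8_t)(dport >> 8); buf[n + 3] = (uint8_t)dport;
    buf[n + 12] = 0x50;                                          /* TCP data offset 5 */
    return n + 20;
}

/* Frames a sniffer meets on a real link; returns the dissector's verdict. */
enum verdict scenario(int which)
{
    uint8_t buf[128];
    uint16_t sp, dp;
    size_t len;
    switch (which) {
    case 0: len = build_frame(buf, 0, IPPROTO_TCP_NUM, 1234, 2000); break;   /* plain Skinny */
    case 1: len = build_frame(buf, 1, IPPROTO_TCP_NUM, 2000, 40000); break;  /* VLAN-tagged Skinny */
    case 2: len = build_frame(buf, 0, IPPROTO_UDP_NUM, 1234, 2000); break;   /* UDP to 2000 */
    case 3: len = build_frame(buf, 0, IPPROTO_TCP_NUM, 1234, 2000); len = 30; break; /* short snaplen */
    case 4: memset(buf, 0, 42); buf[12] = 0x08; buf[13] = 0x06; len = 42; break;     /* ARP */
    default: len = build_frame(buf, 0, IPPROTO_TCP_NUM, 1234, 443); break;  /* other TCP */
    }
    return classify_frame(buf, len, &sp, &dp);
}

int naive_sees_tcp(int tagged)
{
    uint8_t buf[128];
    build_frame(buf, tagged, IPPROTO_TCP_NUM, 1234, 2000);
    return naive_is_tcp(buf);
}

int main(void)
{
    static const char *names[] = {"truncated","malformed","not-ip","not-tcp","tcp-other-port","skinny"};
    for (int i = 0; i < 6; i++) printf("scenario %d: %s\n", i, names[scenario(i)]);
    printf("naive check, untagged: %d  tagged: %d\n", naive_sees_tcp(0), naive_sees_tcp(1));
    return 0;
}
```

The tagged Skinny frame is accepted by classify_frame but rejected by naive_is_tcp, because byte 23 of a tagged frame is the low byte of the IP identification field rather than the protocol. Whether that is what happens on the poster's link is not something the message settles; the example only shows that a fixed-offset parser and Wireshark disagree on such frames, and that a caplen check keeps the handler from reading past the capture buffer.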
 


  • Follow-Ups:
    • Re: [Wireshark-dev] jumping tcp packets
      • From: ronnie sahlberg
