Ethereal-dev: [Ethereal-dev] [PATCH] Ethereal 'Follow TCP Stream' gets confused when symmetric

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gregory Stark <gsstark@xxxxxxx>
Date: Thu, 03 Jul 2003 20:15:50 -0000

'Follow TCP Stream' gets very confused if you have two streams between the
same IP addresses with reversed source and destination ports, i.e., if host a
connects to host b on port 80 at the same time as host b connects to host a on
port and both choose the same source port. This may seem like a strange event,
but it can occur quite easily when NAT is involved and a host is contacting
itself through the NAT router.

The attached patch straightens out this problem; it seems to work for me.


bash-2.05b# diff -u follow.c.~1~ follow.c
--- follow.c.~1~	2002-12-03 20:36:10.000000000 -0500
+++ follow.c	2003-07-03 15:01:28.000000000 -0400
@@ -140,12 +140,16 @@
   /* Now check if the packet is for this connection. */
   memcpy(srcx, net_src->data, len);
   memcpy(dstx, net_dst->data, len);
-  if ((memcmp(srcx, ip_address[0], len) != 0 &&
-       memcmp(srcx, ip_address[1], len) != 0) ||
-      (memcmp(dstx, ip_address[0], len) != 0 &&
-       memcmp(dstx, ip_address[1], len) != 0) ||
-      (srcport != tcp_port[0] && srcport != tcp_port[1]) ||
-      (dstport != tcp_port[0] && dstport != tcp_port[1]))
+  if (
+      ! (
+	 !memcmp(srcx, ip_address[0], len) && !memcmp(dstx, ip_address[1], len) &&
+	 srcport == tcp_port[0] && dstport == tcp_port[1]
+	 ) &&
+      ! (
+	 !memcmp(srcx, ip_address[1], len) && !memcmp(dstx, ip_address[0], len) &&
+	 srcport == tcp_port[1] && dstport == tcp_port[0]
+	 )
+      ) 
     return;
 
   /* Initialize our stream chunk.  This data gets written to disk. */
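Review bot: The new `if` only works if `ip_address[0]` and `tcp_port[0]` describe the same endpoint (and likewise index 1), and nothing in this hunk states or checks that pairing. Please extend the comment "Now check if the packet is for this connection" to say that a packet must match the full address/port tuple in one direction or the other, and confirm that the code filling `ip_address[]` and `tcp_port[]` stores them in matching order. The nested `! ( !memcmp(...) && ... ) && ! ( ... )` form is also hard to audit: writing the comparisons as `memcmp(...) == 0`, in line with the `!= 0` style of the removed lines, or moving each direction into a small helper, would make the two cases easier to verify. The added lines mix tab and space indentation, and the closing `) ` before `return;` has trailing whitespace.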

-- 
greg