Wireshark-dev: [Wireshark-dev] jumping tcp packets
From: "Maria de Fatima Requena" <[email protected]>
Date: Thu, 3 Apr 2008 10:35:22 +0200

I am implementing a skinny sniffer using winpcap and I am experimenting problems while parsing packets. Some of them are just missed to my application. I am using wireshark to see what is really happening, and I cant understand it 

This is part of my code (callback function called by winpcap):

void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
	ip_header *ih=NULL;
	udp_header *uh=NULL;
	tcp_header *th=NULL;
	u_int ip_len;
	u_short tcp_len;
	char* sipP,*sipBody;
	char* skinnyP;
	std::string payload;
    int longSIP;
	map<string,callId_st*>::iterator it;

	Logger* mainLog=0;

	/* retireve the position of the ip header */
	ih = (ip_header *) (pkt_data +
		14); //length of ethernet header

	/* retrieve the position of the udp header */
	ip_len = (ih->ver_ihl & 0xf) * 4;


	if (ih->proto==0x06)//tcp == 0x06
		th = (tcp_header *) ((u_char*)ih + ip_len);
		u_short sport=ntohs(th->sdPorts.sport);
		u_short dport=ntohs(th->sdPorts.dport);

		if (sport==2000||dport==2000)//0x7d0=2000

This function is run inside a thread as:

pcap_loop((pcap_t *)handle,0, packet_handler, NULL); 

With this instruction: if (ih->proto==0x06)//tcp == 0x06 I would be able to see every TCP incoming packet anyway, many packets wireshark is able to capture, are left for me. Can anyone have an idea of what is happening?

Thanks in advance

María de Fátima Requena Cabot (2488)
+34 91 787 23 00 alhambra-eidos.es