解析TCP数据包数据

Question

I am trying to parse a tcp packet and then assign to a pointer to the start of the payload.

I am using C and this is my code so far:

void dump(const unsigned char *data, int length) { //*data contains the raw packet data
    unsigned int i;
    static unsigned long pcount = 0;

    // Decode Packet Header
    struct ether_header *eth_header = (struct ether_header *) data;

    printf("\n\n === PACKET %ld HEADER ===\n", pcount);

    printf("\nSource MAC: ");
    for (i = 0; i < 6; ++i) {
        printf("%02x", eth_header->ether_shost[i]); //? Why don't i use nthos here?
        if (i < 5) printf(":");
    }

    unsigned short ethernet_type = ntohs(eth_header->ether_type);
    printf("\nType: %hu\n", ethernet_type);

    if (ethernet_type == ETHERTYPE_IP) { //IP Header
        printf("\n  == IP HEADER ==\n");
        struct ip *ip_hdr = (struct ip*) data + sizeof(struct ether_header);
        unsigned int size_ip = ip_hdr->ip_hl * 4;
        printf("\nIP Version: %u", ip_hdr->ip_v); //? Nthos or no nthos
        printf("\nHeader Length: %u", ip_hdr->ip_hl); //? Nthos or no nthos
        printf("\nTotal Length: %hu", ntohs(ip_hdr->ip_len)); //? Nthos or no nthos

        // TCP Header
        printf("\n== TCP HEADER ==\n");
        struct tcphdr *tcp_hdr = (struct tcphdr*) data + sizeof(struct ether_header) + size_ip;
        printf("\n Source Port: %" PRIu16, nthos(tcp_hdr->th_sport));
        printf("\n Destination Port: %" PRIu16, nthos(tcp_hdr->th_dport));
        printf("\n fin: %" PRIu16, tcp_hdr->fin);
        printf("\n urg: %" PRIu16, tcp_hdr->urg);
        printf("\n ack_seq: %" PRIu32, ntohl(tcp_hdr->ack_seq));

        //Transport payload! i.e. rest of the data
        const unsigned char *payload = data + ETH_HLEN + size_ip + sizeof(struct tcphdr) + tcp_hdr->doff;

    }

I'm sure there is mistakes in this code because the port numbers are all weird. Not a single one assigns to 80. The Ip version outputted can also be really weird (like version 11) as well. What am I doing wrong? Thanks!

Also I am unsure when to use nthos and when not to. I know nthos is for 16 bit unsigned integer and I know nthol is for 32 bit unsigned integers, but I'm aware your not meant to use them for everything in those packets (like: tcp_hdr->fin). Why certain things and not them?

MANY THANKS!

EDIT:

Thanks Art for fixing most f the problems. I edited my tcp_hdr and ip_hdr so the brackets are now correct!

I still have 2 problems:

• The first 10 bytes of the payload has weird symbols (so I think I have not assigned the payload correctly).
• I'm still unsure when to use nthos/nthol. I know u_int16_t is ntohs and u_int32_t is ntohl. But what about things that are signed int or unisgned short int. For instance I didn't use ntohs or nthol for the ip_v for it to work. Why not? Is "ip_hdr->ip_hl" nthol? etc...

EDIT2

I have fixed why my payload was not outputting correctly (it's because I calculated the TCP_header size wrong).

Although I am still confused about when to use nthos, I will put this as a separate question, as I think I asked too many questions on this 1 post!

When to use ntohs and ntohl in C?

Answer 1

Most likely your problem is here:

struct ip *ip_hdr = (struct ip*) data + sizeof(struct ether_header);
struct tcphdr *tcp_hdr = (struct tcphdr*) data + sizeof(struct ether_header) + size_ip;

Doing (struct ip*) data + sizeof(struct ether_header) first casts data to struct ip * , then adds sizeof(struct ether_header) to it, which we know from pointer arithmetics will not do what you expect it to do.

If the problem is still unclear, here's a simple program that should point you in the right direction:

#include <stdio.h>

struct foo {
    int a, b;
};

int
main(int argc, char **argv)
{
    char *x = NULL;

    printf("%p\n", x);
    printf("%p\n", (struct foo *)x + 4);
    printf("%p\n", (struct foo *)(x + 4));

    return 0;
}