I'm using Ubuntu 16.04.2 LTS on a VM using Windows 10.
I'm trying to capture ports within the range of 1-100. But it's not doing that and also it seems to be giving incorrect port numbers. For example, when I try using the telnet command to connect to another VM I'm excepting to see the destination port to be 23; however, I get a completely different port number. I also check in wireshark and the destination and source port number do not match.
Here's screenshot of what I get when I try to telnet to 10.0.2.5
:
Here's my code:
#include <pcap.h>
#include <stdio.h>
#include <arpa/inet.h>
//Ethernet addresses are 6 bytes
#define ETHER_ADDR_LEN 6
//ethernet header
struct sniff_ethernet {
u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
u_short ether_type; /* IP? ARP? RARP? etc */
};
//ip header
struct ipheader {
unsigned char iph_ihl:4, //IP header length
iph_ver:4; //IP version
unsigned char iph_tos; //Type of service
unsigned short int iph_len; //IP Packet length (data + header)
unsigned short int iph_ident; //Identification
unsigned short int iph_flag: 3, //Fragmenation flags
iph_offset:13; //Flags offset
unsigned char iph_ttl; //Time to live
unsigned char iph_protocol; //Protocol type
unsigned short int iph_chksum; //IP datagram checksum
struct in_addr iph_sourceip; //Source IP address
struct in_addr iph_destip; //Destination IP address
};
//tcp header
typedef u_int tcp_seq;
struct sniff_tcp {
u_short th_sport;/* source port */
u_short th_dport;/* destination port */
tcp_seq th_seq;/* sequence number */
tcp_seq th_ack;/* acknowledgement number */
u_char th_offx2;/* data offset, rsvd */
#define TH_OFF(th)(((th)->th_offx2 & 0xf0) >> 4)
u_char th_flags;
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
u_short th_win;/* window */
u_short th_sum;/* checksum */
u_short th_urp;/* urgent pointer */
};
void got_packet(u_char *args, const struct pcap_pkthdr * header,
const u_char * packet)
{
struct sniff_ethernet *eth = (struct sniff_ethernet *)packet;
if(ntohs(eth->ether_type)== 0x0800){ // 0x0800 is IP type
struct ipheader *ip = (struct ipheader *) (packet + sizeof(struct sniff_ethernet));
printf(" From: %s\n", inet_ntoa(ip->iph_sourceip));
printf(" To: %s\n", inet_ntoa(ip->iph_destip));
int ip_header_len = ip->iph_ihl * 4;
struct sniff_tcp *tcp = (struct sniff_tcp*) (packet + sizeof(struct sniff_ethernet) + ip_header_len);
printf("tcp source port: %hu\n",tcp->th_sport);
printf("tcp destination port: %hu\n", tcp->th_dport);
}
}
int main(int argc, char* argv[])
{
char* dev = argv[1];
printf("Device: %s\n", dev);
//session handle
pcap_t *handle;
//error string
char errbuf[PCAP_ERRBUF_SIZE];
//the compiled filter expression
struct bpf_program fp;
char filter_exp[] = "tcp and portrange 10-100";
//the ip of our sniffing device
bpf_u_int32 net;
// open pcap session
handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
//Compile filter_exp into BPF pseudo-code
pcap_compile(handle, &fp, filter_exp, 0, net);
pcap_setfilter(handle,&fp);
//Capture packets
pcap_loop(handle,-1,got_packet,NULL);
pcap_close(handle);
return (0);
}
Need to convert from network to host byte order:
printf("tcp source port: %hu\n", ntohs(tcp->th_sport));
printf("tcp destination port: %hu\n", ntohs(tcp->th_dport));