Search code examples
ctcppcappacket-sniffers

PCAP - I'm not capturing the right TCP port number


I'm using Ubuntu 16.04.2 LTS on a VM using Windows 10.

I'm trying to capture ports within the range of 1-100. But it's not doing that and also it seems to be giving incorrect port numbers. For example, when I try using the telnet command to connect to another VM I'm excepting to see the destination port to be 23; however, I get a completely different port number. I also check in wireshark and the destination and source port number do not match.

Here's screenshot of what I get when I try to telnet to 10.0.2.5:

screenshot

Here's my code:

#include <pcap.h>
#include <stdio.h>
#include <arpa/inet.h>

//Ethernet addresses are 6 bytes
#define ETHER_ADDR_LEN 6

//ethernet header
struct sniff_ethernet {
  u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
  u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
  u_short ether_type;                 /* IP? ARP? RARP? etc */
};

//ip header
struct ipheader {
  unsigned char   iph_ihl:4,  //IP header length
                  iph_ver:4;  //IP version
  unsigned char   iph_tos;   //Type of service
  unsigned short int iph_len;    //IP Packet length (data + header)
  unsigned short int iph_ident;  //Identification
  unsigned short int iph_flag: 3,   //Fragmenation flags
                     iph_offset:13; //Flags offset
  unsigned char      iph_ttl; //Time to live
  unsigned char      iph_protocol;  //Protocol type
  unsigned short int iph_chksum; //IP datagram checksum
  struct in_addr     iph_sourceip;  //Source IP address
  struct in_addr     iph_destip;    //Destination IP address
};

//tcp header
typedef u_int tcp_seq;

struct sniff_tcp {
  u_short th_sport;/* source port */
  u_short th_dport;/* destination port */
  tcp_seq th_seq;/* sequence number */
  tcp_seq th_ack;/* acknowledgement number */
  u_char th_offx2;/* data offset, rsvd */
  #define TH_OFF(th)(((th)->th_offx2 & 0xf0) >> 4)
  u_char th_flags;
  #define TH_FIN 0x01
  #define TH_SYN 0x02
  #define TH_RST 0x04
  #define TH_PUSH 0x08
  #define TH_ACK 0x10
  #define TH_URG 0x20
  #define TH_ECE 0x40
  #define TH_CWR 0x80
  #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
  u_short th_win;/* window */
  u_short th_sum;/* checksum */
  u_short th_urp;/* urgent pointer */
};


void got_packet(u_char *args, const struct pcap_pkthdr * header,
        const u_char * packet)
{
  struct sniff_ethernet *eth = (struct sniff_ethernet *)packet;

  if(ntohs(eth->ether_type)== 0x0800){ // 0x0800 is IP type
    struct ipheader *ip = (struct ipheader *) (packet + sizeof(struct sniff_ethernet));

    printf("    From: %s\n", inet_ntoa(ip->iph_sourceip));
    printf("      To: %s\n", inet_ntoa(ip->iph_destip));

    int ip_header_len = ip->iph_ihl * 4;
    
    struct sniff_tcp  *tcp = (struct sniff_tcp*) (packet + sizeof(struct sniff_ethernet) + ip_header_len);

    printf("tcp source port: %hu\n",tcp->th_sport);
    printf("tcp destination port: %hu\n", tcp->th_dport);
  }
}

int main(int argc, char* argv[])
{
  char* dev = argv[1];

  printf("Device: %s\n", dev);

  //session handle
  pcap_t *handle;
  //error string
  char errbuf[PCAP_ERRBUF_SIZE];
  //the compiled filter expression
  struct bpf_program fp;
  char filter_exp[] = "tcp and portrange 10-100";
  //the ip of our sniffing device
  bpf_u_int32 net;

  // open pcap session
  handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);

  //Compile filter_exp into BPF pseudo-code
  pcap_compile(handle, &fp, filter_exp, 0, net);
  pcap_setfilter(handle,&fp);

  //Capture packets
  pcap_loop(handle,-1,got_packet,NULL);

  pcap_close(handle);
  
  return (0);
    
}

Solution

  • Need to convert from network to host byte order:

    printf("tcp source port: %hu\n", ntohs(tcp->th_sport));
    printf("tcp destination port: %hu\n", ntohs(tcp->th_dport));