& (previous_tcp.th_win = tcph->th_win) // Same window & (previous_tcp.th_ack=tcph->th_ack) // Same acknowledge number & (previous_tcp.th_seq = tcph->th_seq) // Same sequence number & (previous_tcp.dest = tcph->dest) // Same destination port If((previous_tcp.source = tcph->source) // Same source port & (temphdrlen = iphdrlen)) // Same header length & (previous_packets.protocol = iph->protocol) //Same protocol & (previous_packets.daddr = iph->daddr) // Same destination Ip address * First check if a same TCP packet has been received */įor(int i=0 isaddr) // Same source IP address Int header_size = sizeof(struct ethhdr) + iphdrlen + tcph->doff*4 Struct tcphdr *tcph=(struct tcphdr*)(Buffer Struct iphdr *iph = (struct iphdr *)(Buffer + sizeof(struct ethhdr)) Void find_retransmissions(const u_char * Buffer, int Size) Struct iphdr *iph = (struct iphdr*)(buffer +sizeof(struct ethhdr)) Struct ethhdr *eth = (struct ethhdr *)buffer Pcap_loop(handle, -1, process_packet, NULL) Handle = pcap_open_offline("smallFlows.pcap", errbuff) Void find_retransmissions(const u_char *, int ) Void process_packet(u_char *,const struct pcap_pkthdr *, const u_char *) The function find_retransmissions is where the packet is analyzed. This is an MRE that reads a pcap file and analyzes the TCP packets sent over IPv4. What I actually want to achieve is, to do on a basic level, what the filter does in wireshark. After searching extensively the web, I've concluded that in order to so, I need to track the traffic behaviour and this means also analyzing previously received packets. I want to be able to deduce whether a TCP packet I parsed is a TCP retransmission or not. I can parse the packets one by one and analyze them up to a point. I've written a simple source file that can read pcap files using the libpcap library in C.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |