 How can get real port No. from ftval port_dst? 

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post How can get real port No. from ftval port_dst?
Hi,
One usage of ftval is keeping port information:
Code:
ftval port_src, port_dst;

Which one of the ftval fields keeps the real port No.? When I browse a site, Wireshark shows the destination port is 80. But the values of port_dst (ftval) are as follows:
Code:
dbl : -0.000000
flt : 0.000000
int16 : -27424
int32 : 154703072
int8 : -32
str : www.site.com
uint16 : 38112
uint32 : 154703072
uint8 : 224
=========================
dbl : 0.000000
flt : 0.000000
int16 : -27680
int32 : 154702816
int8 : -32
str : www.site.com
uint16 : 37856
uint32 : 154702816
uint8 : 224
=========================
...

Because there are many flows, I put two of them. None of them has 80 as the destination port. I think I should do some modifications.
How can I get the real port No.?


Mon Sep 27, 2010 11:04 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: How can get real port No. from ftval port_dst?
Hi,
ftval (as a type of object) is a union, so its content depends on the context.
You should be more specific about the code: what dissector are you talking about, and which part?


Mon Sep 27, 2010 12:45 pm

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post Re: How can get real port No. from ftval port_dst?
In the dispatcher, in cli.c, in the DispHttp function, I wrote this code:
Code:
ftval port_src, port_dst;
if (ProtGetAttr(ppei->stack, port_src_id, &port_src) == -1) {
   fprintf(stderr, "\n%s\n", "port_src is not assigned.");
   return -1;
}
if (ProtGetAttr(ppei->stack, port_dst_id, &port_dst) == -1) {
   fprintf(stderr, "\n%s\n", "port_dst is not assigned.");
   return -1;
}


Because port_dst_id and port_src_id were not defined in cli.c, I changed the DispInit function as follows (previously I defined them as global static variables):
Code:
tcp_id = ProtId("tcp");
if(tcp_id != -1) {
       port_dst_id = ProtAttrId(tcp_id, "tcp.dstport");
       port_src_id = ProtAttrId(tcp_id, "tcp.srcport");
}


Wed Sep 29, 2010 6:57 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: How can get real port No. from ftval port_dst?
Hi,
This is not a correct way to use ProtGetAttr and the information in ppei->stack.
Well, now the explanation:
ppei->stack is a stack, so ppei->stack can be composed of many frames (pcap, ethernet, ip, ...). To find a frame, for example the TCP frame, the function is:
Code:
const pstack_f *frame_tcp;
frame_tcp = ProtStackSearchProt(ppei->stack, tcp_id);

where tcp_id is:
Code:
int tcp_id;
tcp_id = ProtId("tcp");

Now in the TCP frame you can find srcport and dstport. More info about the TCP frame can be obtained from:
Code:
./xplico -i tcp

From the tcp frame you can extract the ports:
Code:
ftval port_src, port_dst;
if (ProtGetAttr(frame_tcp, port_src_id, &port_src) == -1) {
   fprintf(stderr, "\n%s\n", "port_src is not assigned.");
   return -1;
}
if (ProtGetAttr(frame_tcp, port_dst_id, &port_dst) == -1) {
   fprintf(stderr, "\n%s\n", "port_dst is not assigned.");
   return -1;
}

where port_dst_id and port_src_id are:
Code:
int port_dst_id, port_src_id;
port_dst_id = ProtAttrId(tcp_id, "tcp.dstport");
port_src_id = ProtAttrId(tcp_id, "tcp.srcport");


Ciao.
Gianluca


Thu Sep 30, 2010 5:43 pm
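The difference between the two lookups in this thread, as an added example that is not part of the original posts and not Xplico code. It is a simplified model: `ftval_m`, `frame_m`, `get_attr`, `search_prot` and `dst_port` are hypothetical stand-ins, and it assumes (as the output in the first post suggests, where only `str` is meaningful) that a TCP attribute id applied to a non-TCP frame selects a string attribute, and that the port is read through the 16-bit member of the union.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for Xplico's types (assumption: not the real definitions). */
typedef union { uint16_t uint16; uint32_t uint32; const char *str; } ftval_m;

typedef struct frame_m {
    int prot_id;                  /* protocol that owns this frame */
    ftval_m attr[2];              /* attribute ids are indexes local to that protocol */
    const struct frame_m *below;  /* next frame down the stack */
} frame_m;

enum { PROT_TCP = 1, PROT_HTTP = 2 };
enum { TCP_SRCPORT = 0, TCP_DSTPORT = 1 };  /* ids valid only for TCP frames */

/* Unchecked lookup: reads attribute `id` of whatever frame it is given. */
static int get_attr(const frame_m *f, int id, ftval_m *out) {
    if (f == NULL || id < 0 || id > 1) return -1;
    *out = f->attr[id];
    return 0;
}

/* Walks down the stack to the frame of the requested protocol. */
static const frame_m *search_prot(const frame_m *f, int prot_id) {
    while (f != NULL && f->prot_id != prot_id) f = f->below;
    return f;
}

/* Returns the destination port, or -1 if the stack has no TCP frame. */
static int dst_port(const frame_m *top) {
    ftval_m v;
    const frame_m *tcp = search_prot(top, PROT_TCP);
    if (get_attr(tcp, TCP_DSTPORT, &v) == -1) return -1;
    return v.uint16;              /* the port is a 16-bit value */
}

/* Constructed sample stack: an HTTP frame on top of a TCP frame. */
static const frame_m tcp_frame  = { PROT_TCP,  { { .uint16 = 49152 }, { .uint16 = 80 } }, NULL };
static const frame_m http_frame = { PROT_HTTP, { { .str = "GET" }, { .str = "www.site.com" } }, &tcp_frame };

int main(void) {
    ftval_m wrong;
    get_attr(&http_frame, TCP_DSTPORT, &wrong);   /* TCP id applied to the top frame */
    printf("top frame, TCP id -> str=%s (numeric views are pointer bits)\n", wrong.str);
    printf("TCP frame, TCP id -> %d\n", dst_port(&http_frame));
    return 0;
}
```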