[SOLVED] printk incorrect output from ntohs(tcp_hdr(skb)->source)

yaplej · 09-17-2009, 12:29 AM

I am messing around with linux kernel modules while I learn C. I wrote a LKM that has sucessfully been sniffing IP Packets Source/Destination, and writing that to /var/log/messages with printk, but when I try to access the TCP header source/dest, and write it to the log I am not getting the correct values.

The dest should be 80(http), but the log is saying 40. Is there some other conversion of "tcp_hdr(skb)->dest" I need to do for it to print the correct value? I know the value should be 80 so I expect that the source value I am getting is also incorrect, but have not used Wireshark to deteremine that its actual value is.

Code:

printk(KERN_ALERT "Source: %d.%d.%d.%d:%d. Destination: %d.%d.%d.%d:%d\n", NIPQUAD(ip_hdr(skb)->saddr), ntohs(tcp_hdr(skb)->source), NIPQUAD(ip_hdr(skb)->daddr), ntohs(tcp_hdr(skb)->dest));

Thanks.

yaplej · 09-17-2009, 03:31 PM

Need to pull the tcp header to read the tcp ports.

Code:

struct tcphdr *tcph;
struct iphdr *iph;

iph = ip_hdr(skb);
tcph = (struct tcphdr *)(skb->data + (iph->ihl << 2 ));

printk(KERN_ALERT "Source: %d.%d.%d.%d:%d. Destination:%d.%d.%d.%d:%d\n", NIPQUAD(iph->saddr), ntohs(tcph->source),
NIPQUAD(iph->daddr), ntohs(tcph->dest));

kinder · 05-26-2010, 02:38 AM

Hello !!

I tried to run this module but i got the following error

‘skb’ undeclared (first use in this function)"

Then i added the following ...

const struct sk_buff *skb;

I got the warnings ..

warning: unused variable ‘iph’
warning: ‘skb’ is used uninitialized in this function

Please help me out !!
I want print the IP header information.....

yaplej · 05-28-2010, 09:14 PM

You have to use this code from a netfilter hook. I made a post about using netfilter hooks in my blog on this site.

dhavey · 06-29-2012, 06:55 PM

Hehe ;^) Nice code, but...
Looks like it does the same thing to me. Doesn't tcp_hdr(skb) also pull data from the skb?

Anyways that's the results I'm getting.

Just FYI (I know the thread is old, but, still ;^)
I'm working in the sch_red.ko module. On the host PC tcp_hdr(skb) works as expected. On the router it always seems to generate the same (wrong) source and dest port. Your neat little piece of code does the same thing.

I suspect that my router is doing something funny ;^)

...Daniel

yaplej · 06-29-2012, 07:12 PM

Yes,

tcp_hdr(skb) should pull the correct data but the linux kernel I was using at the time it would not work. All my development was with CentOS 5 being based on RHEL its a little behind when it comes to the latest linux kernel.

I have a full example of using netfilter hooks but it was for an older kernel so might not work now.
http://opennop.svn.sourceforge.net/v...lpha%200.2.56/

Here is a much simpler kernel driver that I think works with newer kernels. At least the latest kernel used by openSuse & RHEL.
http://opennop.svn.sourceforge.net/v.../module/trunk/

You can see I am still using my original method in the userspace daemon to map the pointer to the correct tcp_header. I could probably try using the simpler tcp_hdr(skb) and see if it works.
http://opennop.svn.sourceforge.net/v...73&view=markup

Justin.

dhavey · 07-13-2012, 01:50 PM

Hi Justin,

Netfilter hook blog? Could you shoot me a link to that? For a networking scientist I know embarrassingly little about netfilter hooks and the proper way of doing things in the kernel. I just sort of found the kernel code and started messing around with it's brains. It might be worthwhile for me to learn how everybody else does things ;^)

...Daniel