And what I said only applies for sure to IPv4. I don't know if the TCP structure is the same for IPv6.
________________________________
From: Ted Dunning
Sent: Monday, January 1, 2018 10:42:15 PM
To: Charles Givre; [email protected]
Subject: Re: PCAP Issues

PacketConstants.ETHER_HEADER_LENGTH + getIPHeaderLength() +13 to get the word that has the flags

Looks to me like getByte(raw, ipOffset + getIPHeaderLength() + 13) is what you need. And this gets you the byte, not the word.

________________________________
From: Charles Givre <[email protected]>
Sent: Monday, January 1, 2018 12:31:17 PM
To: [email protected]
Cc: Ted Dunning
Subject: PCAP Issues

Hello all,

I was playing with the PCAP functionality in Drill and I wanted to add the TCP flags to the data that Drill is returning. I was also interested in adding the TCP Sequence and Ack numbers as well. I noticed that the code as written currently has a function in Packet.java which returns the TCP Sequence number, however this was never added to the schema, so I added that and rebuilt Drill, however, it doesn’t seem to be returning the correct result. The file I was querying is attached to this email, and should in all cases return a sequence number of zero.

Questions:

1. Could someone please take a look at the code for the tcp_sequence and see if I did something wrong, or if the offset is not being calculated correctly
2. I’m trying to figure out the offsets for the various TCP flags. I would think that the offset should be PacketConstants.ETHER_HEADER_LENGTH + getIPHeaderLength() +13 to get the word that has the flags and then from there, access the individual bits. However, this doesn’t seem to work. What am I missing?

Thanks and Happy New Year!
- C
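The offset arithmetic discussed in this thread, as an added example that is not part of the original emails and is not Drill's own code: it reads the TCP sequence number, acknowledgement number and flags byte from a raw IPv4 frame. The class and helper names are hypothetical, the 14-byte Ethernet header assumes an untagged Ethernet II frame, and the sample frame is constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class TcpFlagsExample {
    static final int ETHER_HEADER_LENGTH = 14; // assumption: untagged Ethernet II, no VLAN tag
    static final String[] FLAG_NAMES = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"};

    // Java bytes are signed: mask every read, and widen 32-bit fields to long.
    static int u8(byte[] raw, int off) { return raw[off] & 0xFF; }
    static int u16(byte[] raw, int off) { return (u8(raw, off) << 8) | u8(raw, off + 1); }
    static long u32(byte[] raw, int off) { return ((long) u16(raw, off) << 16) | u16(raw, off + 2); }

    // Start of the TCP header; rejects anything that is not a complete IPv4/TCP frame.
    static int tcpOffset(byte[] raw) {
        if (raw.length < ETHER_HEADER_LENGTH + 20 || u16(raw, 12) != 0x0800)
            throw new IllegalArgumentException("not an IPv4 frame");
        int ihl = (u8(raw, ETHER_HEADER_LENGTH) & 0x0F) * 4; // IP header length: 20 to 60 bytes
        if (ihl < 20 || u8(raw, ETHER_HEADER_LENGTH + 9) != 6)
            throw new IllegalArgumentException("bad IHL or not TCP");
        int tcp = ETHER_HEADER_LENGTH + ihl;
        if (raw.length < tcp + 20) throw new IllegalArgumentException("truncated TCP header");
        return tcp;
    }

    static long sequence(byte[] raw) { return u32(raw, tcpOffset(raw) + 4); }
    static long ack(byte[] raw) { return u32(raw, tcpOffset(raw) + 8); }
    static int flagsByte(byte[] raw) { return u8(raw, tcpOffset(raw) + 13); }

    static List<String> flagNames(int flags) {
        List<String> out = new ArrayList<>();
        for (int bit = 0; bit < 8; bit++) if ((flags & (1 << bit)) != 0) out.add(FLAG_NAMES[bit]);
        return out;
    }

    public static void main(String[] args) {
        // Constructed frame: IPv4 header with 4 bytes of options (IHL = 6), then a SYN/ACK segment.
        byte[] raw = new byte[ETHER_HEADER_LENGTH + 24 + 20];
        raw[12] = 0x08;                  // EtherType 0x0800 (IPv4)
        raw[14] = 0x46;                  // version 4, IHL 6 words
        raw[14 + 9] = 6;                 // protocol 6 = TCP
        int tcp = ETHER_HEADER_LENGTH + 24;
        raw[tcp + 8] = (byte) 0xFF; raw[tcp + 11] = 0x01; // ack = 0xFF000001, seq left at 0
        raw[tcp + 12] = 0x50;            // TCP data offset: 5 words
        raw[tcp + 13] = 0x12;            // flags byte: SYN | ACK
        System.out.println("seq=" + sequence(raw) + " ack=" + ack(raw)
                + " flags=" + flagNames(flagsByte(raw)));
    }
}
```

Over IPv6 the TCP header layout is unchanged, but it follows a fixed 40-byte IPv6 header plus any extension headers, so the IHL-based offset above does not apply there.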
