
In the http://www.tcpdump.org/sniffex.c script there's the TCP struct:

struct sniff_tcp {
    u_short th_sport;               /* source port */
    u_short th_dport;               /* destination port */
    tcp_seq th_seq;                 /* sequence number */
    tcp_seq th_ack;                 /* acknowledgement number */
    u_char  th_offx2;               /* data offset, rsvd */
    #define TH_OFF(th)      (((th)->th_offx2 & 0xf0) >> 4)
    u_char  th_flags;
    #define TH_FIN  0x01
    #define TH_SYN  0x02
    #define TH_RST  0x04
    #define TH_PUSH 0x08
    #define TH_ACK  0x10
    #define TH_URG  0x20
    #define TH_ECE  0x40
    #define TH_CWR  0x80
    #define TH_FLAGS        (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
    u_short th_win;                 /* window */
    u_short th_sum;                 /* checksum */
    u_short th_urp;                 /* urgent pointer */
};

How do I determine if a particular flag is set? For each of the flags I want to know if it's 1 or 0.

Crizly

1 Answer

You need to test the flags in a way similar to this:

struct sniff_tcp *ptr = …;
if (ptr->th_flags & TH_FIN)
  puts ("FIN set");
if (ptr->th_flags & TH_SYN)
  puts ("SYN set");

And so on. Is this what you are asking?

(You may have to apply #pragma pack or a pack attribute to the struct definition, to deal with unaligned accesses.)

Florian Weimer
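A fuller worked example of the bit test from the answer, added here and not part of the original question, answer, or sniffex.c. It reuses the sniffex.c struct layout and TH_* macros (with fixed-width types instead of u_short/u_char), builds a constructed 20-byte SYN/ACK header, copies it into the struct with memcpy so no packed attribute is needed, checks each flag with the `flags & TH_X` test, and rejects headers that are truncated or carry an invalid data offset. The helper names (`tcp_header_from_bytes`, `tcp_flag_set`, `tcp_flags_string`) and the sample bytes are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as sniff_tcp in sniffex.c, with fixed-width types. */
typedef uint32_t tcp_seq;
struct sniff_tcp {
    uint16_t th_sport;   /* source port (network byte order) */
    uint16_t th_dport;   /* destination port (network byte order) */
    tcp_seq  th_seq;     /* sequence number */
    tcp_seq  th_ack;     /* acknowledgement number */
    uint8_t  th_offx2;   /* data offset (high nibble), reserved (low nibble) */
    uint8_t  th_flags;   /* flag bits, one per TH_* macro below */
    uint16_t th_win;     /* window */
    uint16_t th_sum;     /* checksum */
    uint16_t th_urp;     /* urgent pointer */
};
_Static_assert(sizeof(struct sniff_tcp) == 20, "TCP header must be 20 bytes");

#define TH_OFF(th) (((th)->th_offx2 & 0xf0) >> 4)
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* 1 if the given flag bit is set in the header, else 0. */
int tcp_flag_set(const struct sniff_tcp *th, uint8_t flag)
{
    return (th->th_flags & flag) != 0;
}

/* Copy the fixed header out of a packet buffer. memcpy sidesteps the unaligned
   access problem (no #pragma pack needed), and multi-byte fields stay in
   network byte order. Returns the header length in bytes (TH_OFF * 4), or -1
   if the buffer is too short or the data offset is out of range. */
int tcp_header_from_bytes(const uint8_t *pkt, size_t len, struct sniff_tcp *out)
{
    if (len < sizeof *out)
        return -1;
    memcpy(out, pkt, sizeof *out);
    int hlen = TH_OFF(out) * 4;
    if (hlen < 20 || (size_t)hlen > len)   /* offset < 5 is malformed */
        return -1;
    return hlen;
}

static const struct { uint8_t bit; const char *name; } flag_names[] = {
    {TH_FIN, "FIN"}, {TH_SYN, "SYN"}, {TH_RST, "RST"}, {TH_PUSH, "PSH"},
    {TH_ACK, "ACK"}, {TH_URG, "URG"}, {TH_ECE, "ECE"}, {TH_CWR, "CWR"},
};

/* Render the set flags as e.g. "SYN|ACK"; returns the number of bytes written. */
size_t tcp_flags_string(uint8_t flags, char *buf, size_t n)
{
    size_t used = 0;
    if (n == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(flags & flag_names[i].bit))
            continue;
        int w = snprintf(buf + used, n - used, "%s%s", used ? "|" : "", flag_names[i].name);
        if (w < 0 || (size_t)w >= n - used)
            break;
        used += (size_t)w;
    }
    return used;
}

/* Constructed sample: a SYN/ACK from port 443 to port 54321, no options. */
static const uint8_t synack_pkt[20] = {
    0x01, 0xbb,             /* source port 443 */
    0xd4, 0x31,             /* destination port 54321 */
    0x00, 0x00, 0x00, 0x00, /* sequence number */
    0x00, 0x00, 0x00, 0x01, /* acknowledgement number */
    0x50,                   /* data offset 5 (20 bytes), reserved 0 */
    0x12,                   /* flags: SYN|ACK */
    0xff, 0xff,             /* window */
    0x00, 0x00,             /* checksum (not computed for this sample) */
    0x00, 0x00              /* urgent pointer */
};

int main(void)
{
    struct sniff_tcp th;
    char buf[48];
    int hlen = tcp_header_from_bytes(synack_pkt, sizeof synack_pkt, &th);
    if (hlen < 0) {
        puts("malformed TCP header");
        return 1;
    }
    tcp_flags_string(th.th_flags, buf, sizeof buf);
    printf("header length %d, flags %s\n", hlen, buf);
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++)
        printf("%s=%d\n", flag_names[i].name, tcp_flag_set(&th, flag_names[i].bit));
    return 0;
}
```

The length and offset checks matter in a sniffer: a captured packet can be shorter than 20 bytes or carry a data offset below 5, and reading fields or options past the buffer on such input is an out-of-bounds read.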