jasonbstubbs Posted November 14, 2003 (edited)

Raw sockets corrupting IP headers (SOLVED)

I'm listening for ICMP packets using the following method to capture packets. I'm also running a packet sniffer to see what goes in and out of the box.

    using System.Net;
    using System.Net.Sockets;

    // Raw ICMP socket bound to all local interfaces, with a 100 ms receive timeout
    Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Icmp);
    socket.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReceiveTimeout, 100);
    socket.Bind((EndPoint)new IPEndPoint(System.Net.IPAddress.Any, 0));
    byte[] buffer = new byte[2000];
    IPEndPoint ipendpoint = new IPEndPoint(System.Net.IPAddress.Any, 0);
    EndPoint endpoint = (EndPoint)ipendpoint;
    // Peek copies the datagram into buffer without removing it from the receive queue
    socket.ReceiveFrom(buffer, buffer.Length, SocketFlags.Peek, ref endpoint);

However, what I'm finding is that some of the values in the IP header returned differ from what the sniffer is showing. Specifically, the TTL is different. Does anybody know what could be causing this? Even better, does anybody know how to prevent this?

Edited November 15, 2003 by jasonbstubbs

PlausiblyDamp (Administrators) Posted November 14, 2003

How different is the TTL - is it higher or lower and how much is it out by? Are there any router / NAT devices between the sniffer and device / your code?

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein

jasonbstubbs (Author) Posted November 14, 2003 (edited)

The sniffer gives a TTL of 128 on an ICMP echo reply from a Windows XP machine, which is what I would expect. Sockets is returning a TTL of 255, which is incidentally the TTL that I used when sending out the echo request, but that was done using a different Socket instance.

And the answer to your second question: the sniffer is Ethereal and is running on the same machine that is receiving the packets. The "pinger" and "pingee" are connected to the same switch.

Edited November 14, 2003 by jasonbstubbs

jasonbstubbs (Author) Posted November 15, 2003

Okay. I checked with setting a TTL of 64 on the echo request and found that the reply I received also had a TTL of 64, but the sniffer is still showing 128.

jasonbstubbs (Author) Posted November 15, 2003

Arggg. Never mind. In my class that holds an IP packet, I was initializing the header with some nice default values in the constructor. Unfortunately (or idiotically) that was overwriting the received packet's data.
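
The bug described in the last post, shown as an added example that is not the poster's code: a hypothetical `Ipv4Header` class (all names are assumptions) keeps outgoing defaults in a separate factory, so parsing a received buffer can only report what was on the wire. The sample bytes are constructed.

```csharp
using System;
using System.Net;

// Hypothetical IPv4 header holder; names are assumptions, not the poster's class.
public sealed class Ipv4Header
{
    public int HeaderLength { get; private set; }   // in bytes
    public byte Ttl { get; private set; }
    public byte Protocol { get; private set; }
    public IPAddress Source { get; private set; }
    public IPAddress Destination { get; private set; }

    private Ipv4Header() { }   // sets no defaults, so nothing can clobber parsed values

    // Defaults belong only on the path that builds an outgoing packet.
    public static Ipv4Header ForSending(byte ttl, byte protocol) =>
        new Ipv4Header { HeaderLength = 20, Ttl = ttl, Protocol = protocol };

    // Received data: every field is taken from the wire bytes.
    public static Ipv4Header Parse(byte[] buffer, int received)
    {
        if (buffer == null || received < 20 || received > buffer.Length)
            throw new ArgumentException("Too short for an IPv4 header.");
        int version = buffer[0] >> 4;
        int ihl = (buffer[0] & 0x0F) * 4;   // IHL is counted in 32-bit words
        if (version != 4 || ihl < 20 || ihl > received)
            throw new FormatException("Not a valid IPv4 header.");
        return new Ipv4Header
        {
            HeaderLength = ihl,
            Ttl = buffer[8],
            Protocol = buffer[9],
            Source = new IPAddress(new[] { buffer[12], buffer[13], buffer[14], buffer[15] }),
            Destination = new IPAddress(new[] { buffer[16], buffer[17], buffer[18], buffer[19] })
        };
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: 20-byte header, TTL 128, protocol 1 (ICMP), 192.0.2.10 -> 192.0.2.20
        byte[] sample = { 0x45, 0, 0, 0x3C, 0, 1, 0, 0, 128, 1, 0, 0, 192, 0, 2, 10, 192, 0, 2, 20 };
        Ipv4Header h = Ipv4Header.Parse(sample, sample.Length);
        Console.WriteLine("TTL={0} proto={1} {2} -> {3}", h.Ttl, h.Protocol, h.Source, h.Destination);
    }
}
```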