DbgPrint Port number %hu

I am receiving packets in callouts in a WFP firewall I am testing. The port values are UINT16, and as they are coming from the networking functions they are big-endian values.

I have reversed the endianness using RtlUshortByteSwap, and am using DbgPrint with the %hu token to debug the network 5-tuple values so I can start building up a pattern of what is going on. All is well except the port numbers are printing out a little garbled.

Example

LocalIP,LocalPort,RemoteIP,RemotePort
192.168.1.5,61395,192.168.1.1,13568
192.168.1.5,16832,64.233.183.103,20480

Now I have been running this back to back with Wireshark and I can tell you that the first entry is a DNS request between host and router, and the second is a SYN to establish a TCP connection on port 80 to the host IP returned by the DNS request in 1.

So for example the second row, the remote port is 80 but prints 20480.

Any ideas what I could be doing wrong?

20480 is 0x5000 which is port 80 byte swapped.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Thursday, December 04, 2008 2:13 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] DbgPrint Port number %hu



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
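The replies above identify the symptom: 20480 is 0x5000, which is 80 (0x0050) with its two bytes exchanged, and 13568 is 0x3500, which is 53 (0x0035) exchanged. Because a 16-bit byte swap is its own inverse, applying RtlUshortByteSwap to a value that was already in host order yields exactly those numbers; that is an inference from the posted values, not something the thread states. The following is an added example, not code from the original post or from any OSR contributor. It is user-mode C, so swap16 is a portable stand-in for RtlUshortByteSwap (same 16-bit byte reversal), snprintf stands in for DbgPrint, and the addresses and port values are constructed from the second row of the post; it assumes the local port in that row received the same extra swap as the remote port.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for RtlUshortByteSwap (a kernel-mode routine not
 * available here): exchange the two bytes of a 16-bit value. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Read a 16-bit field from a packet buffer as network byte order
 * (big-endian), the correct decoding for a TCP/UDP port on the wire. */
static uint16_t load_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Read the same two bytes as a little-endian host would if it just copied
 * them into a UINT16 without swapping: this is the garbled value. */
static uint16_t load_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Undo one extra byte swap. swap16 is an involution, so a host-order value
 * that was swapped once (80 -> 20480) comes back by swapping it again. */
static uint16_t recover_port(uint16_t printed)
{
    return swap16(printed);
}

/* Format the 5-tuple in the CSV layout used in the post. snprintf stands in
 * for DbgPrint; %hu is the right conversion for an unsigned 16-bit port, but
 * only if the value handed to it is already in host order. Addresses are
 * host-order uint32 values (constructed input, hypothetical layout). */
static int format_tuple(char *buf, size_t n,
                        uint32_t laddr, uint16_t lport,
                        uint32_t raddr, uint16_t rport)
{
    return snprintf(buf, n, "%u.%u.%u.%u,%hu,%u.%u.%u.%u,%hu",
                    (laddr >> 24) & 0xFFu, (laddr >> 16) & 0xFFu,
                    (laddr >> 8) & 0xFFu, laddr & 0xFFu, lport,
                    (raddr >> 24) & 0xFFu, (raddr >> 16) & 0xFFu,
                    (raddr >> 8) & 0xFFu, raddr & 0xFFu, rport);
}

/* Second row of the post, rebuilt from its printed values: the remote port
 * printed as 20480, the local port as 16832. Both are assumed to carry one
 * extra swap; recover_port removes it. Returns the corrected CSV line. */
static const char *corrected_second_row(void)
{
    static char line[64];
    uint32_t local  = (192u << 24) | (168u << 16) | (1u << 8) | 5u;
    uint32_t remote = (64u << 24) | (233u << 16) | (183u << 8) | 103u;
    uint16_t printed_local = 16832, printed_remote = 20480;

    format_tuple(line, sizeof line, local, recover_port(printed_local),
                 remote, recover_port(printed_remote));
    return line;
}

int main(void)
{
    /* Ports 80 and 53 as they sit in a TCP/UDP header: high byte first.
     * Constructed sample bytes, not captured traffic. */
    const uint8_t wire_http[2] = { 0x00, 0x50 };
    const uint8_t wire_dns[2]  = { 0x00, 0x35 };

    printf("port 80 on the wire: be=%hu le=%hu swap(le)=%hu\n",
           load_be16(wire_http), load_le16(wire_http),
           swap16(load_le16(wire_http)));
    printf("port 53 on the wire: be=%hu le=%hu swap(le)=%hu\n",
           load_be16(wire_dns), load_le16(wire_dns),
           swap16(load_le16(wire_dns)));

    /* Swapping a value that is already in host order produces exactly the
     * numbers printed in the post. */
    printf("swap16(80)=%hu swap16(53)=%hu\n", swap16(80), swap16(53));
    printf("%s\n", corrected_second_row());
    return 0;
}
```

The practical check this suggests: print the raw UINT16 next to its swapped form for one packet and compare both against Wireshark before deciding which one to keep; whichever column already matches the capture is the host-order value, and swapping it a second time is what produces 20480 and 13568.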

Why are you asking questions like this? They’re nothing to do with
NT development, they are simple data representation questions that
show you have no clue about computers, otherwise you would have tried
and seen the bleeding obvious.

To provide a clue -

What is the hex representation of 20480? Answer 0x5000 - what do
you get if you swap this value? Answer 0x0050 - which in decimal is ???

Or what is the hex representation of 13568? Answer 0x3500 - what do
you get if you swap this value? Answer 0x0035 - which in decimal is ???

At 19:13 04/12/2008, xxxxx@yahoo.co.uk wrote:

Bad day Mark?

Mark is right. This list is for NT driver developers and some basic
knowledge and experience is presumed.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.co.uk
Sent: Thursday, December 04, 2008 8:26 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] DbgPrint Port number %hu

RtlUshortByteSwap


Hello suityou01

I appreciate my previous post might have been a little over-brief and
perhaps not all that clear for you. Luckily, I’ve just found a recent thread
here on ntdev which happens to contain all of the technical information you
need to solve your problem here - and some! Here’s the URL:
http://www.osronline.com/showThread.cfm?link=143010 I’d guess the posts
which will help you the most are found at the end of the thread.

Good Luck
Lyndon
