UINT16 query

What exactly is being displayed when you use %hu?

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 4:55 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

Wow, lots of cross fire.

As I said before, I am no further forward. I have swapped bytes around using
RtlUShortByteSwap and someone helpfully posted that DbgPrint and printf are
the same function (yawn). Still I NEED someone to go to the try line and
stop speaking in riddles.

I posted code

DbgPrint (“The local port is %hi \n”,RtlUShortByteSwap(packet->localPort));

And someone pointed out that i is for signed integers. But noone actually
posted how to correctly DbgPrint a UINT16. That is really all Im asking. The
big endian to little endian byte swapping was a big steer I’m sure.

I remember 2’s complement from years ago, but do we really have to go bit
flipping? Surely to close this thread off someone just needs to dump some
code that will work.

I have recently tried

DbgPrint (“The local port is %hu \n”,RtlUShortByteSwap(packet->localPort));

I am expecting to see port 80, as it is a browser I am using to generate the
packets.

Thanks

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

You earlier posted the structure that you were using and said something
about the packet inspection sample. What sample is that? Where does that
structure get it’s data?

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 4:55 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

Wow, lots of cross fire.

As I said before, I am no further forward. I have swapped bytes around using
RtlUShortByteSwap and someone helpfully posted that DbgPrint and printf are
the same function (yawn). Still I NEED someone to go to the try line and
stop speaking in riddles.

I posted code

DbgPrint (“The local port is %hi \n”,RtlUShortByteSwap(packet->localPort));

And someone pointed out that i is for signed integers. But noone actually
posted how to correctly DbgPrint a UINT16. That is really all Im asking. The
big endian to little endian byte swapping was a big steer I’m sure.

I remember 2’s complement from years ago, but do we really have to go bit
flipping? Surely to close this thread off someone just needs to dump some
code that will work.

I have recently tried

DbgPrint (“The local port is %hu \n”,RtlUShortByteSwap(packet->localPort));

I am expecting to see port 80, as it is a browser I am using to generate the
packets.

Thanks

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

1. Dude, how about showing us the code followed by the output

2. Also, dump the structure using ‘dt’ in WinDbg. I don’t remember what it’s called (let’s say
   it’s called ‘INFO’, your module is named ‘yourmodule,’ and the structure is located at VA in memory):
   dt -b -v yourmodule!INFO
   
   3. In addition, dump it using all of the following:
   a. db
   b. dw
   c. dd
   4. Have you considered adding code to permute some of these options and see what you get - that is,
   dump it as a integer, as an unsigned integer, et. c.
   
   mm
   
   xxxxx@yahoo.co.uk wrote:
   > Wow, lots of cross fire.
   >
   > As I said before, I am no further forward. I have swapped bytes around using RtlUShortByteSwap
   > and someone helpfully posted that DbgPrint and printf are the same function (yawn). Still I NEED someone to go to the try line and stop speaking in riddles.
   >
   > I posted code
   >
   > DbgPrint (“The local port is %hi \n”,RtlUShortByteSwap(packet->localPort));
   >
   > And someone pointed out that i is for signed integers. But noone actually posted how to correctly DbgPrint a UINT16. That is really all Im asking. The big endian to little endian byte swapping was a big steer I’m sure.
   >
   > I remember 2’s complement from years ago, but do we really have to go bit flipping? Surely to close this thread off someone just needs to dump some code that will work.
   >
   > I have recently tried
   >
   > DbgPrint (“The local port is %hu \n”,RtlUShortByteSwap(packet->localPort));
   >
   > I am expecting to see port 80, as it is a browser I am using to generate the packets.
   >
   > Thanks
   >

After swapping bytes I get 14334

The nightmare is that I don’t know for sure that this is port 80, wireshark of course shows dns and arp packets as well. All I knows is 14334 is wrong wrong wrong. If I started seeing arp,dns and http ports then I would know I have it cracked.

Since your original question was about the correct DbgPrint format, %hi,
%hu, %u, %d, %i, should all give you the same result as long as port is
defined as a ushort. A ushort will be pushed on the stack with zeros as the
upper 16 bits. I always use %d or %x when printing ports.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 4:55 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

Wow, lots of cross fire.

As I said before, I am no further forward. I have swapped bytes around using
RtlUShortByteSwap and someone helpfully posted that DbgPrint and printf are
the same function (yawn). Still I NEED someone to go to the try line and
stop speaking in riddles.

I posted code

DbgPrint (“The local port is %hi \n”,RtlUShortByteSwap(packet->localPort));

And someone pointed out that i is for signed integers. But noone actually
posted how to correctly DbgPrint a UINT16. That is really all Im asking. The
big endian to little endian byte swapping was a big steer I’m sure.

I remember 2’s complement from years ago, but do we really have to go bit
flipping? Surely to close this thread off someone just needs to dump some
code that will work.

I have recently tried

DbgPrint (“The local port is %hu \n”,RtlUShortByteSwap(packet->localPort));

I am expecting to see port 80, as it is a browser I am using to generate the
packets.

Thanks

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Ok.

Example is C:\WinDDK\6001.18001\src\network\trans\inspect

There is a function in utils.c call AllocateAndInitializePendedPacket.

It already does the byteswapping for you, so all I need to know is how to DbgPrint it correctly so I can see what is happening.

This is the local port on the http server or on the client that is
communicating with the http server?

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 5:15 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

After swapping bytes I get 14334

The nightmare is that I don’t know for sure that this is port 80, wireshark
of course shows dns and arp packets as well. All I knows is 14334 is wrong
wrong wrong. If I started seeing arp,dns and http ports then I would know I
have it cracked.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

That was indeed the original question, thanks
It is a UINT16. If this is the same as a USHORT (which someone on here suggests) then I agree with you. However the ports I would expect are the domestic DNS,ARP,HTTP and this is not what I am getting.

So far I have tried

%d
%hi
%hu

Client. Thanks.

If this is the local port on the client then the port will not be 80 and can
very well be 14334. The remote port should be 80.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 5:23 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

Client. Thanks.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

You could save a lot of your own time if you use google
http://msdn.microsoft.com/en-us/library/ms792790.aspx

wrote in message news:xxxxx@ntdev…
> Ok.
>
> Example is C:\WinDDK\6001.18001\src\network\trans\inspect
>
> There is a function in utils.c call AllocateAndInitializePendedPacket.
>
> It already does the byteswapping for you, so all I need to know is how to
> DbgPrint it correctly so I can see what is happening.
>
>
>

I’ll debug that output. I must admit I’m stunned. For my money, HTTP was a port 80 protocol. The fact that my browser could be using another port suprises me greatly. Off to do some more googling to substantiate this.

You should start by learning TCP/IP basics. You’re wasting you time at the
moment.

wrote in message news:xxxxx@ntdev…
> I’ll debug that output. I must admit I’m stunned. For my money, HTTP was a
> port 80 protocol. The fact that my browser could be using another port
> suprises me greatly. Off to do some more googling to substantiate this.
>
>
>

> I remember 2’s complement from years ago, but do we really have to go bit

flipping? Surely to close this thread off someone just needs to dump some
code that will work.

This isnt a paid for support service ticket, and frankly I’m amazed you’re
getting such helpful answers here from this specialist group, for such
beginner level C programming questions.

Lyndon,

You have been precisely 0/6 help all evening. Of course I use google ffs. I have persisted with this as I dumped one line of code, and said what’s wrong with it? Postulation and sniping aside there has been a few people who have been (IMVHO) helpful. You are not one of them.

It is late here so I’m off to bed.

xxxxx@yahoo.co.uk wrote:

I’ll debug that output. I must admit I’m stunned. For my money, HTTP was a port 80 protocol. The fact that my browser could be using another port suprises me greatly. Off to do some more googling to substantiate this.

The browser makes a request to talk to port 80 on the server. However,
a TCP port has a socket on both ends, and the client end gets a random
port number in the upper part of the range.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Complete and utter rubbish.

I told you how to find out what format to use for DbgPrint.

I answered your question about comparision of int with unsigned short.

These were your questions in your original post, both of which were answered
my original reply.

wrote in message news:xxxxx@ntdev…
> Lyndon,
>
> You have been precisely 0/6 help all evening. Of course I use google ffs.
> I have persisted with this as I dumped one line of code, and said what’s
> wrong with it? Postulation and sniping aside there has been a few people
> who have been (IMVHO) helpful. You are not one of them.
>
> It is late here so I’m off to bed.
>

Persisted? I don’t know, Dude - there’s just something wrong with requiring 37 posts to convince
you that you don’t know what the fuck you’re doing on any number of levels. There’s no shame in the
not knowing, but I guess what some of us are trying to express is that it would be nice if you
didn’t pretty much make us beg to help you, but instead considered providing the information that
was requested, when it was requested. Had you, it’s not like it would have been all that difficult
to figure out that you’re assumption about the port number was incorrect.

You are absolutely correct (in my opinion) that this thread included a bunch of noise that had
nothing to do with your problem and certainly did not appear to have been presented as ‘help,’ but
this is pretty much part for the course here, and no matter how obliquely you approach it, the net
result of six hours of work on the part of multiple volunteers was that you finally provided enough
information to make the determination that you didn’t understand problem domain and consequently had
been looking for the wrong thing all along.

Ideally I think most of us would like to be a little more productive than this.

Thank you for your consideration,

mm

Lyndon J Clarke wrote:

Complete and utter rubbish.

I told you how to find out what format to use for DbgPrint.

I answered your question about comparision of int with unsigned short.

These were your questions in your original post, both of which were answered
my original reply.

wrote in message news:xxxxx@ntdev…
>> Lyndon,
>>
>> You have been precisely 0/6 help all evening. Of course I use google ffs.
>> I have persisted with this as I dumped one line of code, and said what’s
>> wrong with it? Postulation and sniping aside there has been a few people
>> who have been (IMVHO) helpful. You are not one of them.
>>
>> It is late here so I’m off to bed.
>>
>
>
>

The reason why I specified that you should look at the standard printf dcumentation is so that the next time you have a similar question, you will know where to go to answer it yourself. This will produce a faster response, and it’s generally a beneficial programmer skill anyway. Who knows, maybe one day you’ll take the knowledge you have gained and use it to help answer someone else’s question, maybe even on a list like this.

Think of it as a “teach a man to fish” kind of thing.

Let’s think this through logically, though. If you are not seeing the right fomatted data, the possibilities are likely along the lines of:

• You are formatting it incorrectly. For example, printing the wrong byte order or treating an unsigned quantity as a signed one.

• You are formatting the wrong data. This is not something we can help you with given the available information (psychic debugging has its limits) if it turns out to be the case. If you have exhausted all the possibilities of wrong formatting, this is where I would look next. If you have already tried %hu and verified that you are using the correct endian, then the variable where you are getting your data from likely really does not have the correct port number after all due to a bug in your code (which we cannot see).

• S

-----Original Message-----
From: xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 15:53
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

Wow, lots of cross fire.

As I said before, I am no further forward. I have swapped bytes around using RtlUShortByteSwap
and someone helpfully posted that DbgPrint and printf are the same function (yawn). Still I NEED someone to go to the try line and stop speaking in riddles.

I posted code

DbgPrint (“The local port is %hi \n”,RtlUShortByteSwap(packet->localPort));

And someone pointed out that i is for signed integers. But noone actually posted how to correctly DbgPrint a UINT16. That is really all Im asking. The big endian to little endian byte swapping was a big steer I’m sure.

I remember 2’s complement from years ago, but do we really have to go bit flipping? Surely to close this thread off someone just needs to dump some code that will work.

I have recently tried

DbgPrint (“The local port is %hu \n”,RtlUShortByteSwap(packet->localPort));

I am expecting to see port 80, as it is a browser I am using to generate the packets.

Thanks

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@yahoo.co.uk wrote:

Lyndon,

You have been precisely 0/6 help all evening. Of course I use google ffs. I have persisted with this as I dumped one line of code, and said what’s wrong with it? Postulation and sniping aside there has been a few people who have been (IMVHO) helpful. You are not one of them.

It is late here so I’m off to bed.

Interesting. Your question is timed at 5.33 PM on my system, and
Lyndon’s first reply is timed at 5.51.

You asked for the correct formatting string to use with DbgPrint,
suggesting inability to read documentation. Lyndon answered that it was
the same as printf, answering the core question for someone too lazy to
look up DbgPrint, and providing more than enough information for someone
who wasn’t lacking in C skills. Most of those whose C skills don’t
extend to knowing the printf formats would then think of looking at its
documentation.

You asked how to compare a UINT16 to an int, wondering about a cast, and
demonstrating a remarkable lack of self-help skills, or of C skills, or
of both. Despite the gob-smacking nature of the question, Lyndon’s first
message gave you a full answer. He reminded you that a UINT16 is an
‘unsigned short’ just in case you’d forgotten that since you looked it
up in the header files.

He even gave you a hint about byte-ordering though you didn’t ask
anything about that area. This risked him being considered patronizing
since no-one writing TCP/IP-related code should need to be told about
that, but all the same …

You owe Lyndon an apology for insulting him after he wasted his time
trying to help you.

Learning the basics of self-help (such as looking at header files and
documentation), C, and TCP/IP before tackling a network packet inspector
would probably help you get where you need to be more quickly. Learning
how to ask questions effectively would save time for you and others -
http://www.catb.org/~esr/faqs/smart-questions.html is an excellent
resource for this.