From: Ted Dunning
To: Charles Givre, "dev@drill.apache.org"
Subject: Re: PCAP Issues
Date: Tue, 2 Jan 2018 06:42:15 +0000

PacketConstants.ETHER_HEADER_LENGTH + getIPHeaderLength() +13 to get the word that has the flags

Looks to me like getByte(raw, ipOffset + getIPHeaderLength() + 13) is what you need. And this gets you the byte, not the word.

________________________________
From: Charles Givre
Sent: Monday, January 1, 2018 12:31:17 PM
To: dev@drill.apache.org
Cc: Ted Dunning
Subject: PCAP Issues

Hello all,

I was playing with the PCAP functionality in Drill and I wanted to add the TCP flags to the data that Drill is returning. I was also interested in adding the TCP Sequence and Ack numbers as well. I noticed that the code as written currently has a function in Packet.java which returns the TCP Sequence number, however this was never added to the schema, so I added that and rebuilt Drill, however, it doesn't seem to be returning the correct result. The file I was querying is attached to this email, and should in all cases return a sequence number of zero.

Questions:

1. Could someone please take a look at the code for the tcp_sequence and see if I did something wrong, or if the offset is not being calculated correctly?
2. I'm trying to figure out the offsets for the various TCP flags. I would think that the offset should be PacketConstants.ETHER_HEADER_LENGTH + getIPHeaderLength() +13 to get the word that has the flags and then from there, access the individual bits. However, this doesn't seem to work. What am I missing?

Thanks and Happy New Year!
- C
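
The offsets discussed in this thread, as an added stand-alone example that is not code from Drill's Packet.java or from either poster: it reads the TCP sequence number, acknowledgment number and flags byte from a raw frame and decodes the individual flag bits. The class and method names are hypothetical, the frame is constructed, and the code assumes untagged Ethernet II carrying IPv4.

```java
import java.util.ArrayList;
import java.util.List;

public class TcpHeaderFields {                    // hypothetical class, not part of Drill
    static final int ETHER_HEADER_LENGTH = 14;    // assumption: untagged Ethernet II
    // Bit 0 (0x01) through bit 7 (0x80) of byte 13 of the TCP header.
    static final String[] FLAG_NAMES = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"};

    // Start of the TCP header: Ethernet header + IPv4 header (IHL nibble * 4 bytes).
    static int tcpOffset(byte[] raw) {
        int ipOffset = ETHER_HEADER_LENGTH;
        if (raw.length < ipOffset + 20) throw new IllegalArgumentException("truncated IP header");
        int ipHeaderLength = (raw[ipOffset] & 0x0F) * 4;
        int tcp = ipOffset + ipHeaderLength;
        if (ipHeaderLength < 20 || raw.length < tcp + 20)
            throw new IllegalArgumentException("bad IHL or truncated TCP header");
        return tcp;
    }

    // Big-endian 32-bit field as an unsigned value. Java bytes are signed, so each
    // byte is masked before shifting; the result needs a long to hold values >= 2^31.
    static long unsignedInt(byte[] raw, int off) {
        return ((raw[off] & 0xFFL) << 24) | ((raw[off + 1] & 0xFFL) << 16)
             | ((raw[off + 2] & 0xFFL) << 8) | (raw[off + 3] & 0xFFL);
    }

    static long sequence(byte[] raw)  { return unsignedInt(raw, tcpOffset(raw) + 4); }
    static long ackNumber(byte[] raw) { return unsignedInt(raw, tcpOffset(raw) + 8); }
    static int flagsByte(byte[] raw)  { return raw[tcpOffset(raw) + 13] & 0xFF; }

    static List<String> flagNames(int flags) {
        List<String> out = new ArrayList<>();
        for (int bit = 0; bit < 8; bit++)
            if ((flags & (1 << bit)) != 0) out.add(FLAG_NAMES[bit]);
        return out;
    }

    public static void main(String[] args) {
        // Constructed frame: 14-byte Ethernet, 20-byte IPv4 (IHL = 5), 20-byte TCP header.
        byte[] raw = new byte[54];
        raw[12] = 0x08;                           // EtherType 0x0800 (IPv4)
        raw[14] = 0x45;                           // IP version 4, IHL 5
        raw[23] = 6;                              // IP protocol: TCP
        int tcp = 34;                             // 14 + 20
        raw[tcp + 4] = (byte) 0x80;               // sequence number 0x80000001:
        raw[tcp + 7] = 0x01;                      //   high bit set to exercise the masking
        raw[tcp + 12] = 0x50;                     // TCP data offset 5
        raw[tcp + 13] = 0x12;                     // SYN (0x02) | ACK (0x10)
        System.out.println("seq=" + sequence(raw) + " ack=" + ackNumber(raw)
                + " flags=" + flagNames(flagsByte(raw)));
    }
}
```

The sequence number read this way is the raw 32-bit field from the wire; Wireshark, by default, displays sequence numbers relative to the start of the stream.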