Does the Ethernet packet header length displayed by tcpdump include the size of the IP packet as well as the data contained?
When you use the `-e` option you may get three lengths, as shown below. The first length is the length of the IP packet including the TCP packet; the second is the length of the TCP packet including the header and data; and the third is the length of the data contained in the TCP packet.
```
23:07:10.621602 xx:xx:xx:xx:xx:xx > yy:yy:yy:yy:yy:yy, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 24031, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.12.63357 > 192.168.0.8.25: Flags [R.], cksum 0x7e4c (correct), seq 1, ack 48, win 0, length 0
```

BillThor
- Yes, so taking your above example, does it mean that the length of the Ethernet packet, i.e. 60 (in your example), already includes the length of the IP packet, i.e. 40? – termcap Oct 17 '16 at 05:20
- @termcap Yes. I believe ISO mapping is: the size 60 is the size in Layer 3 (IP) packet; the size 40 is the size in Layer 4 (TCP) packet, and the size 0 is the data size for Layers 5+. Lower level packet sizes include the size of inner packets. Ethernet headers are 14 bytes long. UDP headers are 8 bytes, so you can verify with a UDP capture. – BillThor Oct 17 '16 at 19:13
- When I do a capture of UDP data with -e I only get two lengths, so can I assume that the size of data is contained in the second length itself, example: `07:41:59.244536 In 44:1e:a1:3e:22:6c (oui Unknown) ethertype IPv4 (0x0800), length 91: (tos 0x0, ttl 64, id 22241, offset 0, flags [none], proto UDP (17), length 75) 30.10.12.14.snmp > 30.10.12.10.47860: [udp sum ok] { SNMPv1 { GetResponse(32) R=416488035 25.2.3.1.6.32=2 } } 0x0000: 4500 004b 56e1 0000 4011 cf95 1e0a 0c0e` – termcap Oct 18 '16 at 04:50
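
An added example (not from the answer or the comments above) that parses constructed frames and recomputes the three lengths in the `tcpdump -e` TCP line: frame length, IP total length and payload length. The frame bytes, MAC addresses and the helper names `build_frame` and `lengths` are constructed for illustration, and it assumes IPv4 over plain Ethernet with no VLAN tag.

```python
import struct

ETH_HLEN = 14        # dst MAC (6) + src MAC (6) + ethertype (2)
ETH_MIN_FRAME = 60   # minimum Ethernet frame size, not counting the 4-byte FCS

def build_frame(proto, l4_header, payload=b""):
    """Build a constructed IPv4-over-Ethernet frame, zero-padded to the minimum size."""
    total_len = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                     bytes([192, 0, 2, 12]), bytes([192, 168, 0, 8]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    return (eth + ip + l4_header + payload).ljust(ETH_MIN_FRAME, b"\x00")

def lengths(frame):
    """Return (frame_len, ip_total_len, l4_payload_len, ethernet_padding)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    ver_ihl, _tos, ip_total = struct.unpack_from("!BBH", frame, ETH_HLEN)
    ip_hlen = (ver_ihl & 0x0F) * 4          # IHL is counted in 32-bit words
    proto = frame[ETH_HLEN + 9]
    l4 = ETH_HLEN + ip_hlen
    if proto == 6:                          # TCP: data-offset nibble, in 32-bit words
        l4_hlen = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                       # UDP: fixed 8-byte header
        l4_hlen = 8
    else:
        raise ValueError("unsupported protocol")
    payload_len = ip_total - ip_hlen - l4_hlen
    padding = len(frame) - ETH_HLEN - ip_total
    return len(frame), ip_total, payload_len, padding

# Constructed TCP RST/ACK segment with no data, same sizes as the capture line above.
TCP_RST = build_frame(6, struct.pack("!HHIIBBHHH", 63357, 25, 1, 48, 5 << 4, 0x14, 0, 0, 0))
# Constructed UDP datagram with a 100-byte payload (length field = 8 + 100).
UDP_FRAME = build_frame(17, struct.pack("!HHHH", 161, 47860, 108, 0), b"\x00" * 100)

if __name__ == "__main__":
    for name, frame in (("tcp", TCP_RST), ("udp", UDP_FRAME)):
        print(name, lengths(frame))
```

For the TCP case the 14-byte header plus the 40-byte IP packet is only 54 bytes, so the remaining 6 bytes of the 60-byte frame are Ethernet padding.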