
I use tcpdump on different machines with different versions, and I notice that there are 16 0x00 bytes at the end of UDP packets in the higher tcpdump version. Anybody know why?

Machine A with

tcpdump version 4.1-PRE-CVS_2012_03_26

libpcap version 1.0.0

12:12:26.363084 IP 100.65.96.185.38431 > 10.100.71.207.54404: UDP, length 121
0x0000:  3897 d6b1 e3c1 5452 0092 f8ae 0800 4500  8.....TR......E.
0x0010:  0095 b0fd 4000 4011 722d 6441 60b9 0a64  ....@.@.r-dA`..d
0x0020:  47cf 961f d484 0081 17c0 2800 0000 0000  G.........(.....
0x0030:  0000 6f08 6412 6b08 0110 5318 0020 ebb1  ..o.d.k...S.....
0x0040:  d6b9 0730 a7f0 f7d2 0538 9891 b5d0 0a40  ...0.....8.....@
0x0050:  9891 b5d0 0a48 0172 3a0a 380a 1b08 0010  .....H.r:.8.....
0x0060:  a7f0 f7d2 0518 a4af e8e6 0e20 0028 0930  .............(.0
0x0070:  0038 8601 4000 4a00 1213 0a11 0a0f 6a61  .8..@.J.......ja
0x0080:  736f 6e2d 636f 6e66 2d74 6573 7412 044a  son-conf-test..J
0x0090:  0208 0080 0101 8801 0090 01b4 b3ee 7e98  ..............~.
0x00a0:  0101 29                                  ..)

Machine B with

tcpdump version 4.5.1

libpcap version 1.5.3

12:12:26.353267 IP 100.65.96.185.38431 > 10.100.71.207.54404: UDP, length 121
0x0000:  4560 0095 b0fd 4000 3a11 77cd 6441 60b9  E`....@.:.w.dA`.
0x0010:  0a64 47cf 961f d484 0081 8065 2800 0000  .dG........e(...
0x0020:  0000 0000 6f08 6412 6b08 0110 5318 0020  ....o.d.k...S...
0x0030:  ebb1 d6b9 0730 a7f0 f7d2 0538 9891 b5d0  .....0.....8....
0x0040:  0a40 9891 b5d0 0a48 0172 3a0a 380a 1b08  .@.....H.r:.8...
0x0050:  0010 a7f0 f7d2 0518 a4af e8e6 0e20 0028  ...............(
0x0060:  0930 0038 8601 4000 4a00 1213 0a11 0a0f  .0.8..@.J.......
0x0070:  6a61 736f 6e2d 636f 6e66 2d74 6573 7412  jason-conf-test.
0x0080:  044a 0208 0080 0101 8801 0090 01b4 b3ee  .J..............
0x0090:  7e98 0101 2900 0000 0000 0000 0000 0000  ~...)...........
0x00a0:  0000 0000 00
chen
  • That looks like a bug. If you look at the UDP length and the IP datagram length, the output should have ended at 0x95, which is the 0x29 byte. – David Hoelzer Jan 19 '18 at 17:56

1 Answer


That looks like a bug. If you look at the UDP length and the IP datagram length, the output should have ended at 0x95, which is the 0x29 byte.

The IP length in the packet is 0x0095, which is 149 bytes.

The UDP length is 0x0081, which is 129.

20 byte IP header + 129 bytes of UDP data brings us to 149, which matches 0x95. TCPDump should not be showing those last few bytes.

David Hoelzer
  • By the way, have you looked at the same packets with Wireshark? I'm curious to see what it shows. There is a slim possibility that the ethernet framing is 802.2 and indicates that the data length from the ethernet frame's perspective is longer than what IP is set to. – David Hoelzer Jan 21 '18 at 15:15
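The arithmetic in the answer (IP total length 0x0095 = 149, UDP length 0x0081 = 129, 20 + 129 = 149, last real byte 0x29) can be checked mechanically against both hex dumps from the question. The script below is an added example, not code from the question or the answer: it parses tcpdump's `-x` style output, detects whether a 14-byte Ethernet header precedes the IPv4 header (Machine A) or the dump starts directly at IPv4 (Machine B), verifies the IPv4 header checksum so the length fields can be trusted, and reports how many bytes the capture contains beyond what the IP total length accounts for. The two dump strings are copied from the question; the function and field names are my own.

```python
import re
import struct

# Hex dumps as printed by tcpdump in the question. Machine A includes the
# Ethernet header; Machine B starts at the IPv4 header and has trailing zeros.
DUMP_A = """
0x0000:  3897 d6b1 e3c1 5452 0092 f8ae 0800 4500  8.....TR......E.
0x0010:  0095 b0fd 4000 4011 722d 6441 60b9 0a64  ....@.@.r-dA`..d
0x0020:  47cf 961f d484 0081 17c0 2800 0000 0000  G.........(.....
0x0030:  0000 6f08 6412 6b08 0110 5318 0020 ebb1  ..o.d.k...S.....
0x0040:  d6b9 0730 a7f0 f7d2 0538 9891 b5d0 0a40  ...0.....8.....@
0x0050:  9891 b5d0 0a48 0172 3a0a 380a 1b08 0010  .....H.r:.8.....
0x0060:  a7f0 f7d2 0518 a4af e8e6 0e20 0028 0930  .............(.0
0x0070:  0038 8601 4000 4a00 1213 0a11 0a0f 6a61  .8..@.J.......ja
0x0080:  736f 6e2d 636f 6e66 2d74 6573 7412 044a  son-conf-test..J
0x0090:  0208 0080 0101 8801 0090 01b4 b3ee 7e98  ..............~.
0x00a0:  0101 29                                  ..)
"""

DUMP_B = """
0x0000:  4560 0095 b0fd 4000 3a11 77cd 6441 60b9  E`....@.:.w.dA`.
0x0010:  0a64 47cf 961f d484 0081 8065 2800 0000  .dG........e(...
0x0020:  0000 0000 6f08 6412 6b08 0110 5318 0020  ....o.d.k...S...
0x0030:  ebb1 d6b9 0730 a7f0 f7d2 0538 9891 b5d0  .....0.....8....
0x0040:  0a40 9891 b5d0 0a48 0172 3a0a 380a 1b08  .@.....H.r:.8...
0x0050:  0010 a7f0 f7d2 0518 a4af e8e6 0e20 0028  ...............(
0x0060:  0930 0038 8601 4000 4a00 1213 0a11 0a0f  .0.8..@.J.......
0x0070:  6a61 736f 6e2d 636f 6e66 2d74 6573 7412  jason-conf-test.
0x0080:  044a 0208 0080 0101 8801 0090 01b4 b3ee  .J..............
0x0090:  7e98 0101 2900 0000 0000 0000 0000 0000  ~...)...........
0x00a0:  0000 0000 00
"""

HEX_TOKEN = re.compile(r"[0-9a-f]{4}|[0-9a-f]{2}")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Turn tcpdump -x output back into raw bytes, ignoring the ASCII column."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        for tok in rest.split():
            if HEX_TOKEN.fullmatch(tok):
                raw.extend(bytes.fromhex(tok))
            else:
                break  # first non-hex token marks the start of the ASCII column
    return bytes(raw)


def ipv4_header_checksum_ok(ip_header: bytes) -> bool:
    """One's-complement sum over the header (checksum field included) must be 0xFFFF."""
    total = sum((ip_header[i] << 8) | ip_header[i + 1] for i in range(0, len(ip_header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def analyze(frame: bytes) -> dict:
    """Compare the captured length against the IPv4/UDP length fields."""
    if frame[0] >> 4 == 4:                       # dump starts at the IPv4 header
        link_len = 0
    elif frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
        link_len = 14                            # Ethernet II header carrying IPv4
    else:
        raise ValueError("not an IPv4 packet")
    ip = frame[link_len:]
    ihl = (ip[0] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp_len = struct.unpack("!H", ip[ihl + 4:ihl + 6])[0]
    trailing = ip[ip_total_len:]                 # bytes tcpdump printed beyond the IP datagram
    return {
        "link_len": link_len,
        "ip_header_len": ihl,
        "ip_total_len": ip_total_len,
        "ip_checksum_ok": ipv4_header_checksum_ok(ip[:ihl]),
        "udp_len": udp_len,
        "udp_payload_len": udp_len - 8,          # what tcpdump reports as "length"
        "lengths_consistent": ihl + udp_len == ip_total_len,
        "last_ip_byte": ip[ip_total_len - 1],
        "trailing_bytes": len(trailing),
        "trailing_all_zero": not any(trailing),
    }


if __name__ == "__main__":
    for name, dump in (("Machine A", DUMP_A), ("Machine B", DUMP_B)):
        print(name, analyze(parse_tcpdump_hex(dump)))
```

Run as-is, Machine A reports zero trailing bytes and Machine B reports 16 trailing zero bytes after byte 0x29, with both IP header checksums valid and 20 + 129 = 149 in both cases; the same routine applied to your own captures tells you whether extra bytes in a dump are part of the datagram or come from outside it.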