I am capturing packets using libpcap. I am calculating the payload size as given here
size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp);
Now, for a packet, size_payload is 1228, ethernet header is 14 bytes, IP header is 20 bytes, TCP header is 32 bytes. While header.caplen and header.len are 1514 bytes. Shouldn't size_payload+size_ip+size_tcp+size_ethernet be equal to header.caplen?
Also, when I dump the same packets using tcpdump, the capture length is shown as 1514. Why do these differ? I expected ntohs(ip->ip_len) to be equal to header.caplen and header.len.
EDIT
I expected ntohs(ip->ip_len) to be equal to header.caplen and header.len. But what I find is ntohs(ip->ip_len) = 1280 and header.caplen = header.len = 1514.
The caplen says how much of the packet may be captured, not necessarily how much actually was. You need to compare that value with the len field.
If caplen >= len you know that you should have the entire packet contents available. Otherwise, the packet capture has been truncated.
Related
Two hosts A and B are communicating with each other using TCP. Assume that the sequence number field starts at 0 and the receiver employs cumulative ACK. A has successfully sent 465 bytes of data, which were also ACKed by B. Suppose A were now to send 3 segments of size 110, 40, and 60. What sequence number will the third segment carry?
This is very simple to work out, and it sounds a lot like a homework problem. I usually won't answer these, but...
Remember that the initial SYN consumes 1 byte in the connection. This means that the initial SYN with sequence number zero is ACKed as 1.
We now transfer 465 bytes. This means that the last sequence number ACKed will be 466, and 466 will now appear as the sequence number from A to B.
We now send 110 bytes. The sequence number in the packet will be 466 with a data payload of 110. The ACK will be for 576.
Following this, 40 more bytes are sent. This will have a sequence number of 576 in the packet with 40 bytes of payload and the ACK will be for 616.
That brings us to the last segment. The sequence number in the segment should be 616, as long as I've done the maths correctly in my head, and this is the sequence number in the packet that you are asking about. The ACK for that will be for 676.
What will happen when the Total Length field value in the IPv4 header is smaller than the length of the Ethernet frame? How will a device behave when it receives that kind of frame? Will the device recognize the frame as invalid due to the inconsistency and reject it?
Second situation: the max Ethernet frame length is 1518 bytes. What will happen when I extend this frame and add an additional 2 bytes, assuming that the IPv4 total length matches the length of the extended frame?
Thanks.
The value of the Total Length field in an IPv4 header must be smaller than the frame length; anything else is a sign of corruption. The IPv4 packet is the payload of the frame, so the frame length is the total packet length plus the frame header and trailer.
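An added example, not part of the original posts, that serves both the libpcap question above and this Total Length question: a bounds-checked walk over the Ethernet, IPv4 and TCP headers that rejects a truncated capture or a Total Length larger than the frame, and reports any frame bytes left over after the IPv4 packet. The names frame_sizes, measure_frame and measure_sample are hypothetical, and the sample frame is constructed from the sizes quoted in the libpcap question.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14

struct frame_sizes {
    size_t ip_hdr, tcp_hdr, payload; /* taken from the header fields */
    size_t trailing;                 /* frame bytes after the IPv4 packet */
};

/* buf holds caplen captured bytes of a frame that was wire_len bytes on the
 * wire. Returns 0 and fills *out, or -1 if the capture is truncated or the
 * length fields do not fit inside the captured bytes. */
int measure_frame(const uint8_t *buf, size_t caplen, size_t wire_len,
                  struct frame_sizes *out)
{
    if (caplen < wire_len) return -1;              /* truncated capture */
    if (caplen < ETH_HLEN + 20) return -1;         /* no room for an IPv4 header */
    if (buf[12] != 0x08 || buf[13] != 0x00) return -1; /* EtherType is not IPv4 */
    const uint8_t *ip = buf + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return -1;              /* version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;       /* IPv4 header length */
    size_t total = ((size_t)ip[2] << 8) | ip[3];   /* Total Length, big-endian */
    if (ihl < 20 || total > caplen - ETH_HLEN) return -1;
    if (ip[9] != 6 || total < ihl + 20) return -1; /* not TCP, or no TCP header */
    size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4; /* TCP data offset */
    if (doff < 20 || ihl + doff > total) return -1;
    out->ip_hdr = ihl;
    out->tcp_hdr = doff;
    out->payload = total - ihl - doff;
    out->trailing = caplen - ETH_HLEN - total;
    return 0;
}

/* Constructed sample (not a real capture): a zero-filled 1514-byte frame with
 * a 20-byte IPv4 header and a 32-byte TCP header. caplen must be <= 1514. */
int measure_sample(size_t total_len, size_t caplen, size_t wire_len,
                   struct frame_sizes *out)
{
    static uint8_t f[1514];
    memset(f, 0, sizeof f);
    f[12] = 0x08; f[13] = 0x00;                    /* EtherType 0x0800 */
    f[14] = 0x45;                                  /* IPv4, IHL 5 = 20 bytes */
    f[16] = (uint8_t)(total_len >> 8); f[17] = (uint8_t)(total_len & 0xff);
    f[23] = 6;                                     /* protocol = TCP */
    f[ETH_HLEN + 20 + 12] = 0x80;                  /* data offset 8 = 32 bytes */
    return measure_frame(f, caplen, wire_len, out);
}
```

With the question's values (Total Length 1280, caplen = len = 1514) this reports a payload of 1228 bytes and 220 frame bytes after the end of the IPv4 packet.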
I have data of 25 bytes and would like to send it over a network. I would like to know how to calculate the minimum packet size if TCP is used over IPv4. All the sites on the net explain it separately only. I don't need to include the other protocol or layer headers.
Thus I would like to know what the size would be.
According to my research it is 20 TCP header + 20 IPv4 header + 25 bytes = 65 bytes. Is it correct?
Neither TCP nor IP uses padding, so
http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
TCP headers are 20 bytes (+ options) in length. TCP doesn't add any padding. If the data is 25 bytes, the TCP segment is 45 bytes or larger.
http://en.wikipedia.org/wiki/IPv4#Packet_structure
https://www.rfc-editor.org/rfc/rfc791#page-34
IPv4 headers are 20 bytes (+ options) in length. IPv4 doesn't add any padding. If the TCP frame is 45 bytes, the IPv4 packet is 65 bytes or larger.
Your results are correct.
Also,
http://www.infocellar.com/networks/ethernet/frame.htm
Ethernet headers are 14 bytes (assuming Ethernet2, not including the eight-byte preamble), and an ethernet frame ends with 4 bytes of CRC. Ethernet does not add any padding except to ensure a minimum of 64 bytes total. If the IPv4 packet is 65 bytes, the Ethernet frame is 83 bytes.
I have to calculate and verify checksums for IP packets (I am writing a router in C). The struct that represents an IP header has a 16 bit checksum but the total number of bits in the struct is not evenly divisible by 16 -- it is 8 bits short.
My question is this. Do I read the struct 16 bits at a time and pad the last set of bits with zeroes to calculate the checksum?
If you had the wrong number of bits, you would pad zero bits to the end of the data.
However, IP calculates over the header fields and thus always has a multiple of 16 bits on which to calculate the checksum. TCP sometimes needs an extra byte of zero at the end of the data.
http://en.wikipedia.org/wiki/IPv4_header_checksum
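One way to implement the calculation this answer describes, as an added example that is not code from the original posts: the one's-complement sum over 16-bit words with zero padding for an odd trailing byte, applied to an IPv4 header whose length is taken from the IHL field, plus the verify, decrement TTL and recompute step a router performs. All function names are hypothetical and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* One's-complement Internet checksum over len bytes, read as big-endian
 * 16-bit words. An odd trailing byte becomes the high byte of a final word
 * whose low byte is the zero padding. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;                       /* cannot overflow for len <= 65535 */
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (i < len)
        sum += (uint32_t)data[i] << 8;
    while (sum >> 16)                       /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length from the IHL field, or 0 if it does not fit in avail bytes. */
size_t ipv4_header_len(const uint8_t *hdr, size_t avail)
{
    if (avail < 20 || (hdr[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;
    return (ihl >= 20 && ihl <= avail) ? ihl : 0;
}

/* A valid header, summed with its checksum field included, yields 0. */
int ipv4_checksum_ok(const uint8_t *hdr, size_t avail)
{
    size_t ihl = ipv4_header_len(hdr, avail);
    return ihl != 0 && inet_checksum(hdr, ihl) == 0;
}

/* Router step: verify, decrement TTL, recompute. Returns 0, or -1 to drop. */
int forward_hop(uint8_t *hdr, size_t avail)
{
    if (!ipv4_checksum_ok(hdr, avail) || hdr[8] <= 1) return -1;
    hdr[8]--;                               /* TTL */
    hdr[10] = hdr[11] = 0;                  /* field is zero while summing */
    uint16_t c = inet_checksum(hdr, ipv4_header_len(hdr, avail));
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xff);
    return 0;
}

/* Constructed sample header (20 bytes, no options), checksum 0xb861. */
uint8_t sample_hdr[20] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                           0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
```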
It is possible to use very big frames with some Ethernet cards. One case is 9k frames, or jumbo frames, and the other case is super jumbo frames (as far as I know, up to 64k).
What is the format of the frame used for such huge packets?
As far as I know, for normal frames two formats are widely used:
Preamble    Start_byte  dest_mac  src_mac  Ethertype/length  Payload        CRC      Interframe gap
10101010x7  10101011    6 bytes   6 bytes  2 bytes           46–1500 bytes  4 bytes  12 bytes
In one case, the Ethertype field is used for the length, and in the second, for the packet type. If this field is < 0x0600 (decimal 1536 bytes), this is a length; if >= 0x0600, it is a type.
So, it looks impossible to store 9000 in this field as a length. How is the length of jumbo and super jumbo frames stored?
The format used for jumbos is the same. Despite this description, the Ethertype field is not normally used to store a length. Normally in the Ethertype field, you will not see a length; you will see a type. Types are specified by IANA here:
https://www.iana.org/assignments/ieee-802-numbers
Usually you'll see one of the following types from the table:
Ethertype         Exp. Ethernet   Description           References
----------------  --------------  --------------------  ----------
2054   0806       -      -        ARP                   [IANA]
2048   0800       513    1001     Internet IP (IPv4)    [IANA]
       86DD                       IPv6                  [IANA]
There are two reasons this works:
The hardware sending the packet doesn't depend on the Layer 2 length field to know the Layer 1 length.
Some Layer 3 packets such as ARP have a known size (at least, for a known combination of hardware/protocol address length, such as Ethernet/IP where it is normally used). IPv4/IPv6 packets have a length field in their own header.