Can someone please explain why the maximum legal size of an ICMP echo packet is calculated as follows:
65535 - 20 - 8 = 65507
Thanks.
65535 bytes is the maximum allowed size of an IPv4 network packet, while 20 and 8 are the sizes of the IP and ICMP headers, which leaves up to 65507 bytes for the ICMP data.
I am pretty new to network traffic. I am trying to get the size of data transferred every second in the internet traffic. I downloaded one pcap file, and I'm using tcpdump to analyze it. By running
tcpdump -tttt -v -r sample.pcap
I get some records like below:
21:00:00.539514 IP (tos 0x0, ttl 118, id 0, offset 0, flags [none], proto ICMP (1), length 32)
111.195.18.190 > host-203-203-22-140.net: ICMP echo reply, id 11884, seq 4803, length 12
According to the tutorial (http://packetpushers.net/masterclass-tcpdump-interpreting-output/), the first length (32) is the entire IP packet length, and the second length (12) is the TCP packet length.
I want to know how much data transferred between two hosts. Which one should I use, IP length, TCP length or something else?
Application data (maybe a video, a message, a picture, etc.) is sent with a few headers of lower layers (TCP header (layer 4), IPv4 header (layer 3), Ethernet header (layer 2), etc.).
A TCP packet is application data + a TCP header, an IPv4 packet is a TCP packet + an IPv4 header, and so on.
IP packet length is TCP packet length + IP header length. This is why the first length and the second length are different.
Headers may be changed by network devices between the two hosts, so there's no way to know how much data was transferred between the two.
If you want to know the length of each packet in the pcap file, run tcpdump -e -r sample.pcap and look at the first length on each line.
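As an added example (not part of the question or the answer above), here is a small parser for the two-line records that `tcpdump -tttt -v` prints, which buckets the first length (the IP total length) per second and per source/destination pair. The sample dump is constructed for this example: its first record is the ICMP line from the question, the TCP records are made up so that the arithmetic is visible (1500 = 20 IP + 32 TCP header with options + 1448 payload).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -tttt -v -r sample.pcap` output. The first
# packet is the ICMP line quoted in the question; the two TCP packets are made up for
# this example (1500 = 20 IP + 32 TCP header incl. options + 1448 payload; 52 = 20 + 32 + 0).
SAMPLE_TCPDUMP = """\
21:00:00.539514 IP (tos 0x0, ttl 118, id 0, offset 0, flags [none], proto ICMP (1), length 32)
    111.195.18.190 > host-203-203-22-140.net: ICMP echo reply, id 11884, seq 4803, length 12
21:00:00.731002 IP (tos 0x0, ttl 64, id 4321, offset 0, flags [DF], proto TCP (6), length 1500)
    10.0.0.5.443 > 10.0.0.9.51234: Flags [.], cksum 0x1a2b (correct), seq 1:1449, ack 1, win 501, options [nop,nop,TS val 1 ecr 2], length 1448
21:00:01.004500 IP (tos 0x0, ttl 64, id 4322, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.9.51234 > 10.0.0.5.443: Flags [.], cksum 0xabcd (correct), ack 1449, win 2000, options [nop,nop,TS val 2 ecr 1], length 0
"""

# Line 1 of each packet: optional date (printed by -tttt), time, then "IP (... length N)".
# N is the IP total length: everything from the IP header onwards, no Ethernet framing.
HEADER_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2})\.\d+ IP \(.*\blength (?P<ip_len>\d+)\)\s*$"
)
# Line 2 of each packet: "src > dst: <protocol summary>, length M".
FLOW_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>[^:]+):.*\blength (?P<l4_len>\d+)\s*$")

IPV4_HEADER_LEN = 20  # header without options; -v would list options if there were any


def parse_tcpdump(text):
    """Yield (second, src, dst, ip_len, printed_l4_len) for every packet in the dump."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        m = FLOW_RE.match(line)
        if m and header is not None:
            yield (header["ts"], m["src"], m["dst"].strip(),
                   int(header["ip_len"]), int(m["l4_len"]))
            header = None


def bytes_per_second(text):
    """Layer-3 bytes (IP total length) per wall-clock second."""
    totals = defaultdict(int)
    for second, _src, _dst, ip_len, _l4 in parse_tcpdump(text):
        totals[second] += ip_len
    return dict(totals)


def bytes_per_pair(text):
    """Per (src, dst) as printed: (IP total length, layer-4 bytes = ip_len - 20).
    The second length tcpdump prints is protocol specific (for TCP it is the payload
    only), so ip_len - header is the like-for-like figure across protocols."""
    totals = defaultdict(lambda: [0, 0])
    for _sec, src, dst, ip_len, _l4 in parse_tcpdump(text):
        totals[(src, dst)][0] += ip_len
        totals[(src, dst)][1] += ip_len - IPV4_HEADER_LEN
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    for second, total in sorted(bytes_per_second(SAMPLE_TCPDUMP).items()):
        print(second, total, "bytes")
    for pair, (ip_total, l4_total) in bytes_per_pair(SAMPLE_TCPDUMP).items():
        print(pair, "ip:", ip_total, "layer-4:", l4_total)
```

Feed it the output of `tcpdump -tttt -v -r sample.pcap` (the `-tttt` date prefix is accepted) and note that Ethernet framing is not counted in either figure; add `-e` and the frame length if you need bytes on the wire.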
I'm writing a program to analyze network traffic.
Therefore I want to check ICMP Type 30 (traceroute). I can't find a pcap file for this case. If I traceroute some website with cmd (traceroute stackoverflow.com), I get only ICMP types 0, 3, 8 and 11.
How can I get a pcap file with traceroute type 30?
ICMP Type 30 is deprecated.
Traceroute programs send either ICMP echo requests (type 8) or UDP packets. The packets are sent with low TTL values, triggering routers to respond with ICMP type 11 (Time Exceeded) packets.
I have a lot of pcap files
in each pcap file there are some tcp packets
I want to do the following steps:
1. Filter the pcap file to get the expected TCP packets (with tshark, the filter is like tcp.srcport==80 and tcp.dstport==20000). The TCP data in each TCP packet is tens of bytes:
   1) the first 2 bytes are a sequence number
   2) the second 2 bytes indicate a length: **n**
   3) the following **n** bytes are random (if **n** is 2, then there are 2 random bytes)
   4) immediately after the **n** bytes is an IP address
2. From each TCP packet, I want to get the source IP and the IP address string mentioned in 4).
Above all, I just want to get an IP pair from each TCP packet; the source IP is easy to obtain from tshark, but the IP address in the TCP data needs some effort.
Are there any good source code snippets or good ways that can be used for my target?
Thanks!
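As an added example (not from the question, which has no answer on this page), one way to do the extraction is to let tshark print the source address and the raw TCP payload as fields, then decode the payload layout described above in Python. Two assumptions that the question leaves open are labelled in the code: the 2-byte fields are big-endian, and the trailing address is a 4-byte binary IPv4 address (if your capture carries a dotted-decimal string instead, swap the last step for a `.decode()`). The tshark output below is constructed, not captured.

```python
import ipaddress
import struct

# Constructed stand-in for the output of (default field separator is a tab):
#   tshark -r capture.pcap -Y 'tcp.srcport==80 && tcp.dstport==20000' \
#          -T fields -e ip.src -e tcp.payload
# Older tshark prints the payload as "aa:bb:cc", newer versions as plain hex; both are handled.
SAMPLE_TSHARK_OUTPUT = """\
192.0.2.10\t00:01:00:02:ab:cd:0a:00:00:07
192.0.2.11\t000200031122330a000008
198.51.100.7\t0003
"""


def parse_record(payload: bytes):
    """Decode one payload laid out as: seq(2) | n(2) | n random bytes | IPv4 address(4).
    Assumption: big-endian integers and a 4-byte binary address.
    Raises ValueError instead of indexing past the end when n is larger than the data."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte prefix")
    seq, n = struct.unpack_from(">HH", payload, 0)
    addr_start = 4 + n
    if len(payload) < addr_start + 4:
        raise ValueError(f"need {addr_start + 4} bytes for n={n}, have {len(payload)}")
    embedded = ipaddress.IPv4Address(payload[addr_start:addr_start + 4])
    return seq, str(embedded)


def ip_pairs(tshark_text: str):
    """Return [(source IP from tshark, IP address carried in the TCP data), ...]."""
    pairs = []
    for line in tshark_text.splitlines():
        if not line.strip():
            continue
        src, hex_payload = line.split("\t", 1)
        payload = bytes.fromhex(hex_payload.replace(":", ""))
        try:
            _seq, embedded = parse_record(payload)
        except ValueError:
            # The length field comes from the wire, so a malformed or truncated record
            # is skipped rather than trusted.
            continue
        pairs.append((src, embedded))
    return pairs


if __name__ == "__main__":
    for src, embedded in ip_pairs(SAMPLE_TSHARK_OUTPUT):
        print(src, "->", embedded)
```

Pipe real tshark output in with `tshark ... -T fields -e ip.src -e tcp.payload | python3 extract.py` after replacing the constructed sample with `sys.stdin.read()`.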
Or: What is the maximum payload size for a TCP/IPv4 packet.
Much appreciated!
Cheers.
The MTU of an IP packet is the entire packet, including all IP and higher level headers (such as TCP headers) and payload. Lower level headers (such as Ethernet frames) are not included since they're not IP's concern. However the actual MTU value is influenced by the lower levels, as there's usually a limit, and IP has to stick to it.
MTU = IP header + TCP segment
MSS = data (doesn't include the TCP header)
How do you get the maximum number of bytes that can be passed to a sendto(..) call for a socket opened as a UDP port?
Use getsockopt(). This site has a good breakdown of the usage and options you can retrieve.
In Windows, you can do:
int optval;
int optlen = sizeof(optval);
/* Winsock takes a char* for the option buffer; SO_MAX_MSG_SIZE is only meaningful for datagram sockets */
getsockopt(socket, SOL_SOCKET, SO_MAX_MSG_SIZE, (char *)&optval, &optlen);
For Linux, according to the UDP man page, the kernel will use MTU discovery (it will check what the maximum UDP packet size is between here and the destination, and pick that), or if MTU discovery is off, it'll set the maximum size to the interface MTU and fragment anything larger. If you're sending over Ethernet, the typical MTU is 1500 bytes.
On Mac OS X there are different values for sending (SO_SNDBUF) and receiving (SO_RCVBUF).
This is the size of the send buffer (man getsockopt):
int optval;
socklen_t optlen = sizeof(optval);
getsockopt(sock, SOL_SOCKET, SO_SNDBUF, &optval, &optlen);
Trying to send a bigger message (on Leopard 9216 octets on UDP sent via the local loopback) will result in "Message too long / EMSGSIZE".
As UDP is not connection oriented there's no way to indicate that two packets belong together. As a result you're limited by the maximum size of a single IP packet (65535). The data you can send is somewhat less than that, because the IP packet size also includes the IP header (usually 20 bytes) and the UDP header (8 bytes).
Note that this IP packet can be fragmented to fit in smaller packets (eg. ~1500 bytes for ethernet).
I'm not aware of any OS restricting this further.
Bonus
SO_MAX_MSG_SIZE of UDP packet
IPv4: 65,507 bytes
IPv6: 65,527 bytes
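As an added example (not from any of the answers above), the following derives the two figures in the answer from the header sizes and then probes what the local stack actually accepts on a `sendto()`, which is how you would confirm the EMSGSIZE behaviour described for Mac OS X. The probe assumes a working loopback interface and binds its own receiver so that no ICMP errors are involved; on Linux it returns 65507, on a Mac with the default send buffer it stops at the much smaller SO_SNDBUF limit.

```python
import errno
import socket

IPV4_MAX_PACKET = 65535    # 16-bit "total length" field covers header and data
IPV4_HEADER = 20           # without options
IPV6_MAX_PAYLOAD = 65535   # 16-bit "payload length" field; the 40-byte IPv6 header is not counted
UDP_HEADER = 8


def max_udp_payload(family: str) -> int:
    """Largest UDP payload that fits in one IP datagram ('inet' or 'inet6')."""
    if family == "inet":
        return IPV4_MAX_PACKET - IPV4_HEADER - UDP_HEADER   # 65507
    if family == "inet6":
        return IPV6_MAX_PAYLOAD - UDP_HEADER                # 65527
    raise ValueError(f"unsupported family {family!r}")


def probe_udp_limit(host: str = "127.0.0.1"):
    """Binary-search the largest payload the local stack lets through sendto() on loopback.
    Returns that size, or None if loopback sockets are unavailable here.
    Anything above the returned size fails with EMSGSIZE ("Message too long")."""
    try:
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.bind((host, 0))            # receiver so the datagrams have somewhere to land
        rx.setblocking(False)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    dest = rx.getsockname()

    def fits(size: int) -> bool:
        try:
            tx.sendto(b"\x00" * size, dest)
        except OSError as e:
            if e.errno == errno.EMSGSIZE:
                return False
            raise
        # Drain whatever arrived so the receive buffer does not fill up during the search.
        while True:
            try:
                rx.recv(65535)
            except BlockingIOError:
                break
        return True

    try:
        if not fits(1):
            return None
        lo, hi = 1, 65536   # fits(lo) is known True; 65536 can never fit a 16-bit length field
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if fits(mid):
                lo = mid
            else:
                hi = mid
        return lo
    except OSError:
        return None
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    print("IPv4 max UDP payload:", max_udp_payload("inet"))
    print("IPv6 max UDP payload:", max_udp_payload("inet6"))
    print("largest payload accepted on loopback here:", probe_udp_limit())
```

The probe measures the sending side only: a value of 65507 means the kernel built a single 65535-byte IP datagram for loopback; on a 1500-byte Ethernet path the same payload still leaves the host, but as IP fragments, and any fragment lost on the way costs the whole datagram.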