tcpdump mailing list archives
Re: libpcap and ip_len
From: Andrew Brown <atatat () atatdot net>
Date: Wed, 21 May 2003 23:49:55 -0400
Sorry for the simple question. I am having some trouble (I think) accessing the ip_len value in the ip header. I am monitoring ftp transfers on 10 Ethernet and these are my results (x86 RH8): printf("%d %d\n", iphdr->ip_len, (int)ntohs(iphdr->ip_len)); Output: 10240 40 Is fragmentation skewing the length in bytes? I know the max size of an IP datagram is 65535, but Ethernet is 1500. Is it that the packet is already pieced back together by the time my app gets to it? Or are each of these ftp packets 40 bytes? When I tally the transfer 10240 is the only 'possibility' but my numbers dont correspond to the values shown from the FTP output.
40 bytes is a perfectly good ip_len for a pure ack, with no tcp options. what does the payload in the ip packet look like? -- |-----< "CODE WARRIOR" >-----| codewarrior () daemon org * "ah! i see you have the internet twofsonet () graffiti com (Andrew Brown) that goes *ping*!" werdna () squooshy com * "information is power -- share the wealth." - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- libpcap and ip_len Allison, Jason (JALLISON) (May 22)
- Re: libpcap and ip_len Andrew Brown (May 22)
- <Possible follow-ups>
- RE: libpcap and ip_len Allison, Jason (JALLISON) (May 22)