tcpdump mailing list archives

Re: IP length vs IP6 length inconsistency


From: Pekka Savola <pekkas () netcore fi>
Date: Wed, 29 Aug 2007 13:57:28 +0300 (EEST)

There was no follow-up to this.  Was there a conclusion (yet) ?

---------- Forwarded message ----------
Date: Wed, 8 Aug 2007 07:04:59 +0300 (EEST)
From: Pekka Savola <pekkas () netcore fi>
Reply-To: tcpdump-workers () lists tcpdump org
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] IP length vs IP6 length inconsistency (fwd)

On Tue, 7 Aug 2007, Hannes Gredler wrote:
> > Is the length intended to print out the whole IP packet length (which in
> > the case of v6 would probably require chasing down the extension header
> > chain) or whatever IP header's "next header length" reports?
>
> it works the other way around ... you get passed in the L2 length and
> deduct the IP{4,6} header size and print that

I'm not 100% sure I understand that but the code below certainly doesn't do that.

In the first case, "length 60" is printed, and the IP packet is 60 bytes long. In this case, this certainly isn't L2 length minus the IP header size.

In the second case, "length 40" is printed, but the IP6 packet is 80 bytes long.

> > I believe users are looking for the whole IP packet length.
>
> can you clarify what your understanding of "whole" is ?
> if you want to see the L2 length then turn on the -e flag.

What I'd at least be interested in seeing is the length of the IP packet. If I use -e, I get the length of L2 packet, where I must know how many bytes to deduct to get IP length. I'd also be OK if tcpdump only printed the length of payload (not including the IP header) if it did that consistently -- I know how many bytes IP{,6} header takes so I can add that if necessary..


> > 15:48:59.011531 IP (tos 0x10, ttl 64, id 2928, offset 0, flags [DF], proto
> > TCP (6), length 60) 193.166.2.166.48849 > 193.94.160.1.26: S, cksum 0xa1ba
> > (correct), 3306383735:3306383735(0) win 5840 <mss 1460,sackOK,timestamp
> > 441344519 0,nop,wscale 4>
> >          0x0000:  4510 003c 0b70 4000 4006 0990 c1a6 02a6
> >          0x0010:  c15e a001 bed1 001a c513 6977 0000 0000
> >          0x0020:  a002 16d0 a1ba 0000 0204 05b4 0402 080a
> >          0x0030:  1a4e 6207 0000 0000 0103 0304
> >
> > 15:49:06.442127 IP6 (hlim 64, next-header: TCP (6), length: 40)
> > 2001:708:10:10:209:6bff:fea0:47de.38549 > 2001:708::1.26: S, cksum 0xf9d5
> > (correct), 2146010385:2146010385(0) win 5760 <mss 1440,sackOK,timestamp
> > 441351950 0,nop,wscale 4>
> >          0x0000:  6000 0000 0028 0640 2001 0708 0010 0010
> >          0x0010:  0209 6bff fea0 47de 2001 0708 0000 0000
> >          0x0020:  0000 0000 0000 0001 9695 001a 7fe9 8511
> >          0x0030:  0000 0000 a002 1680 f9d5 0000 0204 05a0
> >          0x0040:  0402 080a 1a4e 7f0e 0000 0000 0103 0304
>
 -
 This is the tcpdump-workers list.
 Visit https://cod.sandelman.ca/ to unsubscribe.


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
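
The two lengths discussed in this message can be read straight from the quoted hex dumps. The following is an added example, not part of the original message and not tcpdump's code: it decodes the IPv4 Total Length field (header plus payload) and the IPv6 Payload Length field (everything after the 40-byte fixed header). The function name `ip_lengths` and the returned dictionary keys are hypothetical.

```python
import struct

# Packet bytes copied from the two hex dumps quoted in the message above.
IPV4_HEX = """4510 003c 0b70 4000 4006 0990 c1a6 02a6
c15e a001 bed1 001a c513 6977 0000 0000
a002 16d0 a1ba 0000 0204 05b4 0402 080a
1a4e 6207 0000 0000 0103 0304"""
IPV6_HEX = """6000 0000 0028 0640 2001 0708 0010 0010
0209 6bff fea0 47de 2001 0708 0000 0000
0000 0000 0000 0001 9695 001a 7fe9 8511
0000 0000 a002 1680 f9d5 0000 0204 05a0
0402 080a 1a4e 7f0e 0000 0000 0103 0304"""

IPV6_FIXED_HEADER = 40  # the IPv6 fixed header is always 40 bytes


def ip_lengths(hex_dump):
    """Decode the length fields of one IPv4 or IPv6 packet given as hex text.

    Returns header, payload and total sizes as the header fields state them,
    plus the number of bytes actually present in the dump.
    """
    pkt = bytes.fromhex("".join(hex_dump.split()))
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("truncated IPv4 header")
        header = (pkt[0] & 0x0F) * 4                  # IHL, in 32-bit words
        total = struct.unpack_from("!H", pkt, 2)[0]   # Total Length: header + payload
        if header < 20 or total < header:
            raise ValueError("inconsistent IPv4 length fields")
        payload = total - header
    elif version == 6:
        if len(pkt) < IPV6_FIXED_HEADER:
            raise ValueError("truncated IPv6 header")
        header = IPV6_FIXED_HEADER
        # Payload Length: everything after the fixed header, extension headers included
        payload = struct.unpack_from("!H", pkt, 4)[0]
        total = header + payload
    else:
        raise ValueError(f"not an IP packet (version {version})")
    return {"version": version, "header": header, "payload": payload,
            "total": total, "captured": len(pkt)}


if __name__ == "__main__":
    for name, dump in (("IPv4", IPV4_HEX), ("IPv6", IPV6_HEX)):
        print(name, ip_lengths(dump))
```

Both packets carry the same 40 bytes of TCP; the printed "length 60" matches the IPv4 total, while "length: 40" matches only the IPv6 payload of an 80-byte packet.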