tcpdump mailing list archives
Re: tcpdump ack why become more 6 bytes
From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 14 Sep 2020 20:48:25 -0700
--- Begin Message --- From: Guy Harris <gharris () sonic net>
Date: Mon, 14 Sep 2020 20:48:25 -0700
This is not a security issue; questions about tcpdump should be sent to tcpdump-workers () lists tcpdump org, which is where I'm sending this question. On Sep 14, 2020, at 8:22 PM, Accepted <532876692 () qq com> wrote:hi, in this picture, I try to use tcpdump to get package when a new connection become. but in three handshakes,the last ack why added more 6 bytes?If that's Ethernet traffic, it's Ethernet padding. An ACK-only TCP-over-IPv4 packet with no IP or TCP options has 20 bytes of IP header (the "45" at the beginning of the IP header says "IPv4, with a 20-byte header), 20 bytes of TCP header, and no TCP payload, for a total of 40 bytes. The Ethernet header is an additional 14 bytes, for a total of 54 bytes. An Ethernet packet has a minimum size of 64 bytes, including the 4-byte CRC at the end of the packet; the CRC is normally not captured, so it doesn't show up in tcpdump. The ACK-only packet must therefore have 6 bytes of padding before the 4-byte CRC, to be 64 bytes long.
--- End Message ---
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- Re: tcpdump ack why become more 6 bytes Guy Harris via tcpdump-workers (Sep 14)