Re: Something about how to determine what is real data?(with padding "00")

[Joerg Mayer <jmayer () loplof de>]

On Fri, Aug 09, 2013 at 05:53:08PM +0800, 蔡光宗 wrote:
>        I am study how to get the data via TCP, but I met some problems.
> When I use Wireshark to do some test, I find the reason and I don’t know
> how you solved it ?
>
>        When the packet’s length is bigger than 64Bytes, it has no problem.
> Ican use the formula() to calculate the length of the real data.
>
> But when the length is smaller than 64Bytes, the router will pad some “00”
> to the end of the packet and than send them out.Just like this:
>
> But why the padding data is belongs to the Ethernet II Layer ?(It is placed
> at the end of the packet.)
>
> Can you give me some suggestions or tips about this situation ?(Explain why
> the padding data are placed at the end of the packet but belongs to the
> EthernetII, and how to determine what is real data?)

In case the length of the Ethernet frame is 64 (60 in case the frame has been
captured without FCS), the way to determine where tcp data ends and Ethernet
padding begins is to look at the IP header that is located between Ethernet
and TCP header. The IP header has a field called total length, which in the
case of TCP is the sum of IP-header, TCP-header, TCP-data.

 Ciao
      Jörg
-- 
Joerg Mayer                                           <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe