Snort mailing list archives

Re: diff between IpLen and DgmLen?


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Aug 2002 12:32:01 -0400


Anyone more code-involved with snort feel free to correct me, but I'm interpreting all these lengths as the ones right out of the packet headers, which appears to be correct.

dgmlen should be the TOTAL length, inclusive of all IP headers and all higher-layer protocol headers (ie: tcp). tcplen is the length of the TCP header.

so in summary:

dgmlen - total packet length as seen by the IP layer, inclusive of IP header, any higher layer headers, and the payload.
iplen - the IP header length.
tcplen - the TCP header length (only applies to TCP/IP traffic, not UDP or ICMP, obviously)


also note that "payload" is really relative to what layer you are talking about. For example at the ethernet layer, IP headers are part of the payload.

Assuming you're talking "application layer payload available to read from a socket after a TCP/IP stack processes it" payload len should be as follows:

for IP packets carrying tcp segments:
        payload = dgmlen - iplen - tcplen

for IP packets carrying udp packets
        payload = dgmlen - iplen - 8 (udp header is always 8 bytes).

and as a more complicated example.. ICMP echos (reply or request):
        payload = dgmlen - iplen - 4 (ICMP header) - 8 bytes (echo request)

At 03:09 PM 8/13/2002 +0800, you wrote:
is dgmlen the payload length?
Thanks
Sam
----- Original Message -----
From: "Matt Kettler" <mkettler () evi-inc com>
To: "SW" <s.wun () thales-is com hk>; <snort-users () lists sourceforge net>
Sent: Tuesday, August 13, 2002 12:22 PM
Subject: Re: [Snort-users] diff between IpLen and DgmLen?


> IpLen (20 in most cases where no IP options are specified) is the IP header
> length. IP header options are rarely used, unlike TCP options which are
> quite common. Very few routers will honor IP header options like
> source-route nowadays.
>
> dgmlen is the total datagram (packet) length.
>
> Both values are contained in the IP header of all packets. the IPLen is a
> 4-bit value and is in increments of 4 bytes (ie, max header length = 15*4 =
> 60), the dgmlen is a 16bit field in bytes.
>
> At 11:41 AM 8/13/2002 +0800, SW wrote:
> >Hi,
> >
> >I found there are two different lengths in each msg in the alert file.
> >What is the difference between IpLen and DgmLen?
> >
> >Thanks
> >SW
>
>
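As an added example (not from this thread and not Snort's own code), here is a small Python parser that reads IpLen, DgmLen and TcpLen directly out of the IP and TCP headers, as the message above describes, and derives the application payload length for TCP, UDP and ICMP echo packets. It treats the ICMP echo header as 8 bytes in total (type, code, checksum, identifier and sequence number, per RFC 792). The packet builders, addresses, ports and payloads are constructed sample data. It also performs the consistency checks a detection engineer wants before trusting header-derived lengths: an IHL below 20, a DgmLen smaller than IpLen, a TCP data offset that runs past the datagram, or a DgmLen larger than the bytes actually captured (snaplen truncation or a crafted header) raises instead of yielding a negative or misleading payload length.

```python
import struct

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
IP_HDR = "!BBHHHBBH4s4s"   # IPv4 fixed header: 20 bytes
TCP_HDR = "!HHIIBBHHH"     # TCP fixed header: 20 bytes


def header_lengths(packet: bytes) -> dict:
    """Read IpLen/DgmLen (and TcpLen) straight out of the headers of one IPv4
    packet whose link-layer header has already been stripped, and derive the
    application payload length. Raises ValueError when the lengths the packet
    claims are inconsistent with each other or with the bytes captured."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    vihl, _tos, dgmlen, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(IP_HDR, packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    iplen = (vihl & 0x0F) * 4            # IHL is in 32-bit words: 20..60 bytes
    if iplen < 20 or dgmlen < iplen:
        raise ValueError("inconsistent IP header lengths")
    if dgmlen > len(packet):
        raise ValueError("DgmLen exceeds captured bytes (truncated capture or crafted header)")
    transport = packet[iplen:dgmlen]     # bytes past dgmlen (e.g. Ethernet padding) are ignored
    tcplen = None
    if proto == IP_PROTO_TCP:
        if len(transport) < 20:
            raise ValueError("truncated TCP header")
        tcplen = (transport[12] >> 4) * 4  # data offset, also in 32-bit words
        if tcplen < 20 or tcplen > len(transport):
            raise ValueError("inconsistent TCP data offset")
        transport_hdr = tcplen
    elif proto == IP_PROTO_UDP:
        if len(transport) < 8:
            raise ValueError("truncated UDP header")
        udp_len = struct.unpack("!H", transport[4:6])[0]
        if udp_len != len(transport):    # UDP carries its own length; cross-check it
            raise ValueError("UDP length disagrees with DgmLen - IpLen")
        transport_hdr = 8                # UDP header is always 8 bytes
    elif proto == IP_PROTO_ICMP:
        if len(transport) < 8:
            raise ValueError("truncated ICMP echo header")
        transport_hdr = 8                # echo: type, code, checksum, identifier, sequence
    else:
        raise ValueError(f"unsupported protocol {proto}")
    return {"dgmlen": dgmlen, "iplen": iplen, "tcplen": tcplen,
            "payload": dgmlen - iplen - transport_hdr}


def build_ipv4(proto: int, transport: bytes, options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum left zero) carrying `transport`."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(transport)
    hdr = struct.pack(IP_HDR, 0x40 | ihl, 0, total, 0x1234, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + transport


def build_tcp(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment; the data offset reflects any options appended."""
    assert len(options) % 4 == 0
    data_offset = 5 + len(options) // 4
    hdr = struct.pack(TCP_HDR, 40000, 80, 1, 1, data_offset << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


def build_udp(payload: bytes) -> bytes:
    """Constructed UDP datagram with a correct length field."""
    return struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload


def build_icmp_echo(payload: bytes) -> bytes:
    """Constructed ICMP echo request (type 8) with id 1, seq 1."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


def is_consistent(packet: bytes) -> bool:
    """True when the packet's own length fields agree with the captured bytes."""
    try:
        header_lengths(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = {
        "tcp with MSS option": build_ipv4(IP_PROTO_TCP, build_tcp(b"GET / HTTP/1.0\r\n\r\n", b"\x02\x04\x05\xb4")),
        "udp": build_ipv4(IP_PROTO_UDP, build_udp(b"x" * 12)),
        "icmp echo (56-byte ping)": build_ipv4(IP_PROTO_ICMP, build_icmp_echo(b"\x00" * 56)),
        "tcp with 4 NOP IP options": build_ipv4(IP_PROTO_TCP, build_tcp(b"hello"), b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(name, header_lengths(pkt))
    truncated = samples["udp"][:-5]  # snaplen cut the tail off: DgmLen now exceeds captured bytes
    print("truncated udp consistent?", is_consistent(truncated))
```

Trailing bytes beyond DgmLen are deliberately ignored rather than flagged: short Ethernet frames are padded to the 60-byte minimum, so a captured frame longer than the datagram is normal for small packets. The opposite case, DgmLen larger than what was captured, is the one worth surfacing, since it is either a snaplen artefact that will make header-derived payload lengths wrong or a header that does not describe the packet it sits in.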


