tcpdump mailing list archives

Re: again: real packet size


From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 30 Jul 2003 00:06:32 -0400

Nope. Not the right list. This is for technical discussions of tcpdump and
libpcap code. You probably would have gotten quicker results by googling
for tcp/ip mailing lists.

On 29 Jul 2003 17:05:22 -0700
Justin Hopper <gus () gusalmighty com> wrote:

> If a packet is fragmented, will the ip_len variable in the IP header
> struct still be accurate?  Will ip_len hold the total size of the
> unfragmented packet, or the size of just the packet fragment that came
> in?

The length of the fragment.

From rfc791:
    To fragment a long internet datagram, an internet protocol module
    (for example, in a gateway), creates two new internet datagrams and
    copies the contents of the internet header fields from the long
    datagram into both new internet headers.  The data of the long
    datagram is divided into two portions on a 8 octet (64 bit) boundary
    (the second portion might not be an integral multiple of 8 octets,
    but the first must be).  Call the number of 8 octet blocks in the
    first portion NFB (for Number of Fragment Blocks).  The first
    portion of the data is placed in the first new internet datagram,
    and the total length field is set to the length of the first
    datagram.  The more-fragments flag is set to one.  The second
    portion of the data is placed in the second new internet datagram,
    and the total length field is set to the length of the second
    datagram.  The more-fragments flag carries the same value as the
    long datagram.  The fragment offset field of the second new internet
    datagram is set to the value of that field in the long datagram plus
    NFB.


> If it holds the total size of the packet, how can one track which
> packet fragments belong to a particular packet?

From the previous paragraph in the same rfc:

    The identification field is used to distinguish the fragments of one
    datagram from those of another.  The originating protocol module of
    an internet datagram sets the identification field to a value that
    must be unique for that source-destination pair and protocol for the
    time the datagram will be active in the internet system.

Keep a complete set of RFCs on hand. If you're ever stuck for what to put
in a Valentine's card, pick one. She'll always remember you for it.
http://www.rfc-editor.org

--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
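
The two RFC 791 passages quoted in the reply, as an added C example that is not part of the original message or of the tcpdump/libpcap code: each fragment's ip_len covers only that fragment, fragments are matched on source, destination, protocol and identification, and the original data length only becomes known from the fragment with MF=0. The names `struct frag`, `frag_parse` and `frag_total` are hypothetical, and the two sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names. Fields tying a fragment to its datagram (RFC 791). */
struct frag {
    uint8_t  addrs[8];  /* source + destination address */
    uint8_t  proto;
    uint16_t id;        /* identification field */
    uint32_t off, len;  /* data offset in bytes; data bytes in THIS fragment */
    int      mf;        /* more-fragments flag */
};

/* Constructed sample headers (checksum left 0): one datagram, id 0x1c46. */
static const uint8_t FRAG1[20] = {0x45,0,0x05,0xdc, 0x1c,0x46,0x20,0x00,
                                  64,17,0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t FRAG2[20] = {0x45,0,0x02,0x1c, 0x1c,0x46,0x00,0xb9,
                                  64,17,0,0, 10,0,0,1, 10,0,0,2};

/* Parse a raw IPv4 header. Returns 0, or -1 if truncated or malformed. */
int frag_parse(const uint8_t *p, size_t caplen, struct frag *f)
{
    if (caplen < 20 || (p[0] >> 4) != 4) return -1;
    uint32_t hl = (uint32_t)(p[0] & 0x0f) * 4;
    uint32_t ip_len = (uint32_t)p[2] << 8 | p[3];
    uint32_t fo = (uint32_t)p[6] << 8 | p[7];
    if (hl < 20 || hl > caplen || ip_len < hl) return -1;
    memcpy(f->addrs, p + 12, 8);
    f->proto = p[9];
    f->id  = (uint16_t)(p[4] << 8 | p[5]);
    f->mf  = (fo & 0x2000) != 0;
    f->off = (fo & 0x1fff) * 8;   /* field counts 8-octet blocks */
    f->len = ip_len - hl;         /* ip_len covers this fragment only */
    return 0;
}

/* Data length of the original datagram `key` belongs to. Fragments match on
 * source, destination, protocol and identification; the total is known only
 * from the fragment with MF=0. Returns -1 if unseen or over 65535 octets. */
long frag_total(const struct frag *v, size_t n, const struct frag *key)
{
    for (size_t i = 0; i < n; i++) {
        if (v[i].id != key->id || v[i].proto != key->proto || v[i].mf ||
            memcmp(v[i].addrs, key->addrs, 8) != 0) continue;
        uint32_t end = v[i].off + v[i].len;
        return end + 20 > 65535 ? -1 : (long)end;
    }
    return -1;
}
```

With the sample headers, the first fragment reports 1480 data bytes and the second 520 at offset 1480, so the original datagram carried 2000 bytes of data; neither ip_len value says that on its own.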
