tcpdump mailing list archives
Re: again: real packet size
From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 30 Jul 2003 00:06:32 -0400
Nope. Not the right list. This is for techincal discussions of tcpdump and libpcap code. You probably would have gotten quicker results by googleing for tcp/ip mailing lists. On 29 Jul 2003 17:05:22 -0700 Justin Hopper <gus () gusalmighty com> wrote:
If a packet is fragmented, will the ip_len variable in the IP header struct still be accurate? Will ip_len hold the total size of the unfragmented packet, or the size of just the packet fragment that came in?
The length of the fragment.
From rfc791:
To fragment a long internet datagram, an internet protocol module (for example, in a gateway), creates two new internet datagrams and copies the contents of the internet header fields from the long datagram into both new internet headers. The data of the long datagram is divided into two portions on a 8 octet (64 bit) boundary (the second portion might not be an integral multiple of 8 octets, but the first must be). Call the number of 8 octet blocks in the first portion NFB (for Number of Fragment Blocks). The first portion of the data is placed in the first new internet datagram, and the total length field is set to the length of the first datagram. The more-fragments flag is set to one. The second portion of the data is placed in the second new internet datagram, and the total length field is set to the length of the second datagram. The more-fragments flag carries the same value as the long datagram. The fragment offset field of the second new internet datagram is set to the value of that field in the long datagram plus NFB.
If it holds the total size of the packet, how can one track which packets fragments belong to a particular packet?
From the previous paragraph in the same rfc:
The identification field is used to distinguish the fragments of one datagram from those of another. The originating protocol module of an internet datagram sets the identification field to a value that must be unique for that source-destination pair and protocol for the time the datagram will be active in the internet system. Keep a complete set of RFCs on hand. If you're ever stuck for what to put in a Valentine's card, pick one. She'll always remember you for it. http://www.rfc-editor.org -- George Bakos Institute for Security Technology Studies - IRIA Dartmouth College gbakos () ists dartmouth edu 603.646.0665 -voice 603.646.0666 -fax - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- again: real packet size Justin Hopper (Jul 29)
- Re: again: real packet size George Bakos (Jul 29)