tcpdump mailing list archives

RE: libpcap and ip_len


From: "Allison, Jason (JALLISON)" <JALLISON () arinc com>
Date: Thu, 22 May 2003 09:37:43 -0400

heh

Thanks for the reply that sent me back looking at my filter.  You can guess
the mistake.

Thanks again,

Jason Allison

-----Original Message-----
From: Andrew Brown [mailto:atatat () atatdot net]
Sent: Wednesday, May 21, 2003 11:50 PM
To: Allison, Jason (JALLISON)
Cc: tcpdump-workers () tcpdump org
Subject: Re: [tcpdump-workers] libpcap and ip_len


Sorry for the simple question.

I am having some trouble (I think) accessing the ip_len value in the ip
header.

I am monitoring ftp transfers on 10 Ethernet and these are my results (x86
RH8):

printf("%d %d\n", iphdr->ip_len, (int)ntohs(iphdr->ip_len));

Output:
10240 40

Is fragmentation skewing the length in bytes?  I know the max size of an IP
datagram is 65535, but Ethernet is 1500.  Is it that the packet is already
pieced back together by the time my app gets to it?  Or are each of these
ftp packets 40 bytes?

When I tally the transfer 10240 is the only 'possibility' but my numbers
don't correspond to the values shown from the FTP output.

40 bytes is a perfectly good ip_len for a pure ack, with no tcp
options.  what does the payload in the ip packet look like?

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
werdna () squooshy com       * "information is power -- share the wealth."
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
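
Added example, not part of the original thread: the frame below is constructed to match the numbers in the question. Its ip_len field holds the bytes 0x00 0x28, which a little-endian host reads as 10240 without ntohs() and as 40 with it. The names `sample_ack` and `tcp_payload_len` are hypothetical, and the helper subtracts both header lengths after checking them against the captured length.

```c
#include <arpa/inet.h>   /* ntohs */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14

/* Constructed frame: Ethernet + IPv4 + TCP pure ACK, no options; checksums left 0. */
static const uint8_t sample_ack[54] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,       /* dst, src, type IPv4 */
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00,               /* v4/ihl 5, ip_len 0x0028 */
    0x40,0x06,0x00,0x00, 192,0,2,1, 192,0,2,2,              /* ttl, proto TCP, addrs */
    0x04,0x01,0x00,0x15, 0,0,0,1, 0,0,0,1,                  /* ports 1025->21, seq, ack */
    0x50,0x10,0xff,0xff, 0,0,0,0,                           /* doff 5, ACK, window */
};

/* Hypothetical helper: TCP payload bytes in one captured frame, or -1 if the
 * frame is not well-formed IPv4/TCP. *ip_total gets ip_len in host byte order. */
static int tcp_payload_len(const uint8_t *pkt, size_t caplen, uint16_t *ip_total)
{
    if (caplen < (size_t)ETH_HLEN + 20) return -1;
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4 || ip[9] != 6) return -1;      /* IPv4 carrying TCP only */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t raw;
    memcpy(&raw, ip + 2, sizeof raw);                    /* field as stored on the wire */
    *ip_total = ntohs(raw);
    /* Header lengths come from the network: check them against what was captured. */
    if (ihl < 20 || *ip_total < ihl + 20) return -1;
    if ((size_t)ETH_HLEN + *ip_total > caplen) return -1;
    size_t thl = (size_t)(ip[ihl + 12] >> 4) * 4;
    if (thl < 20 || ihl + thl > *ip_total) return -1;
    return (int)(*ip_total - ihl - thl);
}

int main(void)
{
    uint16_t raw, total;
    memcpy(&raw, sample_ack + ETH_HLEN + 2, sizeof raw);
    int payload = tcp_payload_len(sample_ack, sizeof sample_ack, &total);
    /* Columns: ip_len read without ntohs, ip_len in host order, TCP payload bytes. */
    printf("%u %u %d\n", (unsigned)raw, (unsigned)total, payload);
    return 0;
}
```

Because ip_len counts the IP and TCP headers as well as the data, a pure ACK like this one contributes 0 payload bytes to a transfer tally.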

