tcpdump mailing list archives

Re: Data in SYN and SYN acknowledgement packets


From: Justin Robinson <csmjmr () bath ac uk>
Date: Wed, 6 Aug 2003 02:10:02 +0100

Jefferson, Guy, Aaron

That's all the info I need.
Thanks for the help!

Justin

On Wednesday 06 Aug 2003 00:03, Jefferson Ogata wrote:
Justin Robinson wrote:
Hi,

I'm writing a piece of code with the libpcap() library that works out the
next sequence number expected from the payload length. I'm concerned only
with the tcp/ip protocol. I expected that during the three-way handshake
of tcp, that the first two packets from the initiating TCP entity will
NOT have any data in them. The first two packets are the SYN and the ACK
to the other TCP entity's SYN.

However, my code suggests that on some http connections, these packets
hold data, which breaks my code.

I calculate the payload length using

pkt_header->caplen - tcp_len - ip_len - linklayer_len

where tcp_len and ip_len are taken from the appropriate fields in their
respective headers, and linklayer_len is always 14 because it is an
ethernet header.

Can someone please confirm that these packets are not supposed to have a
payload?

Thanks in advance, Justin

You shouldn't pay attention to caplen in any of your IP computations. Just
because the system captured N octets doesn't mean all of them belong to the
IP packet. The IP payload length is ip_total_length (ip[2:2]) -
ip_header_length ((ip[0:1] & 0xf) << 2) - tcp_header_length ((tcp[12:1] &
0xf0) >> 2).

It is not normal for SYN and SYN/ACK packets to contain a payload. The SYN
and FIN flags, however, both consume one unit of sequence space, so the
sequence offset in SYN and FIN packets does not match the payload length.

There is also TTCP, which, if I recall correctly, combines payload with SYN
flags, but this is not used in HTTP transactions, and you could probably go
through the rest of your life without needing to know any more about it.

I suggest you spend a little time poking around in packet headers with
ethereal.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
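Added example, not code from the thread or from libpcap: it applies the header-driven calculation Jefferson describes (ip[2:2] minus the IP header length minus the TCP data offset) and adds one sequence unit per SYN or FIN flag, and puts it next to the caplen-based formula from the question. The two constructed frames (zero checksums, made up addresses) are 58 and 57 octets of real packet, which is shorter than the Ethernet minimum, so a capture shows them padded to 60 octets; the caplen formula counts that padding as payload, the header formula does not. A capture whose snaplen cut the packet short is refused rather than guessed at.

```c
/* Added example (not from the thread): derive TCP payload length and the
 * next expected sequence number from the IP and TCP header fields instead
 * of from caplen.  Frames below are constructed by hand with zero checksums
 * and made up addresses; they are not real captures. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN  14      /* Ethernet II, untagged */
#define TCP_FLAG_FIN 0x01
#define TCP_FLAG_SYN 0x02

struct tcp_info {
    int      ok;           /* 0 if not a complete IPv4/TCP frame */
    size_t   payload_len;  /* TCP data octets, from header lengths only */
    uint32_t seq;          /* sequence number carried in the segment */
    uint32_t next_seq;     /* seq + payload_len + 1 per SYN/FIN flag */
    uint8_t  flags;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Header-driven: ip[2:2] - ((ip[0:1] & 0xf) << 2) - ((tcp[12:1] & 0xf0) >> 2).
 * Octets beyond ip_total_length (e.g. Ethernet padding) are ignored. */
struct tcp_info parse_frame(const uint8_t *frame, size_t caplen)
{
    struct tcp_info r;
    memset(&r, 0, sizeof r);
    if (caplen < ETH_HDR_LEN + 20 || be16(frame + 12) != 0x0800) return r; /* not IPv4 */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_hl    = (size_t)(ip[0] & 0x0f) << 2;   /* IHL in octets   */
    size_t ip_total = be16(ip + 2);                  /* IP total length */
    if (ip_hl < 20 || ip_total < ip_hl || ip[9] != 6) return r;  /* bad IHL or not TCP */
    if (caplen < ETH_HDR_LEN + ip_total) return r;   /* snaplen cut the packet: don't guess */
    if (ip_total - ip_hl < 20) return r;
    const uint8_t *tcp = ip + ip_hl;
    size_t tcp_hl = (size_t)(tcp[12] & 0xf0) >> 2;   /* data offset in octets */
    if (tcp_hl < 20 || ip_total - ip_hl < tcp_hl) return r;
    r.ok          = 1;
    r.payload_len = ip_total - ip_hl - tcp_hl;
    r.seq         = be32(tcp + 4);
    r.flags       = tcp[13];
    r.next_seq    = r.seq + (uint32_t)r.payload_len
                  + ((r.flags & TCP_FLAG_SYN) ? 1u : 0u)
                  + ((r.flags & TCP_FLAG_FIN) ? 1u : 0u);
    return r;
}

/* The formula from the question, for comparison: counts every captured octet. */
size_t naive_payload_len(const uint8_t *frame, size_t caplen)
{
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_hl  = (size_t)(ip[0] & 0x0f) << 2;
    size_t tcp_hl = (size_t)(ip[ip_hl + 12] & 0xf0) >> 2;
    return caplen - tcp_hl - ip_hl - ETH_HDR_LEN;
}

/* Constructed SYN: 14 + 20 + 24 (TCP header with MSS option) = 58 octets of
 * packet, padded to the 60-octet Ethernet minimum as a capture would show it. */
const uint8_t syn_frame[60] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x01,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x00,
    0x60,0x02,0xff,0xff, 0x00,0x00,0x00,0x00, 0x02,0x04,0x05,0xb4,
    0x00,0x00 };                                     /* Ethernet padding */

/* Constructed FIN/ACK carrying 3 data octets: 14 + 20 + 20 + 3 = 57, padded to 60. */
const uint8_t fin_frame[60] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2b, 0x12,0x35,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x01,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x20,0x00, 0x00,0x00,0x00,0x01,
    0x50,0x11,0xff,0xff, 0x00,0x00,0x00,0x00, 'a','b','c',
    0x00,0x00,0x00 };                                /* Ethernet padding */

int main(void)
{
    const uint8_t *frames[2] = { syn_frame, fin_frame };
    for (int i = 0; i < 2; i++) {
        struct tcp_info t = parse_frame(frames[i], 60);
        printf("flags=0x%02x seq=%u payload=%zu next_seq=%u (caplen formula says %zu)\n",
               t.flags, (unsigned)t.seq, t.payload_len, (unsigned)t.next_seq,
               naive_payload_len(frames[i], 60));
    }
    return 0;
}
```

For the SYN the header formula gives 0 payload octets and next_seq = seq + 1; the caplen formula reports 2 phantom octets. For the FIN/ACK the header formula gives 3 payload octets and next_seq = seq + 4, with the caplen formula reporting 6. In a real libpcap callback the same function is called with the packet pointer and pkt_header->caplen; caplen is only used to make sure the headers and the IP total length are actually present in the buffer.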
