What is Wireshark showing me with a TCP/IP block

Below is a data packet and the details from it. This output was generated by Wireshark. I would expect to see the IP header first, followed by the TCP header. However, I am thinking Wireshark is showing me four bytes before the IP header. The reason I say this is, in part, the first field of the IP header is the version. This field is 4 bits long. The first byte is 0x02. This would imply that I am using version 2 of IP. I do not think that is right. What do the first four bytes in Wireshark's dump represent?

Note: This packet was generated by two programs running on the same machine using TCP/IP to communicate.

Frame 75: 44 bytes on wire (352 bits), 44 bytes captured (352 bits) on interface \Device\NPF_Loopback, id 0
Null/Loopback
Family: IP (2)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 8080, Dst Port: 56803, Seq: 19, Ack: 19, Len: 0
Source Port: 8080
Destination Port: 56803
[Stream index: 0]
[TCP Segment Len: 0]
Sequence Number: 19 (relative sequence number)
Sequence Number (raw): 3112201488
[Next Sequence Number: 19 (relative sequence number)]
Acknowledgment Number: 19 (relative ack number)
Acknowledgment number (raw): 2603748537
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
Window: 10233
[Calculated window size: 2619648]
[Window size scaling factor: 256]
Checksum: 0xbde8 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[SEQ/ACK analysis]
[Timestamps]
[Time since first frame in this TCP stream: 0.000581000 seconds]
[Time since previous frame in this TCP stream: 0.000009000 seconds]

0000 02 00 00 00 45 00 00 28 9f 4c 40 00 80 06 00 00 ....E..(.L@.....
0010 7f 00 00 01 7f 00 00 01 1f 90 dd e3 b9 80 6d 10 ..............m.
0020 9b 32 0c b9 50 10 27 f9 bd e8 00 00 .2..P.'.....
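
The following is an added example, not part of the original question and not Wireshark's own code. It parses the 44 bytes from the hex dump above, treating the first four bytes as the Null/Loopback link-layer header that the dissection labels "Family: IP (2)", followed by the IPv4 and TCP headers. The function name `parse_loopback_frame` and the byte-order heuristic are assumptions of this example.

```python
import socket
import struct

# The 44 bytes of frame 75, copied from the hex dump in the question.
FRAME = bytes.fromhex(
    "02000000" "45000028" "9f4c4000" "80060000"
    "7f000001" "7f000001" "1f90dde3" "b9806d10"
    "9b320cb9" "501027f9" "bde80000"
)
NULL_HDR_LEN = 4  # Null/Loopback link-layer header precedes the IP header
FAMILY_IP = 2     # "Family: IP (2)" in the dissection


def parse_loopback_frame(frame: bytes) -> dict:
    """Hypothetical helper: split a Null/Loopback frame into its layers."""
    if len(frame) < NULL_HDR_LEN + 20:
        raise ValueError("too short for loopback header + IPv4 header")
    # The family is stored in the capturing host's byte order. Assumed
    # heuristic: families are small, so a value with high bits set was
    # written big-endian and is re-read that way.
    (family,) = struct.unpack_from("<I", frame, 0)
    if family > 0xFFFF:
        (family,) = struct.unpack_from(">I", frame, 0)
    if family != FAMILY_IP:
        raise ValueError(f"family {family} is not IPv4")
    ip = frame[NULL_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 20:
        raise ValueError("malformed IPv4 header or truncated TCP header")
    (total_len,) = struct.unpack_from("!H", ip, 2)
    sport, dport, seq, ack, off_flags, window, checksum, urgent = (
        struct.unpack_from("!HHIIHHHH", ip, ihl))
    return {
        "family": family, "ip_version": version, "ip_header_len": ihl,
        "ip_total_len": total_len, "protocol": ip[9],
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq_raw": seq, "ack_raw": ack,
        "tcp_header_len": (off_flags >> 12) * 4, "flags": off_flags & 0x0FFF,
        "window": window, "checksum": checksum, "urgent": urgent,
    }


if __name__ == "__main__":
    for name, value in parse_loopback_frame(FRAME).items():
        print(f"{name:15} {value}")
```

The IPv4 version nibble is read from byte offset 4 (0x45), not offset 0, and the 4-byte link-layer header plus the 40-byte IP total length accounts for the 44 bytes Wireshark reports on the wire.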
