Ask Your Question
0

Understanding packet length

asked 2020-02-13 23:08:45 +0000

llamafilm gravatar image

updated 2020-02-13 23:54:10 +0000

I'm using Wireshark to learn about my network and better understand MTU and packet sizes, and I'm looking for some clarity on this example. Here I ran ping 192.168.10.53 -s 9000 -M do from a CentOS machine and I am capturing on the receiving machine which is Windows. So I expect the ICMP packet should contain 9000 bytes of data plus 8 byte header.

Wireshark shows the frame is 9042 bytes on wire (14 Ethernet header + 20 IPv4 header + 9008 ICMP)
The ICMP packet shows 8992 bytes of data plus 8 byte header.
What happened to the extra 8 bytes of data?

Here's the pcap: https://mega.nz/#!w0ohBYbA!lXEHtnrGqf...

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-02-14 04:44:05 +0000

bubbasnmp gravatar image

The bellhop took them? (https://en.wikipedia.org/wiki/Missing...)

https://tools.ietf.org/html/rfc792

Echo or Echo Reply Message

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |        Sequence Number        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Data ...
   +-+-+-+-+-

The ICMP part of the packet is 8 bytes of header plus 9000 bytes of data = 9008 bytes ICMP.
Those 9000 bytes of data are an 8 bytes timestamp plus 8992 bytes of padding.
https://linux.die.net/man/8/ping

ECHO_REQUEST datagrams (''pings'') have an IP and ICMP header, followed by a struct timeval and then an arbitrary number of ''pad'' bytes used to fill out the packet.
edit flag offensive delete link more

Comments

Detailed info of how Wireshark determines if first 8 bytes of data are a timestamp:
https://bugs.wireshark.org/bugzilla/s...

bubbasnmp gravatar imagebubbasnmp ( 2020-02-14 04:53:34 +0000 )edit

You should see an icmp.data_time field of 8 bytes prior to the data of 8992 bytes. That is the extra 8 bytes of data you were looking for.

The typical *nix ping utility will use the first 8 bytes of the ICMP payload to carry a timestamp field that is used by the ping utility for calculating metrics typically seen in the ping summary report as "round-trip min/avg/max/stddev = 2.442/40.075/366.079/108.680 ms". This specific behavior for ICMP echo request/reply is not specified in RFC 792.

If you were to ping with a packetize of less than 16 (e.g. -s 15) you will not see the icmp.data_time field, instead the data field length will be the requested packetsize length. FWIW: The ping utility supplied with Windows does not put a timestamp in the ping requests it generates regardless of ...(more)

Jim Young gravatar imageJim Young ( 2020-02-14 05:52:29 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-13 23:08:45 +0000

Seen: 57 times

Last updated: Feb 14