Ask Your Question
0

What does exactly mean 'Length' in AH Header (wireshark)?

asked 2021-08-12 10:37:29 +0000

denebe gravatar image

Hello,

in the header AH in wireshark, I see this fields:

Next Header

Length <- what does the field 'Length' mean exactly ? (what ? in words ? in bytes ? in bits ? )

AH SPI

AH Sequence

AH ICV

Thank you.

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2021-08-12 10:58:42 +0000

grahamb gravatar image

It's the value read from the AH, so the length in 4 octet units.

edit flag offensive delete link more

Comments

No, sorry, I don't think so.

I think this is the length of the Header in bytes.

Here is an example to see: https://networklessons.com/cisco/ccie...

The AH Headere: https://datatracker.ietf.org/doc/html...

In my example, we can see: Next header + Payload length (24) + reserved -> 32 bits SPI -> 32 bits Sequence -> 32 bits ICV (aa 9c af e5 ed 06 d6 c7 4c b3 c6 71) -> 12*8=96 bits

Then 24*8** = 32+32+32+96 =192.

I think then that this field in wireshark is the length of the AH header in byte.

Did I make something wrong ?

PS: the name of the field "payload length" corresponds to the length of the AH header. (althoug it is not obviously with this name…)

denebe gravatar imagedenebe ( 2021-08-12 12:37:20 +0000 )edit

Wireshark displays the value (in 4 octet units) which is the value read from the packet and then converts the value to bytes by adding 2 and multiplying by 4 and appending that as a text string in parentheses. So if the field value is 4, the display is:

Length: 4 (24 bytes)

This is because, as per the RFC, Sect 2.2, Payload Length, the field contains the header length in 4 octet units - 2.

grahamb gravatar imagegrahamb ( 2021-08-12 14:52:10 +0000 )edit

An example capture can be found here.

grahamb gravatar imagegrahamb ( 2021-08-12 14:59:55 +0000 )edit

Note the above means that if using the ah.length field in a display filter, or viewing tshark output, you will be using the "raw" field value, but not the value converted to bytes.

grahamb gravatar imagegrahamb ( 2021-08-12 15:10:06 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-08-12 10:36:32 +0000

Seen: 66 times

Last updated: Aug 12