Ask Your Question
0

Bytes accumulation in an ICMP packet

asked 2023-12-18 16:31:21 +0000

mainhatnam2210 gravatar image

updated 2023-12-18 17:05:35 +0000

grahamb gravatar image

Hi everyone, my ICMP packet has a line stating that "Timestamp from icmp data: Apr 1, 2021 10:42:04.634801000 SE Asia Standard Time". I wondered if the bytes from this timestamp would be included in the ICMP data or in the ICMP header. Thanks for replying!

This is my packet:

Frame 4: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface wlp2s0, id 0
Ethernet II, Src: TpLinkTechno_fc:53:7e (18:d6:c7:fc:53:7e), Dst: Intel_3c:ac:58 (a0:d3:7a:3c:ac:58)
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.0.105
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0x14ce [correct]
    [Checksum Status: Good]
    Identifier (BE): 13 (0x000d)
    Identifier (LE): 3328 (0x0d00)
    Sequence Number (BE): 1 (0x0001)
    Sequence Number (LE): 256 (0x0100)
    [Request frame: 3]
    [Response time: 2.935 ms]
    Timestamp from icmp data: Apr  1, 2021 10:42:04.634801000 SE Asia Standard Time
    [Timestamp from icmp data (relative): 0.004796943 seconds]
    Data (40 bytes)
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2023-12-18 20:40:26 +0000

SYN-bit gravatar image

There is no timestamp field in the ICMP header, so the time comes from the ICMP data part. Some ping implementations add the timestamp to the start of the ICMP data. Other implementations do not.

edit flag offensive delete link more

Comments

It says Timestamp from icmp data: so the timestamp is part of the data but then the next line Data does not show all the data since the timestamp is carved from data.

So values for data.data and data.len depend on if a icmp.data_time was cut out of the data.

See discussion on 19283: Timestamp from icmp data is incorrect in Wireshark v4.0.7-0-g0ad1823c for more background info.

Code that makes the SWAG at a timestamp - epan/dissectors/packet-icmp.c:

        /* Interpret the first 8 or 16 bytes of the icmp data as a timestamp
         * But only if it does look like it's a timestamp.
         *
         */
        int len = get_best_guess_timestamp(tvb, 8, &pinfo->abs_ts, &ts);
        if (len) {
            proto_tree_add_time(icmp_tree, hf_icmp_data_time,
                        tvb, 8, len, &ts);
            nstime_delta(&time_relative, &pinfo->abs_ts,
                     &ts);
            ti = proto_tree_add_time(icmp_tree,
                         hf_icmp_data_time_relative,
                         tvb, 8, len,
                         &time_relative);
            proto_item_set_generated(ti);
            call_data_dissector(tvb_new_subset_remaining(tvb,
                                8 + len),
                       pinfo, icmp_tree);
Chuckc gravatar imageChuckc ( 2023-12-19 18:09:00 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-12-18 16:31:21 +0000

Seen: 80 times

Last updated: Dec 18 '23

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2