Why do captured icmp packets show less bytes of data than ping sends

asked 2018-10-07 11:29:08 +0000

I'm trying to ping a site on Linux and by default it sends 56, bytes of data, so 64 including header data, but when I check the data for the captured packets in wireshark, it always shows 8 less, so 48 in this case. When I ping for 32 bytes of data on windows, the captured packets contain 32 bytes of data. Could someone tell me what's going on?

edit retag flag offensive close merge delete

add a comment

1 Answer

Sort by » oldest newest most voted

answered 2018-10-07 12:58:15 +0000

Jaap

13730 ●685 ●115

Have a look at RFC 792 page 14 where Echo or Echo Reply Message are defined. As you can see there's an 8 byte header defined and a subsequent data field. The data field is known to optionally start with a timestamp, and if so detected this is shown by Wireshark. Be aware that is says: Timestamp from icmp data: <timestamp>, which shows that the timestamp is actually part of the data field. Adding the 8 bytes of the timestamp to the raw data field gets you the 56 bytes you were looking for.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-10-07 11:29:08 +0000

Seen: 1,638 times

Last updated: Oct 07 '18

Why do captured icmp packets show less bytes of data than ping sends edit

1 Answer