Hi Wireshark Gurus,
I am a college student working on a coding assignment. I'm writing a C program which creates a PCAP file, writes one valid network packet into the file, then exits. The point of the exercise is to learn how to format Ethernet, IP, and TCP headers in code. I pass my assignment if Wireshark can successfully open my PCAP and read the packet.
So far, my code writes a valid Ethernet and IP header (although I am skipping some IP fields, like CRC checksum and flags). My code also writes a TCP header... but Wireshark doesn't recognize it! After the IP header, it simply sees "Data, 20 bytes." I followed the RFC for TCP on the TCP header format, plus set IP_Protocol = 6, and I thought that was all that was necessary. But no.
Why might Wireshark look at my TCP header, and see raw data? I'm guessing it might be one of two reasons:
- The IP header is still malformed, leaving Wireshark to consider the IP payload as "Data"
- The TCP header format is screwed up
When Wireshark looks at where it should see a TCP header, it reports that it sees this:
Data (20 bytes) 0016 d7a6 7145 c91d 0ca8 87dd 5018 01df 0443 0000
(I added those spaces.) When I hand-check that data against what my code is writing, everything looks okay. (Field values were copied from another packet I captured in Wireshark.)
Field               octets  decimal val   binary value                              hex value
=================================================================================================
src_port            2       22            0000 0000 0001 0110                       0016
dst_port            2       55206         1101 0111 1010 0110                       D7A6
tcp_seq_number      4       1900398877    0111 0001 0100 0101 1100 1001 0001 1101   7145 C91D
tcp_ack_number      4       212371421     0000 1100 1010 1000 1000 0111 1101 1101   0CA8 87DD
tcp_OffAndFlags     2       20504         0101 0000 0001 1000                       5018
tcp_window_size     2       479           0000 0001 1101 1111                       01DF
tcp_checksum        2       1091          0000 0100 0100 0011                       0443
tcp_urgent_pointer  2       0             0000 0000 0000 0000                       0000
Everything is exactly as it should be, as far as I can tell. So what is wrong?
What I see in Wireshark is included below. Many thanks in advance!
Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Dec 31, 1969 19:00:00.000000000 Eastern Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 0.000000000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:data]
[Coloring Rule Name: Broadcast]
[Coloring Rule String: eth[0] & 1]
Ethernet II, Src: 64:96:c8:fa:fc:ff (64:96:c8:fa:fc:ff), Dst: Woonsang_04:05:06 (01:02:03:04:05:06)
Destination: Woonsang_04:05:06 (01:02:03:04:05:06)
Source: 64:96:c8:fa:fc:ff (64:96:c8:fa:fc:ff)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 168.161.114.101, Dst: 168.161.114.100
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 40
Identification: 0xd77e (55166)
Flags: 0x0040
Fragment offset: 512
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x2cb5 [validation disabled]
[Header checksum status: Unverified]
Source: 168.161.114.101
Destination: 168.161.114.100
Data (20 bytes)
Data: 0016d7a67145c91d0ca887dd501801df04430000
[Length: 20]
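An added example in C, not the asker's code, that assembles the same 54-byte Ethernet/IPv4/TCP frame as the capture above and writes it to a classic pcap file. Every multi-byte wire field is stored explicitly in network (big-endian) order with a small put16be/put32be helper, and the IP and TCP checksums are computed rather than copied from another packet. One detail worth holding against the dissection above: Wireshark reports Flags: 0x0040 and Fragment offset: 512, which is exactly what the 16-bit flags/fragment-offset word 0x4000 (DF set, offset 0) decodes to when its two bytes land on the wire in little-endian host order as 40 00 reversed to 00 40; a nonzero fragment offset makes Wireshark treat the IP payload as a fragment and show it as Data instead of dissecting TCP, which matches the eth:ethertype:ip:data protocol chain in the frame. The addresses and TCP field values come from the question; the pcap magic, the record timestamp and the output file name are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the asker's code): one Ethernet/IPv4/TCP frame built in
 * network byte order and written to a classic pcap file. Addresses and TCP
 * field values are the ones from the question; checksums are computed. */
enum { ETH_LEN = 14, IP_LEN = 20, TCP_LEN = 20, FRAME_LEN = 54 };

/* Wire headers are big-endian no matter what the host CPU is. */
static void put16be(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32be(uint8_t *p, uint32_t v) { put16be(p, (uint16_t)(v >> 16)); put16be(p + 2, (uint16_t)v); }
/* pcap file headers use the byte order announced by the magic; we pick little-endian. */
static void put16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32le(uint8_t *p, uint32_t v) { put16le(p, (uint16_t)v); put16le(p + 2, (uint16_t)(v >> 16)); }

/* One's-complement accumulation shared by the IP and TCP checksums. */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) acc += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (len & 1) acc += (uint32_t)p[len - 1] << 8;   /* odd trailing byte is high-order */
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* RFC 791 header checksum over the header as given; compute it with the
 * checksum field zeroed. A correctly checksummed header sums to 0. */
uint16_t ip_checksum(const uint8_t *ip, size_t len) { return fold(sum16(0, ip, len)); }

/* RFC 793 checksum: pseudo-header (src, dst, zero, protocol, TCP length) + segment. */
uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcplen) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);                 /* source and destination addresses */
    pseudo[8] = 0; pseudo[9] = ip[9];           /* zero, protocol (6) */
    put16be(pseudo + 10, (uint16_t)tcplen);
    return fold(sum16(sum16(0, pseudo, 12), tcp, tcplen));
}

/* Fill buf (FRAME_LEN bytes) with the frame; returns its length, 54. */
size_t build_frame(uint8_t *buf) {
    uint8_t *eth = buf, *ip = buf + ETH_LEN, *tcp = ip + IP_LEN;
    static const uint8_t dst_mac[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
    static const uint8_t src_mac[6] = {0x64, 0x96, 0xc8, 0xfa, 0xfc, 0xff};
    static const uint8_t src_ip[4] = {168, 161, 114, 101}, dst_ip[4] = {168, 161, 114, 100};

    memset(buf, 0, FRAME_LEN);
    memcpy(eth, dst_mac, 6); memcpy(eth + 6, src_mac, 6);
    put16be(eth + 12, 0x0800);                  /* EtherType IPv4 */

    ip[0] = 0x45; ip[1] = 0x00;                 /* version 4, IHL 5; DSCP/ECN 0 */
    put16be(ip + 2, IP_LEN + TCP_LEN);          /* total length 40 */
    put16be(ip + 4, 0xd77e);                    /* identification */
    put16be(ip + 6, 0x4000);                    /* DF set, fragment offset 0 -> bytes 40 00 */
    ip[8] = 64; ip[9] = 6;                      /* TTL, protocol TCP */
    memcpy(ip + 12, src_ip, 4); memcpy(ip + 16, dst_ip, 4);
    put16be(ip + 10, ip_checksum(ip, IP_LEN));  /* checksum field is still 0 here */

    put16be(tcp, 22); put16be(tcp + 2, 55206);  /* source, destination port */
    put32be(tcp + 4, 1900398877u);              /* sequence number 0x7145c91d */
    put32be(tcp + 8, 212371421u);               /* acknowledgment 0x0ca887dd */
    put16be(tcp + 12, 0x5018);                  /* data offset 5, flags PSH|ACK */
    put16be(tcp + 14, 479);                     /* window; urgent pointer stays 0 */
    put16be(tcp + 16, tcp_checksum(ip, tcp, TCP_LEN)); /* checksum field still 0 */
    return FRAME_LEN;
}

/* Convenience accessor: the finished frame in a static buffer. */
const uint8_t *example_frame(void) {
    static uint8_t frame[FRAME_LEN];
    build_frame(frame);
    return frame;
}

/* Write a pcap file holding the single frame; returns bytes written, 0 on error. */
size_t write_pcap(const char *path, const uint8_t *frame, size_t len) {
    uint8_t gh[24], rh[16];
    put32le(gh, 0xa1b2c3d4); put16le(gh + 4, 2); put16le(gh + 6, 4); /* magic, version 2.4 */
    put32le(gh + 8, 0); put32le(gh + 12, 0);        /* thiszone, sigfigs */
    put32le(gh + 16, 65535); put32le(gh + 20, 1);   /* snaplen, LINKTYPE_ETHERNET */
    put32le(rh, 1700000000u); put32le(rh + 4, 0);   /* ts_sec (constructed), ts_usec */
    put32le(rh + 8, (uint32_t)len); put32le(rh + 12, (uint32_t)len); /* incl_len, orig_len */
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t n = fwrite(gh, 1, 24, f) + fwrite(rh, 1, 16, f) + fwrite(frame, 1, len, f);
    return fclose(f) == 0 ? n : 0;
}

int main(void) {
    size_t n = write_pcap("one_packet.pcap", example_frame(), FRAME_LEN);
    printf("wrote %zu bytes to one_packet.pcap\n", n);
    return n == 24 + 16 + FRAME_LEN ? 0 : 1;
}
```

Opening one_packet.pcap in Wireshark should show a single 54-byte frame dissected as eth:ethertype:ip:tcp, with a valid IP header checksum and a valid TCP checksum if checksum validation is switched on. The two helper families make the byte-order split visible: put16be/put32be for everything inside the frame, put16le/put32le only for the pcap container headers, whose endianness is whatever the magic number declares.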