This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet Size 40 Bytes - IP 20Bytes and Segment 20 Bytes

0

Jasper,

I have another one - Are all Tflags SYN should have an option enabled? IP header 20 Bytes and Segment "SYN" 20 Bytes - Is it normal to see a packet 40 Size packet ?

alt text

asked 02 Jan '16, 08:59

Dgo%20Vrgs's gravatar image

Dgo Vrgs
1223
accept rate: 0%

converted to question 02 Jan '16, 09:01


One Answer:

0

20 bytes IPv4 is normal, 20 bytes TCP is a very common size, too. But for a TCP packet with the SYN flag set you usually see bigger TCP headers these days. Reason for that is that TCP SYN packets now carry options like MSS, SACK permitted and Window Scaling. Older stacks may omit one or more of those, of course, and they still work, but having them is better.

answered 02 Jan '16, 13:03

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Jasper thanks for the confirmation. One of our customers is getting tons of TCP SYN flood lately each with different variations.

(04 Jan '16, 19:01) Dgo Vrgs