
redapplesonly's profile - activity

2022-02-22 02:50:37 +0000 received badge  Popular Question (source)
2022-02-22 02:50:37 +0000 received badge  Notable Question (source)
2021-06-27 01:00:03 +0000 received badge  Notable Question (source)
2021-06-27 01:00:03 +0000 received badge  Popular Question (source)
2020-07-24 16:45:02 +0000 answered a question Why is my TCP Header Seen as "Data (20 Bytes)"?

Yep, that did it. Great catch! To be honest, the Fragment Offset value of 512 is probably me incorrectly setting the I

2020-07-24 16:45:02 +0000 received badge  Rapid Responder
2020-07-24 16:38:20 +0000 marked best answer Why is my TCP Header Seen as "Data (20 Bytes)"?

Hi Wireshark Gurus,

I am a college student working on a coding assignment. I'm writing a C program which creates a PCAP file, writes one valid network packet into the file, then exits. The point of the exercise is to learn how to format Ethernet, IP, and TCP headers in code. I pass my assignment if Wireshark can successfully open my PCAP and read the packet.

So far, my code writes a valid Ethernet and IP header (although I am skipping some IP fields, like CRC checksum and flags). My code also writes a TCP header... but Wireshark doesn't recognize it! After the IP header, it simply sees "Data, 20 bytes." I followed the RFC for TCP on the TCP header format, plus set IP_Protocol = 6, and I thought that was all that was necessary. But no.

Why might Wireshark look at my TCP header, and see raw data? I'm guessing it might be one of two reasons:

  • The IP header is still malformed, leaving Wireshark to consider the IP payload as "Data"
  • The TCP header format is screwed up

When Wireshark looks at where it should see a TCP header, it reports that it sees this:

Data (20 bytes)  0016 d7a6 7145 c91d 0ca8 87dd 5018 01df 0443 0000

(I added those spaces.) When I hand-check that data against what my code is writing, everything looks okay. (Field values were copied from another packet I captured in Wireshark.)

Field               octets  decimal val binary value                                hex value
=================================================================================================
src_port            2       22          0000 0000 0001 0110                         0016
dst_port            2       55206       1101 0111 1010 0110                         D7A6
tcp_seq_number      4       1900398877  0111 0001 0100 0101 1100 1001 0001 1101     7145 C91D
tcp_ack_number      4       212371421   0000 1100 1010 1000 1000 0111 1101 1101     0CA8 87DD
tcp_OffAndFlags     2       20504       0101 0000 0001 1000                         5018
tcp_window_size     2       479         0000 0001 1101 1111                         01DF
tcp_checksum        2       1091        0000 0100 0100 0011                         0443
tcp_urgent_pointer  2       0           0000 0000 0000 0000                         0000

Everything is exactly as it should be, as far as I can tell. So what is wrong?

What I see in Wireshark is included below. Many thanks in advance!

Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec 31, 1969 19:00:00.000000000 Eastern Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 0.000000000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 54 bytes (432 bits)
    Capture Length: 54 bytes (432 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:data]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
Ethernet II, Src: 64:96:c8:fa:fc:ff (64:96:c8:fa:fc:ff), Dst: Woonsang_04:05:06 (01:02:03:04:05:06)
    Destination: Woonsang_04:05:06 (01:02:03:04:05:06)
    Source: 64 ...
(more)
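An added example, not the poster's program, that writes the same kind of single-frame PCAP with the IPv4 fields the question says were skipped (flags, fragment offset, header checksum) filled in, plus a TCP checksum computed over the pseudo-header. The poster's follow-up reply above mentions a Fragment Offset of 512: a non-zero offset tells the dissector that the IP payload is a later fragment of a larger datagram, so it is shown as Data instead of being handed to the TCP dissector. MAC addresses and TCP field values are taken from the question's tables; the IP addresses, IP identification and the record timestamp are hypothetical. The IPv4 header checksum is the RFC 1071 one's-complement sum, not a CRC.

```c
/* Added example, not the poster's code: one Ethernet/IPv4/TCP frame with every IPv4
 * field set (flags, fragment offset, checksum) and a valid TCP checksum, written to a
 * pcap file. IP addresses, IP ID and timestamp are hypothetical. cc -std=c99 -o onepkt onepkt.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FRAME_LEN 54   /* 14 Ethernet + 20 IPv4 + 20 TCP, no payload */

/* Network-order (big-endian) stores/loads for protocol headers, little-endian for pcap. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static void le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void le32(uint8_t *p, uint32_t v) { le16(p, (uint16_t)v); le16(p + 2, (uint16_t)(v >> 16)); }
uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement checksum: the IPv4 header checksum is this, not a CRC.
 * Recomputing it over a header that already carries its checksum yields 0. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0; size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (i < len) sum += (uint32_t)data[i] << 8;            /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);  /* fold carries back in */
    return (uint16_t)~sum;
}

/* TCP checksum: 12-byte pseudo-header (src, dst, zero, protocol, TCP length) + TCP segment. */
uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len)
{
    uint8_t tmp[12 + 1500];
    if (tcp_len > 1500) return 0;
    memcpy(tmp, ip + 12, 8);                  /* IPv4 src and dst */
    tmp[8] = 0; tmp[9] = 6;                   /* zero, protocol TCP */
    put16(tmp + 10, (uint16_t)tcp_len);
    memcpy(tmp + 12, tcp, tcp_len);
    return inet_checksum(tmp, 12 + tcp_len);
}

/* Fill buf (FRAME_LEN bytes) with the frame; returns FRAME_LEN. */
size_t build_frame(uint8_t *buf)
{
    static const uint8_t dst_mac[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
    static const uint8_t src_mac[6] = {0x64, 0x96, 0xc8, 0xfa, 0xfc, 0xff};
    uint8_t *ip = buf + 14, *tcp = buf + 34;
    memcpy(buf, dst_mac, 6);                  /* Ethernet II */
    memcpy(buf + 6, src_mac, 6);
    put16(buf + 12, 0x0800);                  /* EtherType IPv4 */
    memset(ip, 0, 20);                        /* IPv4; checksum field must be 0 while summing */
    ip[0] = 0x45;                             /* version 4, IHL 5 (20 bytes) */
    put16(ip + 2, 40);                        /* total length = IP + TCP headers */
    put16(ip + 4, 0x1234);                    /* identification (hypothetical) */
    put16(ip + 6, 0x4000);                    /* flags DF, fragment offset 0 (non-zero = fragment, no TCP) */
    ip[8] = 64; ip[9] = 6;                    /* TTL, protocol TCP */
    put32(ip + 12, 0x0a0a0a0au);              /* src 10.10.10.10 (hypothetical) */
    put32(ip + 16, 0x0a0a0a14u);              /* dst 10.10.10.20 (hypothetical) */
    put16(ip + 10, inet_checksum(ip, 20));    /* header checksum, computed last */
    memset(tcp, 0, 20);                       /* TCP, values from the question's table */
    put16(tcp + 0, 22); put16(tcp + 2, 55206);                 /* src, dst port */
    put32(tcp + 4, 1900398877u); put32(tcp + 8, 212371421u);  /* seq, ack */
    put16(tcp + 12, 0x5018);                  /* data offset 5, flags PSH|ACK */
    put16(tcp + 14, 479);                     /* window; urgent pointer stays 0 */
    put16(tcp + 16, tcp_checksum(ip, tcp, 20));
    return FRAME_LEN;
}

/* pcap global header + one record header + the frame, little-endian. 0 on success. */
int write_pcap(const char *path)
{
    uint8_t frame[FRAME_LEN], gh[24], rh[16];
    FILE *f;
    build_frame(frame);
    le32(gh, 0xa1b2c3d4u); le16(gh + 4, 2); le16(gh + 6, 4);    /* magic, version 2.4 */
    le32(gh + 8, 0); le32(gh + 12, 0); le32(gh + 16, 65535); le32(gh + 20, 1); /* tz, sigfigs, snaplen, LINKTYPE_ETHERNET */
    le32(rh, 1595604000u); le32(rh + 4, 0);                       /* timestamp sec/usec (hypothetical) */
    le32(rh + 8, FRAME_LEN); le32(rh + 12, FRAME_LEN);           /* captured, original length */
    if (!(f = fopen(path, "wb"))) return -1;
    if (fwrite(gh, 1, 24, f) != 24 || fwrite(rh, 1, 16, f) != 16 ||
        fwrite(frame, 1, FRAME_LEN, f) != FRAME_LEN) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* Check the frame as a dissector would: protocol 6, fragment offset 0, both checksums verify. */
int self_check(void)
{
    uint8_t f[FRAME_LEN];
    const uint8_t *ip = f + 14, *tcp = f + 34;
    if (build_frame(f) != FRAME_LEN || ip[9] != 6) return 0;
    if ((get16(ip + 6) & 0x1fff) != 0) return 0;      /* low 13 bits = fragment offset */
    return inet_checksum(ip, 20) == 0 && tcp_checksum(ip, tcp, 20) == 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "one_packet.pcap";
    if (!self_check()) { fputs("self-check failed\n", stderr); return 1; }
    if (write_pcap(path) != 0) { perror(path); return 1; }
    printf("wrote %s\n", path);
    return 0;
}
```

Run ./onepkt out.pcap and open out.pcap in Wireshark: the "Protocols in frame" line should read eth:ethertype:ip:tcp, and the IPv4 and TCP checksum fields should both show as correct. inet_checksum is also the routine to use for the IPv4 header checksum the question leaves out.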
2020-07-24 15:29:41 +0000 asked a question Why is my TCP Header Seen as "Data (20 Bytes)"?

Why is my TCP Header Seen as "Data (20 Bytes)"? Hi Wireshark Gurus, I am a college student working on a coding assignme

2020-02-28 17:58:30 +0000 commented answer Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?

Yes! YES!!! This did it! You are a genius, sir! Thank you... :)

2020-02-28 17:58:01 +0000 marked best answer Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?

Hi everyone,

I have a series of large PCAP files on my Linux machine. I need to use tshark (v 2.2.6) to read the files, then compute the MIN, MAX, and AVG for all packet lengths. In other words, if I somehow had this:

root@linux:~# tshark -r myCap.pcap
    1   0.000000 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=1/256, ttl=63
    2   0.000688 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=1/256, ttl=63 (request in 1)
    3   0.993300 10.10.10.10 → 10.10.10.20 ICMP 100 Echo (ping) request  id=0x1e44, seq=2/512, ttl=63
    4   0.994362 10.10.10.20 → 10.10.10.10 ICMP 100 Echo (ping) reply    id=0x1e44, seq=2/512, ttl=63 (request in 3)
    5   1.994626 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=3/768, ttl=63
    6   1.995368 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=3/768, ttl=63 (request in 5)
    7   2.996105 10.10.10.10 → 10.10.10.20 ICMP 150 Echo (ping) request  id=0x1e44, seq=4/1024, ttl=63
    8   3.003030 10.10.10.20 → 10.10.10.10 ICMP 150 Echo (ping) reply    id=0x1e44, seq=4/1024, ttl=63 (request in 7)
    9   3.997729 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=5/1280, ttl=63
   10   3.998719 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=5/1280, ttl=63 (request in 9)
   11   4.999701 10.10.10.10 → 10.10.10.20 ICMP 98  Echo (ping) request  id=0x1e44, seq=6/1536, ttl=63
   12   5.006203 10.10.10.20 → 10.10.10.10 ICMP 98  Echo (ping) reply    id=0x1e44, seq=6/1536, ttl=63 (request in 11)
root@linux:~#

Then I need some output that looks like this:

root@linux:~# tshark -r myCap.pcap -z io,stat,0,MIN(Length)filter 
MIN: 98
root@linux:~# tshark -r myCap.pcap -z io,stat,0,MAX(Length)filter 
MAX: 150
root@linux:~# tshark -r myCap.pcap -z io,stat,0,AVG(Length)filter 
AVG: 107 
root@linux:~#

Or better yet:

root@linux:~# tshark -r myCap.pcap -z io,stat,0,MIN,MAX,AVG(Length)filter 
MIN: 98  MAX: 150  AVG: 107 
root@linux:~#

The ‘-z’ option is obviously the way to go here, but the latter syntax trips me up. The format for what I think I want is:

-z io,stat,interval,AVG (field)filter

But after that, I’m fairly lost. Here’s what I do know:

  • I want the interval to be “0” because I want the entire PCAP file to be summarized
  • I think I want the field to ...
(more)
2020-02-28 17:58:01 +0000 received badge  Scholar (source)
2020-02-27 18:25:05 +0000 asked a question Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File?

Tshark: How to find MIN, MAX, AVG Packet Lengths in PCAP File? Hi everyone, I have a series of large PCAP files on my L