[lug] tcpdump question

Chip Atkinson chip at pupman.com
Wed Apr 5 16:08:54 MDT 2006


Has anyone had any experience with tcpdump (or perhaps the linux IP stack)
adding bytes to the end of some packets?

I run tcpdump on a file of some extracted network data and then send the
data via tcpreplay to another machine.  

The two machines are connected via crossover cable so it's not an issue of
routers or hubs putting something in.

I run tcpdump on the receiver and there are differences.  When I look at
the length of the packet, the differences occur after the length of bytes
that the packet should be.

For example:

IP (tos 0x0, ttl 127, id 57452, offset 0, flags [DF], proto 6, length: 40)
172.17.1.58.2932 > 195.149.88.251.6668: . [tcp sum ok]
1536731085:1536731085(0) ack 2208927079 win 63699
  0x0000:  4500 0028 e06c 4000 7f06 5187 ac11 013a  E..(.l at ...Q....:
  0x0010:  c395 58fb 0b74 1a0c 5b98 a7cd 83a9 8d67  ..X..t..[......g
  0x0020:  5010 f8d3 b32d 0000 5555 5555 5555       P....-..UUUUUU
           0 1  2 3  4 5  6 7  8 9
  0x0020:  5010 f8d3 b32d 0000 2020 2020 2020       P....-........

The packet should be 40 bytes long or 0x28.  The extra 0x0020 line is from
the receiver.  I just pasted it in to show the differences.
If I count, the differences occur after the official end of the packet, on
byte 0x28. 

Has anyone seen this before, and is there a way to prevent tcpdump from
going past the end?
(I didn't see anything in the man pages)
Thanks in advance.

Chip 
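
Added example, not code from Chip's post or from the tcpdump project. The six
trailing bytes are exactly what Ethernet minimum-frame padding predicts: a
40-byte IP datagram behind a 14-byte Ethernet header is 54 bytes, below the
60-byte minimum frame (FCS not counted), so the sender has to append 6 bytes
of padding, and the content of that padding is not specified by the standard.
tcpdump prints the bytes it captured, which is why the trailer appears in the
hex dump. The Python below uses the two hex dumps from the post (transcribed
here as constructed input, link header absent just as `tcpdump -x` shows
them), splits each capture at the IP total-length field, checks that the
trailer length is what the minimum-frame rule predicts, verifies the IP header
checksum, and compares the two captures on the datagram alone:

```python
"""Separate an IPv4 datagram from the bytes that trail it in an Ethernet capture.

Added example, not code from the original post. The two hex dumps below are
transcribed from the post (sender copy, receiver copy) and are the constructed
input; the link-layer header is not in them, exactly as `tcpdump -x` prints.
"""
import struct

ETH_HDR_LEN = 14    # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_FRAME = 60  # minimum Ethernet frame length, not counting the 4-byte FCS

SENDER_DUMP = """
0x0000:  4500 0028 e06c 4000 7f06 5187 ac11 013a  E..(.l@...Q....:
0x0010:  c395 58fb 0b74 1a0c 5b98 a7cd 83a9 8d67  ..X..t..[......g
0x0020:  5010 f8d3 b32d 0000 5555 5555 5555       P....-..UUUUUU
"""

RECEIVER_DUMP = """
0x0000:  4500 0028 e06c 4000 7f06 5187 ac11 013a  E..(.l@...Q....:
0x0010:  c395 58fb 0b74 1a0c 5b98 a7cd 83a9 8d67  ..X..t..[......g
0x0020:  5010 f8d3 b32d 0000 2020 2020 2020       P....-........
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble raw bytes from `tcpdump -x` lines ("0x0010:  c395 58fb ...  ascii")."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        hex_part = rest.strip().split("  ", 1)[0]   # ASCII column sits two spaces away
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def analyze(ip_bytes: bytes, link_hdr_len: int = ETH_HDR_LEN) -> dict:
    """Split a captured IPv4 packet into the declared datagram and its trailer.

    The trailer is whatever followed the IP total length on the wire. For a
    short packet the expected trailer is the padding needed to reach ETH_MIN_FRAME.
    """
    if len(ip_bytes) < 20 or ip_bytes[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", ip_bytes[2:4])[0]
    if total_len > len(ip_bytes):
        raise ValueError("capture is shorter than the declared IP length (truncated)")
    trailer = ip_bytes[total_len:]
    expected_pad = max(0, ETH_MIN_FRAME - (link_hdr_len + total_len))
    return {
        "ip_total_length": total_len,
        "captured_length": len(ip_bytes),
        "datagram": ip_bytes[:total_len],
        "trailer": trailer,
        "expected_padding": expected_pad,
        "trailer_is_min_frame_padding": len(trailer) == expected_pad,
    }


def ip_header_checksum_ok(datagram: bytes) -> bool:
    """Ones'-complement sum over the IPv4 header (checksum field included) must be 0xFFFF."""
    ihl = (datagram[0] & 0x0F) * 4
    words = struct.unpack("!%dH" % (ihl // 2), datagram[:ihl])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def datagrams_match(a: bytes, b: bytes) -> bool:
    """Compare two captures of one packet on the IP datagram only, ignoring trailers."""
    return analyze(a)["datagram"] == analyze(b)["datagram"]


if __name__ == "__main__":
    sender = parse_tcpdump_hex(SENDER_DUMP)
    receiver = parse_tcpdump_hex(RECEIVER_DUMP)
    for name, pkt in (("sender", sender), ("receiver", receiver)):
        r = analyze(pkt)
        verdict = "Ethernet min-frame padding" if r["trailer_is_min_frame_padding"] else "unexplained"
        print(f"{name}: IP length {r['ip_total_length']}, captured {r['captured_length']}, "
              f"trailer {r['trailer'].hex()} ({verdict}), header checksum ok: "
              f"{ip_header_checksum_ok(r['datagram'])}")
    print("datagrams identical:", datagrams_match(sender, receiver))
```

Both dumps come out as a 40-byte datagram with a 6-byte trailer, the IP header
checksum 0x5187 verifies, and the datagrams are byte-for-byte identical; only
the padding differs. Running tcpdump with `-e` (or `-xx`) on each side shows
the link-layer header and the full frame length, which makes the 60-byte frame
visible directly. Since tcpdump dumps what arrived on the wire, comparing the
two captures on the datagram up to the IP total length, as above, is the check
that tells you whether the replay was faithful.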