[lug] tcpdump question

Chip Atkinson chip at pupman.com
Wed Apr 5 16:22:21 MDT 2006


Argh.  I searched earlier for the wrong thing. Found it on the web:
http://www.tcpdump.org/lists/workers/2001/05/msg00057.html

Chip

On Wed, 5 Apr 2006, Chip Atkinson wrote:

> Has anyone had any experience with tcpdump (or perhaps the linux IP stack)
> adding bytes to the end of some packets?
> 
> I run tcpdump on a file of some extracted network data and then send the
> data via tcpreplay to another machine.  
> 
> The two machines are connected via crossover cable so it's not an issue of
> routers or hubs putting something in.
> 
> I run tcpdump on the receiver and there are differences.  When I look at
> the length of the packet, the differences occur after the length of bytes
> that the packet should be.
> 
> For example:
> 
> IP (tos 0x0, ttl 127, id 57452, offset 0, flags [DF], proto 6, length: 40)
> 172.17.1.58.2932 > 195.149.88.251.6668: . [tcp sum ok]
> 1536731085:1536731085(0) ack 2208927079 win 63699
>   0x0000:  4500 0028 e06c 4000 7f06 5187 ac11 013a  E..(.l@...Q....:
>   0x0010:  c395 58fb 0b74 1a0c 5b98 a7cd 83a9 8d67  ..X..t..[......g
>   0x0020:  5010 f8d3 b32d 0000 5555 5555 5555       P....-..UUUUUU
>            0 1  2 3  4 5  6 7  8 9
>   0x0020:  5010 f8d3 b32d 0000 2020 2020 2020       P....-........
> 
> The packet should be 40 bytes long or 0x28.  The extra 0x0020 line is from
> the receiver.  I just pasted it in to show the differences.
> If I count, the differences occur after the official end of the packet, on
> byte 0x28. 
> 
> Has anyone seen this before, and is there a way to prevent tcpdump from
> going past the end?
> (I didn't see anything in the man pages)
> Thanks in advance.
> 
> Chip 
> 
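An added example, not part of the original messages: a way to compare two captures of the same packet while ignoring anything past the IP total length, using the hex lines quoted above. The dump holds 46 bytes, which equals the minimum Ethernet payload size, so the six trailing bytes are consistent with frame padding; that reading is an assumption here, since the post does not name the cause. The function names are hypothetical.

```python
import struct

def parse_hex_dump(text):
    """Convert 'tcpdump -x' style lines (offset: hex groups, ASCII) to bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, rest = line.partition(":")            # drop the 0xNNNN offset
        hex_part = rest.strip().split("  ")[0]      # ASCII column follows a wider gap
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)

def split_ipv4(payload):
    """Return (packet, trailer), cutting at the IPv4 header's total-length field."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (total_len,) = struct.unpack("!H", payload[2:4])
    if total_len > len(payload):
        raise ValueError("capture is shorter than the IP total length")
    return payload[:total_len], payload[total_len:]

def same_packet(a, b):
    """True when two captures carry the same IP packet, whatever follows it."""
    return split_ipv4(a)[0] == split_ipv4(b)[0]

# Hex lines taken from the post; only the last line differs between the two.
HEAD = """
  0x0000:  4500 0028 e06c 4000 7f06 5187 ac11 013a  E..(.l@...Q....:
  0x0010:  c395 58fb 0b74 1a0c 5b98 a7cd 83a9 8d67  ..X..t..[......g
"""
DUMP_A = parse_hex_dump(HEAD + "  0x0020:  5010 f8d3 b32d 0000 5555 5555 5555       P....-..UUUUUU")
DUMP_B = parse_hex_dump(HEAD + "  0x0020:  5010 f8d3 b32d 0000 2020 2020 2020")

if __name__ == "__main__":
    for name, dump in (("A", DUMP_A), ("B", DUMP_B)):
        packet, trailer = split_ipv4(dump)
        print(f"{name}: captured={len(dump)} ip_len={len(packet)} trailer={trailer.hex()}")
    print("raw captures equal:", DUMP_A == DUMP_B)
    print("IP packets equal:  ", same_packet(DUMP_A, DUMP_B))
```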



