[lug] tcpdump question
Chip Atkinson
chip at pupman.com
Wed Apr 5 16:22:21 MDT 2006
Argh. I searched earlier for the wrong thing. Found it on the web:
http://www.tcpdump.org/lists/workers/2001/05/msg00057.html
Chip
On Wed, 5 Apr 2006, Chip Atkinson wrote:
> Has anyone had any experience with tcpdump (or perhaps the linux IP stack)
> adding bytes to the end of some packets?
>
> I run tcpdump on a file of some extracted network data and then send the
> data via tcpreplay to another machine.
>
> The two machines are connected via crossover cable so it's not an issue of
> routers or hubs putting something in.
>
> I run tcpdump on the receiver and there are differences. When I look at
> the length of the packet, the differences occur after the length of bytes
> that the packet should be.
>
> For example:
>
> IP (tos 0x0, ttl 127, id 57452, offset 0, flags [DF], proto 6, length: 40)
> 172.17.1.58.2932 > 195.149.88.251.6668: . [tcp sum ok]
> 1536731085:1536731085(0) ack 2208927079 win 63699
> 0x0000: 4500 0028 e06c 4000 7f06 5187 ac11 013a E..(.l@...Q....:
> 0x0010: c395 58fb 0b74 1a0c 5b98 a7cd 83a9 8d67 ..X..t..[......g
> 0x0020: 5010 f8d3 b32d 0000 5555 5555 5555 P....-..UUUUUU
> 0 1 2 3 4 5 6 7 8 9
> 0x0020: 5010 f8d3 b32d 0000 2020 2020 2020 P....-........
>
> The packet should be 40 bytes long or 0x28. The extra 0x0020 line is from
> the receiver. I just pasted it in to show the differences.
> If I count, the differences occur after the official end of the packet, on
> byte 0x28.
>
> Has anyone seen this before, and is there a way to prevent tcpdump from
> going past the end?
> (I didn't see anything in the man pages)
> Thanks in advance.
>
> Chip
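Added example, not part of the original thread: a short Python check that splits each capture from the post at the IPv4 total-length field, so two captures can be compared on the packet alone and any trailing bytes inspected separately. The byte strings are copied from the hex dumps above; the function names are hypothetical, and reading the six trailing bytes as Ethernet minimum-frame padding (14-byte header, 60-byte minimum without FCS) is an assumption about this setup.

```python
import struct

# Bytes copied from the two hex dumps in the post (sender capture, then the
# receiver's differing 0x0020 line); both start at the IPv4 header.
HEAD = bytes.fromhex(
    "45000028e06c40007f065187ac11013a"
    "c39558fb0b741a0c5b98a7cd83a98d67"
)
SENDER = HEAD + bytes.fromhex("5010f8d3b32d0000" "555555555555")
RECEIVER = HEAD + bytes.fromhex("5010f8d3b32d0000" "202020202020")

ETH_HEADER = 14      # destination MAC, source MAC, EtherType
ETH_MIN_FRAME = 60   # minimum Ethernet frame without the 4-byte FCS (assumed link type)


def split_ipv4(captured: bytes):
    """Return (packet, trailer): the bytes covered by the IPv4 total-length
    field and whatever the capture holds beyond it."""
    if len(captured) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = captured[0] >> 4, (captured[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    (total_len,) = struct.unpack_from("!H", captured, 2)
    if total_len < ihl:
        raise ValueError("total length smaller than header length")
    if total_len > len(captured):
        raise ValueError("capture truncated before the end of the packet")
    return captured[:total_len], captured[total_len:]


def expected_padding(ip_total_len: int) -> int:
    """Pad bytes needed to bring an Ethernet frame up to the minimum size."""
    return max(0, ETH_MIN_FRAME - (ETH_HEADER + ip_total_len))


def same_packet(a: bytes, b: bytes) -> bool:
    """Compare two captures on the IP packet only, ignoring trailer bytes."""
    return split_ipv4(a)[0] == split_ipv4(b)[0]


if __name__ == "__main__":
    pkt, trailer = split_ipv4(SENDER)
    print(len(pkt), trailer.hex(), expected_padding(len(pkt)))
    print("identical up to IP total length:", same_packet(SENDER, RECEIVER))
```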