[Winpcap-users] Where the apdding begins?
Krzysztof Włodarczyk
krwl at wp.pl
Sat Apr 1 20:38:45 GMT 2006
Dnia 1-04-2006 o godz. 22:02 Guy Harris napisał(a):
> Krzysztof Włodarczyk wrote:
>
> > my problem is how to find out where, in a tcp packet, finishes tcp
> data, and begins a padding??
> >
> > for example I have the following packet:
> > 00 50 fc a1 50 cb 00 30 4f 18 3a d8 08 00 45 00
> > 00 2d 47 52 40 00 3a 06 fd 60 d4 4d 65 a6 c0 a8
> > 01 7c 00 6e 08 a9 0c f8 00 cc 62 09 bd db 50 18
> > 16 d0 e5 c2 00 00 2b 4f 4b 0d 0a 62
> >
> > where:
> > 00 50 fc a1 50 cb 00 30 4f 18 3a d8 08 00
> > -is an Ethernet header
>
> ...containing:
>
> Destination: 00:50:fc:a1:50:cb
> Source: 00:30:4f:18:3a:38
> Type: 0x0800 (IPv4)
>
> > 45 00
> > 00 2d 47 52 40 00 3a 06 fd 60 d4 4d 65 a6 c0 a8
> > 01 7c
> > -is an IPv4 header
>
> ...containing:
>
> Version/IHL: 0x45 = version 4, IHL 5 (5*4 = 20 bytes)
> TOS: 0x00
> Total length: 0x002d = 45 bytes
> ID: 0x4752
> Flags/Fragment offset: 0x4000 (DF, fragment offset 0)
> TTL: 0x3a = 58
> Protocol: 0x06 (TCP)
> Header checksum: 0xfd60
> Source address: 0xd4465a6 (212.70.101.166)
> Destination address: 0xc0a8017c (192.168.1.124)
>
> The IHL is the length of the IP header, which is 20 bytes, so there are
> no options.
>
> > 00 6e 08 a9 0c f8 00 cc 62 09 bd db 50 18
> > 16 d0 e5 c2 00 00
> > -is a TCP header
>
> ...containing:
>
> Source port: 0x006e (110)
> Destination port: 0x08a9 (2217)
> Sequence number: 0x0cf800cc (217579724)
> Acknowledgment number: 0x6209bddb (1644805595)
> Data offset/flags: 0x5018 (data offset 5 = 5*4, 20 bytes; ACK+PSH)
> Window: 0x16d0 (5840)
> Checksum: 0xe5c2
> Urgent pointer: 0x0000
>
> The data offset is the length of the TCP header, which is 20 bytes, so
> there are no options.
>
> The total length is 45; the IP header length is 20, and the TCP header
> length is 20, so 40 bytes of those 45 bytes are the IP and TCP headers,
> so there's 5 bytes of TCP data.
>
> > 2b 4f 4b 0d 0a
> > -is TCP data
>
> Those are the 5 bytes of TCP data.
>
> > and finally:
> > 62
> > -is a padding rubbish
>
> ...because it's after the 5 bytes of TCP data.
>
> > And my question: is there any method that can tell me where the
> > padding begins?
>
> Yes. For TCP over IPv4, you get the total length from the IP header,
> and subtract from it the length of the IP and TCP headers; that's the
> number of bytes of data after the TCP header. Everything after that is
> padding.
>
> Doing this for other network layer protocols (IPv6, etc.) or transport
> protocols is left as an exercise for the reader.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
Yeah, now I see it was a dumb question,
thanks for answer
----------------------------------------------------
"Oliver Twist" Romana Polańskiego już na DVD!
http://klik.wp.pl/?adr=http%3A%2F%2Fadv.reklama.wp.pl%2Fas%2Folivertwist.html&sid=715
More information about the Winpcap-users
mailing list