[Winpcap-users] Problem with SharpPCap

Guy Harris guy at alum.mit.edu
Sun Mar 1 20:54:11 PST 2009

(If you reply to a digest, it's usually best to have the subject line  
reflect the message to which you're replying, rather than the digest.)

On Mar 1, 2009, at 8:15 PM, Bharath kumar wrote:

>           Thanks for your reply. I am using Ethernet network to  
> capture the
> packets. The UDP Pcakets were sent over IPV4. The  fragement offset  
> value is
> 0, and Fragment flags= 2.

2, as in

   Flags:  3 bits

     Various Control Flags.

       Bit 0: reserved, must be zero
       Bit 1: (DF) 0 = May Fragment,  1 = Don't Fragment.
       Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

           0   1   2
         |   | D | M |
         | 0 | F | F |

with DF set and MF clear?

If you're running over Ethernet, unless it's gigabit-or-faster  
Ethernet *with* jumbo frames, you will *NOT* get 3236 byte packets -  
the maximum packet size on Ethernet is 1518 bytes, including the 14- 
byte Ethernet header and 4-byte CRC, so the maximum size of the  
payload of an Ethernet packet is 1500 bytes.  If 20 bytes of that 1500  
bytes are an IPv4 header with no options, and 8 bytes are a UDP  
header, that leaves 1472 bytes as the biggest UDP payload that can be  
transmitted over Ethernet without using IP fragmentation.

I.e., a UDP packet with a length of 3244 *WILL* be transmitted as  
multiple fragments over Ethernet unless your adapter is using jumbo  
frames, so the packets *WILL* have either MF set or a non-zero  
fragment offset unless your network adapter or the Windows networking  
stack is mangling the packets before handing them to NDIS recipients  
such as WinPcap.

What's the "total length" field in the IP header?

More information about the Winpcap-users mailing list