[Winpcap-users] Problem with SharpPCap
Guy Harris
guy at alum.mit.edu
Sun Mar 1 20:54:11 PST 2009
(If you reply to a digest, it's usually best to have the subject line
reflect the message to which you're replying, rather than the digest.)
On Mar 1, 2009, at 8:15 PM, Bharath kumar wrote:
> Thanks for your reply. I am using Ethernet network to
> capture the
> packets. The UDP Pcakets were sent over IPV4. The fragement offset
> value is
> 0, and Fragment flags= 2.
2, as in
Flags: 3 bits
Various Control Flags.
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.
0 1 2
+---+---+---+
| | D | M |
| 0 | F | F |
+---+---+---+
with DF set and MF clear?
If you're running over Ethernet, unless it's gigabit-or-faster
Ethernet *with* jumbo frames, you will *NOT* get 3236 byte packets -
the maximum packet size on Ethernet is 1518 bytes, including the 14-
byte Ethernet header and 4-byte CRC, so the maximum size of the
payload of an Ethernet packet is 1500 bytes. If 20 bytes of that 1500
bytes are an IPv4 header with no options, and 8 bytes are a UDP
header, that leaves 1472 bytes as the biggest UDP payload that can be
transmitted over Ethernet without using IP fragmentation.
I.e., a UDP packet with a length of 3244 *WILL* be transmitted as
multiple fragments over Ethernet unless your adapter is using jumbo
frames, so the packets *WILL* have either MF set or a non-zero
fragment offset unless your network adapter or the Windows networking
stack is mangling the packets before handing them to NDIS recipients
such as WinPcap.
What's the "total length" field in the IP header?
More information about the Winpcap-users
mailing list