On Sat, Oct 06, 2001 at 07:23:34PM -0500, Michael P. Rogers wrote:
> Can you tell me, if the TCP length is advertised as 73 characters,
> will tcpdump -X just print out 73 characters, or will it pad to a
> 74th?

If the IP length is advertised as 73 bytes, "tcpdump -X" - at least in
the  from tcpdump.org, as well as, I think, the earlier LBL
versions - will print out as many characters as libpcap told it captured
in the link-layer frame, minus the link-layer header, regardless of
whether that's greater than, equal to, or less than the value specified
as the total length in the IP header.

I.e., the value of the length in the IP header has no effect whatsoever
on the number of bytes printed by "tcpdump -X".

> This is with tcpdump for Mac OS X 10.1.

I can't speak for whatever version of tcpdump comes with MacOS X;
perhaps the folks at Apple "improved" it so that, instead of dividing
the length by "sizeof(u_short)", printing that many pairs of 8-bit
bytes, and if the length is odd printing the one remaining byte, they
round the length up to a multiple of 2.

However, the 0.4 version of tcpdump doesn't even *have* a "-X" flag, and
the 3.5.2 and 3.6.2 versions of tcpdump from tcpdump.org divide the
length by "sizeof(u_short)" (i.e., by 2), print that many pairs of 8-bit
bytes, and then if the length is odd print only the remaining byte.

You might want to try running tcpdump with the "-e" flag; it should
cause tcpdump to print the length of the packet, as reported to it by
libpcap.  If that's 74 plus the link-layer header size, then either

        1) libpcap is padding the length out (tcpdump.org's libpcap
           doesn't, but if you're using Apple's tcpdump, it's probably
           using Apple's libpcap, and perhaps they "improved" it to do
           so);

        2) the packet really truly had 74 plus the link-layer header
           size worth of bytes in it, i.e. tcpdump didn't pad it, either
           the machine sending the frame did, or the network card or
           driver on your Mac did.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
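
The printing rule and the captured-length check described in the reply above, as an added example (not code from the original message or from tcpdump's source). The function names are hypothetical, the sample frame is constructed, and a 14-byte Ethernet link-layer header with an IPv4 payload is assumed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define ETHER_HDRLEN 14                   /* assumption: Ethernet link layer */

/* Hex-dump len bytes as len / sizeof(u_short) pairs, then the one
 * remaining byte if len is odd. Nothing is padded. Returns chars written. */
size_t dump_pairs(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    size_t pairs = len / sizeof(uint16_t), used = 0, i;
    if (outsz < 5 * pairs + 4) return 0;  /* room for pairs, odd byte, NUL */
    out[0] = '\0';
    for (i = 0; i < pairs; i++)
        used += (size_t)snprintf(out + used, outsz - used, "%s%02x%02x",
                                 i ? " " : "", p[2 * i], p[2 * i + 1]);
    if (len & 1)
        used += (size_t)snprintf(out + used, outsz - used, "%s%02x",
                                 pairs ? " " : "", p[len - 1]);
    return used;
}

/* *extra = bytes captured after the link-layer header minus the IPv4 total
 * length: > 0 means trailer/padding in the frame, < 0 a short capture. */
int bytes_beyond_ip_len(const uint8_t *frame, size_t caplen, long *extra)
{
    if (caplen < ETHER_HDRLEN + 4) return -1;   /* length field not captured */
    const uint8_t *ip = frame + ETHER_HDRLEN;
    *extra = (long)(caplen - ETHER_HDRLEN) - (long)((ip[2] << 8) | ip[3]);
    return 0;
}

/* Constructed sample: IPv4 header claims 73 bytes, 74 follow the link header. */
size_t make_sample_frame(uint8_t *buf)
{
    memset(buf, 0, ETHER_HDRLEN + 74);
    buf[12] = 0x08;                       /* EtherType 0x0800 = IPv4 */
    buf[ETHER_HDRLEN] = 0x45;             /* version 4, IHL 5 */
    buf[ETHER_HDRLEN + 3] = 73;           /* total length = 73 */
    return ETHER_HDRLEN + 74;
}

int main(void)
{
    uint8_t frame[128]; char text[512]; long extra = 0;
    size_t caplen = make_sample_frame(frame);
    dump_pairs(frame + ETHER_HDRLEN, caplen - ETHER_HDRLEN, text, sizeof text);
    if (bytes_beyond_ip_len(frame, caplen, &extra) == 0)
        printf("%s\n%ld byte(s) beyond the IP total length\n", text, extra);
    return 0;
}
```

A positive result here only says the extra byte was in the captured frame; it does not say whether the sender, the network card or the driver put it there.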