
Understanding packet length

I'm using Wireshark to learn about my network and better understand MTU and packet sizes, and I'm looking for some clarity on this example. Here I ran ping 192.168.10.53 -s 9000 -M do from a CentOS machine, and I am capturing on the receiving machine, which is Windows. So I expect the ICMP packet should contain 9000 bytes of data plus an 8 byte header.

Wireshark shows the frame is 9042 bytes on wire (14 Ethernet header + 20 IPv4 header + 9008 ICMP).
The ICMP packet shows 8992 bytes of data plus an 8 byte header.
What happened to the extra 8 bytes of data?

Here's the pcap: https://mega.nz/#!w0ohBYbA!lXEHtnrGqf...

llamafilm, asked 2020-02-13 23:08:45 +0000, updated 2020-02-13 23:54:10 +0000


1 Answer

The bellhop took them? (https://en.wikipedia.org/wiki/Missing...)

https://tools.ietf.org/html/rfc792

Echo or Echo Reply Message

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |        Sequence Number        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Data ...
   +-+-+-+-+-

The ICMP part of the packet is 8 bytes of header plus 9000 bytes of data = 9008 bytes ICMP.
Those 9000 bytes of data are an 8 byte timestamp plus 8992 bytes of padding.
https://linux.die.net/man/8/ping

ECHO_REQUEST datagrams (''pings'') have an IP and ICMP header, followed by a struct timeval and then an arbitrary number of ''pad'' bytes used to fill out the packet.
Chuckc, answered 2020-02-14 04:44:05 +0000

Comments

Detailed info of how Wireshark determines if first 8 bytes of data are a timestamp:
https://bugs.wireshark.org/bugzilla/s...

Chuckc (2020-02-14 04:53:34 +0000)

You should see an icmp.data_time field of 8 bytes prior to the data of 8992 bytes. That is the extra 8 bytes of data you were looking for.

The typical *nix ping utility will use the first 8 bytes of the ICMP payload to carry a timestamp field that is used by the ping utility for calculating metrics typically seen in the ping summary report as "round-trip min/avg/max/stddev = 2.442/40.075/366.079/108.680 ms". This specific behavior for ICMP echo request/reply is not specified in RFC 792.

If you were to ping with a packet size of less than 16 (e.g. -s 15), you will not see the icmp.data_time field; instead the data field length will be the requested packet size. FWIW: The ping utility supplied with Windows does not put a timestamp in the ping requests it generates regardless of ... (more)

Jim Young (2020-02-14 05:52:29 +0000)
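To make the byte arithmetic in the answer and comments concrete, here is an added example (not code from the thread, iputils or Wireshark) that builds an echo request the way the man page describes Linux ping and then splits it the way Wireshark presents it. The little-endian 32-bit seconds/microseconds layout of the timeval, the 16-byte minimum before a timestamp is recognised, the one-day plausibility window and the pad pattern are assumptions modelled on the heuristic the comments reference.

```python
import struct
import time

ETH_HDR, IPV4_HDR, ICMP_HDR = 14, 20, 8
TIMEVAL_LEN = 8  # 32-bit seconds + 32-bit microseconds, as Wireshark's icmp.data_time reads it


def build_echo_request(payload_size, now=None, ident=0x1234, seq=1):
    """Build an ICMP echo request as the ping(8) man page describes it:
    8-byte header, a struct timeval, then pad bytes up to payload_size.
    Checksum is left at zero; it is irrelevant to the length question."""
    now = time.time() if now is None else now
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # type 8 = echo request
    if payload_size >= 2 * TIMEVAL_LEN:
        # Assumption: host (little-endian) order, 4-byte seconds and microseconds.
        stamp = struct.pack("<II", int(now), int((now % 1) * 1_000_000))
        padding = bytes(i & 0xFF for i in range(payload_size - TIMEVAL_LEN))  # constructed pad
    else:
        # Too small for a timestamp: the whole payload is plain data.
        stamp, padding = b"", bytes(i & 0xFF for i in range(payload_size))
    return header + stamp + padding


def dissect_icmp(icmp, capture_time):
    """Split an ICMP echo message into header, optional timestamp and data.
    A timestamp is only reported when at least 16 bytes of payload follow the
    header and the seconds value (tried big- and little-endian) lies within a
    day of the capture time; otherwise all payload bytes count as data."""
    data = icmp[ICMP_HDR:]
    result = {"icmp_len": len(icmp), "data_time": None, "data_len": len(data)}
    if len(data) >= 2 * TIMEVAL_LEN:
        for fmt in ("!II", "<II"):
            secs, usecs = struct.unpack(fmt, data[:TIMEVAL_LEN])
            if usecs < 1_000_000 and abs(secs - capture_time) < 86400:
                result["data_time"] = secs + usecs / 1_000_000
                result["data_len"] = len(data) - TIMEVAL_LEN
                break
    return result


def frame_len_on_wire(icmp):
    """Ethernet + IPv4 (no options) + ICMP, as Wireshark reports 'bytes on wire'."""
    return ETH_HDR + IPV4_HDR + len(icmp)


if __name__ == "__main__":
    pkt = build_echo_request(9000, now=1581635325.5)
    print(frame_len_on_wire(pkt), dissect_icmp(pkt, 1581635325))
```

With -s 9000 the dissection reports 9008 ICMP bytes, a timestamp and 8992 data bytes, matching the capture; with -s 15 no timestamp is recognised and all 15 bytes are data.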
