Hello,
in the header AH in wireshark, I see this fields:
Next Header
Length <- what does the field 'Length' mean exactly ? (what ? in words ? in bytes ? in bits ? )
AH SPI
AH Sequence
AH ICV
Thank you.
It's the value read from the AH, so the length in 4 octet units.
No, sorry, I don't think so.
I think this is the length of the Header in bytes.
Here is an example to see: https://networklessons.com/cisco/ccie...
The AH Headere: https://datatracker.ietf.org/doc/html...
In my example, we can see: Next header + Payload length (24) + reserved -> 32 bits SPI -> 32 bits Sequence -> 32 bits ICV (aa 9c af e5 ed 06 d6 c7 4c b3 c6 71) -> 12*8=96 bits
Then 24*8** = 32+32+32+96 =192.
I think then that this field in wireshark is the length of the AH header in byte.
Did I make something wrong ?
PS: the name of the field "payload length" corresponds to the length of the AH header. (althoug it is not obviously with this nameā¦)
Wireshark displays the value (in 4 octet units) which is the value read from the packet and then converts the value to bytes by adding 2 and multiplying by 4 and appending that as a text string in parentheses. So if the field value is 4, the display is:
Length: 4 (24 bytes)
This is because, as per the RFC, Sect 2.2, Payload Length, the field contains the header length in 4 octet units - 2.
Note the above means that if using the ah.length field in a display filter, or viewing tshark output, you will be using the "raw" field value, but not the value converted to bytes.
Comments