
Why do captured ICMP packets show fewer bytes of data than ping sends?

I'm trying to ping a site on Linux and by default it sends 56 bytes of data, so 64 including header data, but when I check the data for the captured packets in Wireshark, it always shows 8 less, so 48 in this case. When I ping for 32 bytes of data on Windows, the captured packets contain 32 bytes of data. Could someone tell me what's going on?

SinjiGaleP
asked 2018-10-07 11:29:08 +0000

1 Answer


Have a look at RFC 792 page 14, where the Echo or Echo Reply Message is defined. As you can see, there's an 8-byte header defined and a subsequent data field. The data field is known to optionally start with a timestamp, and if so detected this is shown by Wireshark. Be aware that it says: Timestamp from icmp data: <timestamp>, which shows that the timestamp is actually part of the data field. Adding the 8 bytes of the timestamp to the raw data field gets you the 56 bytes you were looking for.

Jaap
answered 2018-10-07 12:58:15 +0000
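
The byte accounting from the answer above, as an added Python example (not part of the original post and not Wireshark's code). It splits an Echo message into the 8-byte RFC 792 header, an optional 8-byte timestamp and the remaining data. Assumptions: the timestamp is encoded as 32-bit seconds plus 32-bit microseconds, the detection rule and its `max_skew` tolerance are simplified, and both sample payloads are constructed.

```python
import struct

ICMP_HEADER = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence (RFC 792)

def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, data: bytes) -> bytes:
    """Build an Echo Request (type 8, code 0) with a valid checksum."""
    csum = inet_checksum(ICMP_HEADER.pack(8, 0, 0, ident, seq) + data)
    return ICMP_HEADER.pack(8, 0, csum, ident, seq) + data

def split_echo(icmp: bytes, capture_time: float, max_skew: float = 86400.0) -> dict:
    """Split an Echo message into header fields, optional timestamp and shown data.
    Assumption: the first 8 data bytes count as a timestamp when they decode, in
    either byte order, to seconds/microseconds within max_skew of capture_time."""
    icmp_type, _code, _csum, _ident, _seq = ICMP_HEADER.unpack_from(icmp)
    data = icmp[ICMP_HEADER.size:]
    timestamp = None
    if len(data) >= 8:
        for order in ("<", ">"):
            secs, usecs = struct.unpack_from(order + "II", data)
            if usecs < 1_000_000 and abs(secs - capture_time) <= max_skew:
                timestamp = secs + usecs / 1e6
                break
    shown = data[8:] if timestamp is not None else data
    return {"type": icmp_type, "checksum_ok": inet_checksum(icmp) == 0,
            "data_field_len": len(data), "timestamp": timestamp,
            "shown_data_len": len(shown)}

# Constructed samples (not captured traffic).
CAPTURE_TIME = 1538911748.0  # 2018-10-07 11:29:08 UTC
# Linux-style payload: 8 timestamp bytes followed by 48 filler bytes = 56 data bytes.
linux_data = struct.pack("<II", 1538911748, 250000) + bytes(range(8, 56))
# Windows-style payload: 32 bytes of letters, no leading timestamp.
windows_data = (b"abcdefghijklmnopqrstuvw" * 2)[:32]

LINUX = split_echo(build_echo(0x1234, 1, linux_data), CAPTURE_TIME)
WINDOWS = split_echo(build_echo(0x0001, 1, windows_data), CAPTURE_TIME)
```

`data_field_len` is the size ping reports as sent, while `shown_data_len` is what remains once a detected timestamp is displayed as its own field.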