--- Begin Message ---
This is not a security issue; questions about tcpdump should be sent to
tcpdump-workers@lists.tcpdump.org, which is where I'm sending this question.
On Sep 14, 2020, at 8:22 PM, Accepted <532876...@qq.com> wrote:
> hi, in this picture, I try to use tcpdump to get package when a new
> connection become.
> but in three handshakes,the last ack why added more 6 bytes?
If that's Ethernet traffic, it's Ethernet padding.
An ACK-only TCP-over-IPv4 packet with no IP or TCP options has 20 bytes of IP
header (the "45" at the beginning of the IP header says "IPv4, with a 20-byte
header), 20 bytes of TCP header, and no TCP payload, for a total of 40 bytes.
The Ethernet header is an additional 14 bytes, for a total of 54 bytes.
An Ethernet packet has a minimum size of 64 bytes, including the 4-byte CRC at
the end of the packet; the CRC is normally not captured, so it doesn't show up
in tcpdump. The ACK-only packet must therefore have 6 bytes of padding before
the 4-byte CRC, to be 64 bytes long.
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
