Jefferson, Guy, Aaron

That's all the info I need. Thanks for the help!

Justin

On Wednesday 06 Aug 2003 00:03, Jefferson Ogata wrote:
> Justin Robinson wrote:
> > Hi,
> >
> > I'm writing a piece of code with the libpcap() library that works out the
> > next sequence number expected from the payload length. I'm concerned only
> > with the tcp/ip protocol. I expected that during the three-way handshake
> > of tcp, that the first two packets from the initiating TCP entity will
> > NOT have any data in them. The first two packets are the SYN and the ACK
> > to the other TCP entity's SYN.
> >
> > However, my code suggests that on some http connections, these packets
> > hold data, which breaks my code.
> >
> > I calculate the payload length using
> >
> > pkt_header->caplen - tcp_len - ip_len - linklayer_len
> >
> > where tcp_len and ip_len are taken from the appropriate fields in their
> > respective headers, and linklayer_len is always 14 because it is an
> > ethernet header.
> >
> > Can someone please confirm that these packets are not supposed to have a
> > payload?
> >
> > Thanks in advance, Justin
>
> You shouldn't pay attention to caplen in any of your IP computations. Just
> because the system captured N octets doesn't mean all of them belong to the
> IP packet. The IP payload length is ip_total_length (ip[2:2]) -
> ip_header_length ((ip[0:1] & 0xf) << 2) - tcp_header_length ((tcp[12:1] &
> 0xf0) >> 2).
>
> It is not normal for SYN and SYN/ACK packets to contain a payload. The SYN
> and FIN flags, however, both consume one unit of sequence space, so the
> sequence offset in SYN and FIN packets does not match the payload length.
>
> There is also TTCP, which, if I recall correctly, combines payload with SYN
> flags, but this is not used in HTTP transactions, and you could probably go
> through the rest of your life without needing to know any more about it.
>
> I suggest you spend a little time poking around in packet headers with
> ethereal.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
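The computation described in the quoted reply, as an added C example that is not from the thread or from libpcap: it takes the TCP payload length from the IP total-length field instead of caplen, and adds one unit of sequence space each for SYN and FIN. The function name `tcp_next_seq` and the sample frame (a constructed 60-octet SYN carrying two octets of Ethernet padding) are assumptions, as are Ethernet II framing and unfragmented IPv4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ETH_LEN 14   /* Ethernet II header, as in the thread */
#define TH_FIN  0x01
#define TH_SYN  0x02

/* Constructed sample: SYN, seq 1000, IP total length 44 (20 IP + 24 TCP with
 * an MSS option). 58 octets are listed; the array size of 60 leaves two zero
 * octets of Ethernet padding that belong to the frame, not to the IP packet. */
static const uint8_t sample_syn[60] = {
    0x00,0x00,0x5e,0x00,0x53,0x01, 0x00,0x00,0x5e,0x00,0x53,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0x00,0x00,0x50, 0x00,0x00,0x03,0xe8, 0x00,0x00,0x00,0x00,
    0x60,0x02,0xff,0xff, 0x00,0x00,0x00,0x00, 0x02,0x04,0x05,0xb4 };

/* Returns 0 and fills the outputs, or -1 if the frame is not an unfragmented
 * IPv4/TCP packet or its headers were not fully captured. */
int tcp_next_seq(const uint8_t *frame, size_t caplen,
                 uint32_t *payload_len, uint32_t *next_seq)
{
    if (caplen < ETH_LEN + 20) return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00) return -1;  /* not IPv4 */
    const uint8_t *ip = frame + ETH_LEN;
    if ((ip[0] >> 4) != 4 || ip[9] != 6) return -1;         /* not TCP */
    if ((ip[6] & 0x3f) || ip[7]) return -1;                 /* fragment */
    size_t ip_hl  = (size_t)(ip[0] & 0x0f) << 2;            /* (ip[0:1] & 0xf) << 2 */
    size_t ip_len = ((size_t)ip[2] << 8) | ip[3];           /* ip[2:2] */
    if (ip_hl < 20 || ip_len < ip_hl + 20) return -1;
    if (caplen < ETH_LEN + ip_hl + 20) return -1;           /* TCP header cut off */
    const uint8_t *tcp = ip + ip_hl;
    size_t tcp_hl = (size_t)(tcp[12] & 0xf0) >> 2;          /* (tcp[12:1] & 0xf0) >> 2 */
    if (tcp_hl < 20 || ip_hl + tcp_hl > ip_len) return -1;
    uint32_t seq = ((uint32_t)tcp[4] << 24) | ((uint32_t)tcp[5] << 16) |
                   ((uint32_t)tcp[6] << 8) | tcp[7];
    *payload_len = (uint32_t)(ip_len - ip_hl - tcp_hl);
    /* SYN and FIN each consume one unit of sequence space; uint32_t wraps. */
    *next_seq = seq + *payload_len + !!(tcp[13] & TH_SYN) + !!(tcp[13] & TH_FIN);
    return 0;
}

int main(void)
{
    uint32_t len, next;
    if (tcp_next_seq(sample_syn, sizeof sample_syn, &len, &next) != 0) return 1;
    printf("payload=%u next_seq=%u\n", (unsigned)len, (unsigned)next);
    return 0;
}
```

On the sample frame, the caplen-based formula from the question gives 60 - 24 - 20 - 14 = 2 octets of apparent payload, while the length-field computation gives 0 and a next sequence number of 1001.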
