Thanks very much for the info. Wondering if tcpdump can be modified
to drop this extra garbage?
Again,
Tks
C.J. French
Leading Seaman
DND CIRT Analyst - Intrusion Detection Systems
Canadian Dept. National Defence Computer Incident Response Team
Tel: (613) 945-0142 Fax: (613) 945-6407
North American toll free: 1-877-DND-CIRT
DND CIRT PGP Key Fingerprint: 30F6 2333 F9FA C64F E7ED DB27 495E D4E1
F56C B67C
Personal PGP Key Fingerprint: D249 B844 A0AB 8BFA FA4B 4B65 4AF7 0ABA
DC43 A0C1
-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 14, 2001 10:58 PM
To: Rick Jones
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [tcpdump-workers] Extra bytes appended to datagrams -
request for help???
> my _guess_ is that these messages you are looking at are normally
> smaller than the network's minimum message size, and instead of doing
> something "secure" to pad them out to the "right" minimum length, the
> NICs involved are just using random data from a prior packet.
>
> you will notice that your IP len's are 40 whereas the ethernet packet
> length is 60 - 60 is the minimum ethernet packet size (iirc).
Yup (60 bytes of payload plus 4 bytes of CRC, as I remember).
40 bytes of IP plus 14 bytes of Ethernet header gives 54 bytes, which
requires 6 bytes to pad it out to 60 bytes of Ethernet payload - and a
lot of the packets appear to have about 6 bytes (e.g., "RCPT TO",
presumably left over from some SMTP transaction, in an HTTP packet).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
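
The length arithmetic discussed in this thread (14-byte Ethernet header + 40-byte IP datagram = 54, padded to 60), as an added example that is not part of the original messages or tcpdump's own code: it uses the IPv4 total-length field to find where the datagram ends in a captured frame and checks whether the pad bytes carry non-zero data. It assumes untagged Ethernet II frames carrying IPv4; the function names and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14      /* dst MAC + src MAC + EtherType */
#define ETHERTYPE_IPV4 0x0800

/* Returns the number of bytes that follow the IPv4 datagram inside a captured
 * Ethernet frame (the frame padding), or -1 if the frame is not untagged IPv4
 * or is truncated. *pad_off receives the offset of the first trailing byte. */
long eth_trailer_len(const uint8_t *f, size_t caplen, size_t *pad_off)
{
    if (caplen < ETH_HDR_LEN + 20) return -1;           /* minimal IP header */
    if (((f[12] << 8) | f[13]) != ETHERTYPE_IPV4) return -1;
    if ((f[ETH_HDR_LEN] >> 4) != 4) return -1;          /* IP version field */
    size_t ip_len = ((size_t)f[ETH_HDR_LEN + 2] << 8) | f[ETH_HDR_LEN + 3];
    if (ip_len < 20 || ETH_HDR_LEN + ip_len > caplen) return -1;
    *pad_off = ETH_HDR_LEN + ip_len;                    /* datagram ends here */
    return (long)(caplen - *pad_off);
}

/* Returns 1 if any trailing byte is non-zero, i.e. the pad holds stale data. */
int trailer_leaks(const uint8_t *f, size_t caplen)
{
    size_t off = 0;
    long n = eth_trailer_len(f, caplen, &off);
    for (long i = 0; i < n; i++)
        if (f[off + i] != 0) return 1;
    return 0;
}

/* Constructed sample: 60-byte frame, IP total length 40, 6 pad bytes. */
size_t build_sample(uint8_t *f, const char *pad6)
{
    memset(f, 0, 60);
    f[12] = 0x08; f[13] = 0x00;     /* EtherType IPv4 */
    f[14] = 0x45; f[17] = 40;       /* version 4, IHL 5; total length 40 */
    memcpy(f + 54, pad6, 6);        /* 14 + 40 = 54: padding starts here */
    return 60;
}

int main(void)
{
    uint8_t f[60]; size_t off = 0;
    size_t n = build_sample(f, "RCPT T");   /* constructed pad contents */
    long t = eth_trailer_len(f, n, &off);
    printf("trailer=%ld offset=%zu leaks=%d\n", t, off, trailer_leaks(f, n));
    return 0;
}
```

A display or filtering tool can stop at `pad_off` to ignore the trailer, while a sensor can alert when `trailer_leaks` returns 1, since that indicates a NIC or driver padding short frames with leftover buffer contents.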