Hi. It's padding: the minimum Ethernet frame size is 60 bytes (including the Ethernet header), so the last 6 bytes (which in fact are all 0xFF) are used to make the packet 60 bytes long.

Regarding duplicate packets, it depends on a variety of factors:

- there can be duplicate packets (even if the server only sent one packet), due to the network
- you have some sort of network software on your machine that "duplicates" packets; some examples are software firewalls (for example the one shipped with XP), or VPN software.

GV

----- Original Message -----
From: "Lei Liang" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 23, 2002 12:09 PM
Subject: [WinPcap-users] bugs of winpcap??

> Hi, folks,
>
> I met a problem when I use winpcap.
> I am using winpcap to develop some applications to monitor
> networks. I used void dispatcher_handler as a loopback function. When I
> was doing the measurement on FTP traffic, I found there is something strange.
> Here it is:
>
> 1st packet from ftp server to my pc:
> arrival time: 1022072978:658489
> length reported by pcap_pkthdr *header: 60 bytes
> protocol is TCP;
> pkt data given by pkt_data is:
> 0 c0 4f 17 c0 7b 0 1 30 12 34 0 8 0 45 0 0 (28) 99 77 40 0 e8 6 ed 20 80 9
> b0 14 83 e3 58 36 0 15 12 19 2e 62 d2 80 7 3f 56 ed 50 10 22 38 10 28 0 0
> 55 55 55 55 55 55
>
> We can see the pkt length indicated by the IP header is 28h (in the
> bracket). That's 40 bytes. If we add the 14 bytes long MAC header, we have
> totally 54 bytes of the pkt length. That's different from what the *header
> gives to us, which is 60 bytes. What's the problem? Is it winpcap's
> fault?
>
> Moreover, the next pkt received from the same ftp server has the same
> sequence number and Ack number. If the 1st downloaded pkt is not correct
> due to the transmission in the network, at least my pc should send an error
> report to the server and then the server can retransmit. But there is no
> uploaded pkt sent from my pc between these two downloaded pkts. That
> means my pc receives two downloaded pkts at once without any response.
> It's not right, is it? Or does the ftp login process do it on purpose? I
> haven't found any documents to clarify this problem.
> So I doubt if winpcap gets something wrong?
>
> PS: if I am not wrong, the void dispatcher_handler function is triggered
> when a new qualified pkt arrives at my network adapter, isn't it?
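
The length arithmetic discussed in this thread, as an added example that is not part of the original messages or of WinPcap: it parses the frame bytes from the quoted dump and reports how many trailer bytes follow the IPv4 datagram. The function name `eth_trailer_len` is hypothetical; in a capture callback the arguments would be `pkt_data` and `header->caplen`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN      14      /* dst MAC + src MAC + EtherType */
#define ETHERTYPE_IP  0x0800

/* Frame bytes copied from the hex dump in the quoted message (60 bytes). */
static const uint8_t frame[60] = {
    0x00,0xc0,0x4f,0x17,0xc0,0x7b, 0x00,0x01,0x30,0x12,0x34,0x00, 0x08,0x00,
    0x45,0x00,0x00,0x28,0x99,0x77,0x40,0x00,0xe8,0x06,0xed,0x20,
    0x80,0x09,0xb0,0x14,0x83,0xe3,0x58,0x36,
    0x00,0x15,0x12,0x19,0x2e,0x62,0xd2,0x80,0x07,0x3f,0x56,0xed,
    0x50,0x10,0x22,0x38,0x10,0x28,0x00,0x00,
    0x55,0x55,0x55,0x55,0x55,0x55
};

/* Returns the number of trailer (padding) bytes after the IPv4 datagram,
 * or -1 if the buffer is not a well-formed, untagged IPv4 Ethernet frame. */
int eth_trailer_len(const uint8_t *pkt, size_t caplen)
{
    if (caplen < ETH_HLEN + 20)
        return -1;                     /* too short for Ethernet + IPv4 header */
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IP)
        return -1;                     /* not IPv4 (or VLAN-tagged) */
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return -1;                     /* version field is not 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;     /* IP header length in bytes */
    size_t tot = ((size_t)ip[2] << 8) | ip[3];   /* IP total length field */
    if (ihl < 20 || tot < ihl || ETH_HLEN + tot > caplen)
        return -1;                     /* inconsistent lengths or truncated capture */
    return (int)(caplen - ETH_HLEN - tot);
}

int main(void)
{
    int pad = eth_trailer_len(frame, sizeof frame);
    printf("captured=%zu ip_total=%u padding=%d\n", sizeof frame,
           (unsigned)((frame[16] << 8) | frame[17]), pad);
    return 0;
}
```

Code that walks TCP payloads from a capture should bound itself by the IP total length rather than by the captured length, so trailer bytes are never treated as application data.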
