Ethereal-users: [Ethereal-users] Understanding tethereal output
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
I've got some questions about what I see in tethereal which may be because I lack a thorough understanding of all the protocols involved here.
If I use the -V option and capture some packets, I don't understand what the packet length value actually represents because the length of the various encapsulated headers and payload doesn't add up to what the packet length states.
Take the below capture as an example, as it was pulled off of an Ethernet network. The Packet Length says the packet is 114 bytes long. The way I rationalize it now, I can look down through the output and count all the values of all the encapsulated layers and the value should total 114 bytes. Well, it doesn't, so I'm missing something quite obvious, which I chalk up to the fact that I don't completely get it.
The obvious values (as listed below) are:
20 byte IP header
32 byte TCP header
48 byte TCP payload
--
100 bytes. I'm missing 14 bytes somewhere.
Layers 3 and 4 in the below capture all report a header length. The only layer that doesn't report any sort of length is layer 2. Is that where the other 14 bytes come from? The two MAC addresses are 8 bytes long, and the type is 2 bytes. That equals 14, but is it that simple?
---
Frame 2 (114 bytes on wire, 114 bytes captured)
Arrival Time: Aug 21, 2003 15:40:05.286540000
Time delta from previous packet: 0.035215000 seconds
Time relative to first packet: 0.035215000 seconds
Frame Number: 2
Packet Length: 114 bytes
Capture Length: 114 bytes
Ethernet II, Src: 00:02:4b:b9:03:a2, Dst: 00:03:93:ea:f3:e2
Destination: 00:03:93:ea:f3:e2 (AppleCom_ea:f3:e2)
Source: 00:02:4b:b9:03:a2 (Cisco_b9:03:a2)
Type: IP (0x0800)
Internet Protocol, Src Addr: 208.185.54.31 (208.185.54.31), Dst Addr: 172.17.7.100 (172.17.7.100)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 100
Identification: 0xc82e (51246)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 116
Protocol: TCP (0x06)
Header checksum: 0x8417 (correct)
Source: 208.185.54.31 (208.185.54.31)
Destination: 172.17.7.100 (172.17.7.100)
Transmission Control Protocol, Src Port: ms-streaming (1755), Dst Port: 49244 (49244), Seq: 1491084909, Ack: 2460353131, Len: 48
Source port: ms-streaming (1755)
Destination port: 49244 (49244)
Sequence number: 1491084909
Next sequence number: 1491084957
Acknowledgement number: 2460353131
Header length: 32 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17216
Checksum: 0x9e8d (correct)
Options: (12 bytes)
NOP
NOP
Time stamp: tsval 8659100, tsecr 2849866957
Data (48 bytes)
0000 01 00 00 09 ce fa 0b b0 20 00 00 00 4d 4d 53 20 ........ ...MMS
0010 04 00 00 00 17 00 00 00 f0 03 00 00 00 00 00 00 ................
0020 02 00 00 00 21 00 04 00 00 00 00 00 ef f0 f0 f0 ....!...........
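
The layer accounting asked about above, as an added example that is not part of the original post: an Ethernet II header is 14 bytes (6-byte destination MAC, 6-byte source MAC, 2-byte type), and the IP Total Length field covers everything after it. The function names `sample_frame` and `layer_lengths` are hypothetical; the frame is rebuilt from the field values shown in the capture, with zero filler standing in for the 48 data bytes.

```python
import struct

ETH_HDR = 14  # Ethernet II header: 6-byte dst MAC + 6-byte src MAC + 2-byte type


def sample_frame() -> bytes:
    """Frame 2 rebuilt from the field values in the capture above.
    The 48 data bytes are zero filler (constructed), not the captured payload."""
    eth = bytes.fromhex("000393eaf3e2" "00024bb903a2" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 100, 0xC82E, 0x4000, 116, 6,
                     0x8417, bytes([208, 185, 54, 31]), bytes([172, 17, 7, 100]))
    tcp = struct.pack("!HHIIBBHHH", 1755, 49244, 1491084909, 2460353131,
                      0x80, 0x18, 17216, 0x9E8D, 0)
    opts = struct.pack("!BBBBII", 1, 1, 8, 10, 8659100, 2849866957)  # NOP NOP TS
    return eth + ip + tcp + opts + bytes(48)


def layer_lengths(frame: bytes) -> dict:
    """Split an Ethernet II / IPv4 / TCP frame into per-layer byte counts."""
    if len(frame) < ETH_HDR + 20:
        raise ValueError("too short for Ethernet II + IPv4")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("EtherType is not IPv4")
    ip_hlen = (frame[ETH_HDR] & 0x0F) * 4            # IHL, in 32-bit words
    ip_total = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]
    if frame[ETH_HDR] >> 4 != 4 or ip_hlen < 20 or frame[ETH_HDR + 9] != 6:
        raise ValueError("not a valid IPv4/TCP packet")
    tcp_at = ETH_HDR + ip_hlen
    if len(frame) < tcp_at + 20:
        raise ValueError("capture ends inside the TCP header")
    tcp_hlen = (frame[tcp_at + 12] >> 4) * 4         # data offset, in 32-bit words
    payload = ip_total - ip_hlen - tcp_hlen
    trailer = len(frame) - ETH_HDR - ip_total        # padding after the IP packet
    if tcp_hlen < 20 or payload < 0 or trailer < 0:
        raise ValueError("header lengths inconsistent with frame size")
    return {"ethernet": ETH_HDR, "ip_header": ip_hlen, "tcp_header": tcp_hlen,
            "tcp_payload": payload, "trailer": trailer}


if __name__ == "__main__":
    parts = layer_lengths(sample_frame())
    for name, size in parts.items():
        print(f"{name:12} {size:3}")
    print(f"{'total':12} {sum(parts.values()):3}")
```

The `trailer` count is non-zero when a frame carries bytes beyond the IP Total Length, such as the padding added to bring short frames up to the Ethernet minimum size.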