lily

Reputation: 565

Why does libpcap/tcpdump add/pad '0x00' bytes at the end of IP/TCP packets?

I use both tcpdump and libpcap (a program which uses libpcap) to capture TCP packets, and I notice that some packets are padded with additional 0x00 bytes at the end. For example, while the IP length indicated in the IP header says that the length is 40 bytes, tcpdump captures 46 bytes, and I notice there are 6 0x00 bytes at the end of the TCP packets.

Upvotes: 2

Views: 1429

Answers (1)

user862787

They don't add those bytes.

The machine sending the packets does, because that's required on Ethernet.

A 40-byte IP packet, when sent on Ethernet, would be 54 bytes long, because there's a 14-byte Ethernet header before the IP header and payload.

However, the minimum packet length on Ethernet is 60 bytes (not including the 4-byte FCS at the end). That means that the packet has to be padded to 60 bytes, which means adding 6 bytes of padding at the end.

(That's one reason why the IP header has a length field - so that the receiver of the packet knows how much is IP and how much is padding.)

Upvotes: 3
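The arithmetic in the answer above, as an added example that is not part of the original answer: it uses the IPv4 total-length field to separate the IP packet from trailing Ethernet padding in a captured frame. The function names and the sample frame are constructed for illustration, and the code assumes an untagged Ethernet II frame carrying IPv4, captured without the FCS.

```python
import struct

ETH_HEADER_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_FRAME = 60       # minimum frame length, not counting the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def split_padding(frame: bytes):
    """Return (ip_packet, padding) for an untagged Ethernet II / IPv4 frame."""
    if len(frame) < ETH_HEADER_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an untagged IPv4 frame")
    ip = frame[ETH_HEADER_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", ip, 2)
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if total_len > len(ip):
        raise ValueError("IP total length exceeds captured bytes")
    # Everything past total_len is link-layer padding, not IP data.
    return ip[:total_len], ip[total_len:]


def build_sample_frame() -> bytes:
    """Constructed sample: 40-byte IP packet (20 IP + 20 TCP) padded to 60 bytes.

    Checksums are left at zero; they are not checked by split_padding().
    """
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    frame = eth + ip_hdr + tcp_hdr                      # 14 + 20 + 20 = 54 bytes
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))


if __name__ == "__main__":
    frame = build_sample_frame()
    packet, padding = split_padding(frame)
    print(f"captured={len(frame)} ip_total_length={len(packet)} padding={padding.hex()}")
```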
