pratikpncl
Reputation: 528
understanding tcpdump udp output
I'm getting the following output when I do a tcpdump
2017-07-26 00:00:00.062388 IP (tos 0x0, ttl 64, id 55135, offset 0, flags [none], proto UDP (17), length 78)
192.168.1.69.26818 > 192.168.1.5.53: 8603+ AAAA? pkcba.ad.roy.com. (50)
2017-07-26 00:00:00.062859 IP (tos 0x0, ttl 128, id 7617, offset 0, flags [none], proto UDP (17), length 128)
192.168.1.5.53 > 192.168.1.69.26818: 8603* 0/1/0 (100)
What do the numbers in the brackets (50) & (100) mean?
Upvotes: 0
Views: 994
Answers (1)
Alnitak
Reputation: 339985
In this particular case they're the length of the DNS payload within the UDP packet (note that they're 28 bytes less than the total packet length reported in the lines above - 20 bytes for a standard IP header without options and 8 bytes for UDP)
Upvotes: 2
Related Questions
- inspect inner geneve packet using tcpdump
- tcpdump / wireshark capturing problems
- Trying to understand packets captured with tcpdump
- tcpdump of udp packets containing data
- tcpdump slowed down by... its own filter?
- Difference between two similar tcpdump filters
- understanding tcpdump trace with ethernet headers
- Using tcpdump to capture a specific port when UDP message can be fragmented
- Need some help interpreting tcpdump output
- Missing UDP fragments when monitoring traffic with tcpdump