Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Calculate size and start of TCP packet data (excluding header)

Tags:

How would I go about calculating the size and starting byte of the data in a TCP packet (excluding the header information)?

like image 610
paradox Avatar asked Jul 10 '11 07:07

paradox


People also ask

How do you determine the size of a TCP packet?

If you subtract the number of 32-bit words that make up the header (given by the Header Length field in the IP header) you will know the size of the TCP packet. Usually, the header is 20 bytes for the IP packet, unless Options are present.

How is TCP header size calculated?

The TCP header (even one including options) is an integral number of 32 bits long. So 1000 means that the header consists of 8 x 32-bit words, which means 8 x 4 bytes = 32 bytes.

Does packet size include header?

The MTU of an IP packet is the entire packet, including all IP and higher level headers (such as TCP headers) and payload. Lower level headers (such as Ethernet frames) are not included since they're not IP's concern.

Does TCP length include header?

Thus, a TCP header can be no larger than 60 bytes (15 × 32 bits = 480 bits = 60 bytes). Note that TCP does not define “total length” like UDP does, but rather only defines “header length,” like IP.


2 Answers

I am going to assume that you are dealing with a TCP/IP packet. You will need to calculate this size yourself.

The IP header has a 'Total Length' field that gives you the length of the entire IP packet in bytes. If you subtract the number of 32-bit words that make up the header (given by the Header Length field in the IP header) you will know the size of the TCP packet. Usually, the header is 20 bytes for the IP packet, unless Options are present.

In the TCP header, the Data Offset field specifies the size of the TCP header in 32-bit words. Again, you can subtract the number (multiplied with 4 to give you the number of bytes in the header) from the size of the TCP packet you calculated earlier to get you the size of the data in the TCP packet.

Given the Header Length in the IP header and the Data Offset in the TCP header, you can add those two and multiply by 4 to give you the byte offset till the data in the TCP packet starts.

like image 101
vinod Avatar answered Sep 22 '22 17:09

vinod


I just captured a TCP packet on my router, then I calculated the TCP data length.

IHL = 5 Total Length = 0x00a8 Data Offset = 8 --------------------- 0x00a8 - (5 + 8) * 4 = 116 bytes 

# tcpdump -n -i br-lan -c 1 -e -XX tcp port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on br-lan, link-type EN10MB (Ethernet), capture size 65535 bytes 15:33:53.917593 ae:ca:87:aa:aa:aa > b8:e8:56:bb:bb:bb, ethertype IPv4 (0x0800), length 182: 192.168.31.1.22 > 192.168.31.102.54076: Flags [P.], seq 582717816:582717932, ack 442380252, win 4706, options [nop,nop,TS val 100656432 ecr 1139948861], length 116     0x0000:  b8e8 56bb bbbb aeca 87aa aaaa 0800 4510  ..V........x..E.                                                  ^     0x0010:  00a8 8d0c 4000 4006 ed7b c0a8 1f01 c0a8  ....@.@..{......              ^^^^     0x0020:  1f66 0016 d33c 22bb 9178 1a5e 2fdc 8018  .f...<"..x.^/...                                                 ^     0x0030:  1262 c052 0000 0101 080a 05ff e530 43f2  .b.R.........0C.     0x0040:  3d3d f6e4 f672 736f 6c6c 191f 64ec 80a6  ==...rsoll..d...     0x0050:  ba74 e8f7 b2ce 99ec 2725 2d49 f4f6 7760  .t......'%-I..w`     0x0060:  c83f 5130 83bb ca22 c32c 6251 7381 08e2  .?Q0...".,bQs...     0x0070:  c036 1c12 f22f fe8b c36a eeff c95c 36fa  .6.../...j...\6.     0x0080:  7baa 810b 4c75 8ccf 19e4 62df 2c2c c5fd  {...Lu....b.,,..     0x0090:  a0c8 aa53 1130 d413 7097 f1cd 34dc 92b7  ...S.0..p...4...     0x00a0:  ea9b 3bd6 02f8 ea93 c8f3 7d32 4a58 39aa  ..;.......}2JX9.     0x00b0:  12d3 e2bd 18d4                           ...... 

Entire ethernet frame

IP header (IHL / Total Length)

0                   1                   2                   3    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version|**IHL**|Type of Service|**********Total Length*********| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |         Identification        |Flags|      Fragment Offset    | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |  Time to Live |    Protocol   |         Header Checksum       | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                       Source Address                          | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                    Destination Address                        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                    Options                    |    Padding    | <-- optional +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                            DATA ...                           | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

TCP header (Data Offset)

0                   1                   2                   3    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |          Source Port          |       Destination Port        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                        Sequence Number                        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                    Acknowledgment Number                      | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |  Data |       |C|E|U|A|P|R|S|F|                               | | Offset|  Res. |W|C|R|C|S|S|Y|I|            Window             |  | ******|       |R|E|G|K|H|T|N|N|                               | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |           Checksum            |         Urgent Pointer        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                    Options                    |    Padding    | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |                             data                              | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
like image 26
kev Avatar answered Sep 23 '22 17:09

kev