I am reading "Unix Network Programming" and ran tcpdump on the packet generated by the example. The example just sends out a packet containing the string "liha".

I read the TCP/IP RFC and found that a normal IP header is 20B and a normal TCP header, excluding data, is 24B.

So, there are 8B before the string "liha" in the captured packet. Are "0121 3d2a 0120 b43e" useless?

11:00:51.690949 IP localhost.40163 > localhost.9877: Flags [P.], seq 94:99, ack 95, win 513, options [nop,nop,TS val 18955562 ecr 18920510], length 5
         0x0000:  4500 0039 ddc6 4000 4006 5ef6 7f00 0001  E..9..@.@.^.....
         0x0010:  7f00 0001 9ce3 2695 8465 e35c 8466 58ca  ......&..e.\.fX.
         0x0020:  8018 0201 fe2d 0000 0101 080a 0121 3d2a  .....-.......!=*
         0x0030:  0120 b43e 6c69 6861 0a                   ...>liha.
+2  A: 

Those are the TCP options. And your analyzer already parsed them for you:

options [nop,nop,TS val 18955562 ecr 18920510],

They are generally important and are used by the communicating sides to negotiate which extra enhancements can be used for the TCP connection.

Dummy00001
Dummy00001, thank you, but in RFC793 http://www.faqs.org/rfcs/rfc793.html, figure 3, options are in 21B~23B, not 25B~28B in this case? Any suggestion?
David
Options have a dynamic size (I do not know precisely how it is defined). That's why the TCP header has the data offset field: the first 20 bytes are fixed, and the rest up to the data offset are the options.
Dummy00001
Example of options' parsing: http://lxr.linux.no/#linux+v2.6.33/net/ipv4/tcp_input.c#L3729
Dummy00001
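
Added example (not part of the original answer or comments): a small Python dissector run over the packet bytes from the question's hex dump, showing how the IP header length and the TCP data offset delimit the option bytes, with bounds checks on each option length. The function names `parse_tcp_options` and `dissect` are illustrative.

```python
import struct

# Packet bytes copied from the tcpdump hex dump in the question (57 bytes).
PACKET = bytes.fromhex(
    "4500 0039 ddc6 4000 4006 5ef6 7f00 0001"
    "7f00 0001 9ce3 2695 8465 e35c 8466 58ca"
    "8018 0201 fe2d 0000 0101 080a 0121 3d2a"
    "0120 b43e 6c69 6861 0a"
)

def parse_tcp_options(raw):
    """Walk the kind/length/value list; return (name, value) tuples."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No-Operation: one byte, no length
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option truncated before its length byte")
        length = raw[i + 1]              # covers kind + length + value
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = raw[i + 2:i + length]
        if kind == 8 and length == 10:   # Timestamps: TSval, TSecr
            opts.append(("TS", struct.unpack("!II", body)))
        else:
            opts.append((f"kind{kind}", body))
        i += length
    return opts

def dissect(pkt):
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4        # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("invalid TCP data offset")
    return {
        "ip_header_len": ihl,
        "tcp_header_len": data_off,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload": tcp[data_off:],
    }
```

Calling `dissect(PACKET)` gives a 32-byte TCP header whose 12 option bytes decode to nop, nop and a timestamp option with TSval 18955562 and TSecr 18920510, the same values tcpdump printed; the payload is `b"liha\n"`.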