Some of the extra information is undoubtedly put there by tcpdump to
describe the frame, e.g., timestamp of receipt being an obvious one. You'd
probably need to look at the source code for tcpdump to get more specific.

I can tell you that a 1500-byte IP frame on ethernet is going to be 1518
bytes long:
        6 byte destination MAC address
        6 byte source MAC address
        2 byte ethertype field (IP=0800 hex)
        1500 byte IP packet
        4 byte CRC-32 (this may not be visible to tcpdump, but trust me,
                it's there on the wire)
There are other formats for encapsulating IP datagrams into ethernet
frames, but the one I described above is by far the most common.

HTH,
Jim Cunning

On Fri, 3 Dec 1999, Pieckiel, Kevin A wrote:

> I used tcpdump to capture a single IP packet:
> 
> tcpdump -c 1 -w data ip
> 
> or something like that (don't remember the exact syntax right now).  I got a
> file called data that was 1554 bytes long.  Using od -x, I found the IP
> frame and am able to successfully decode it.  This accounts for exactly 1500
> bytes of the captured data.
> 
> There is an additional 54 bytes of data that is prepended to the IP packet.
> What is this data?  What protocol(s) encapsulate an IP packet?  How do I
> interpret this data?  I've been searching on www.protocols.com for relevant
> datalink layer protocols, TCP/IP protocols, and a few others, but I can't
> find anything that matches up.  I have been able to identify the MAC
> addresses of the Ethernet cards in this 54 bytes of data, but that only
> accounts for 12 bytes.
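
Added example, not part of either message above: a Python sketch that accounts for every byte of a one-packet capture, assuming the file is in the classic libpcap savefile format (24-byte file header, 16-byte per-packet header) with Ethernet link type. The sample capture, its MAC addresses and its timestamp are constructed for illustration.

```python
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
ETH_HEADER = struct.Struct("!6s6sH")     # destination MAC, source MAC, ethertype


def build_sample_capture(ip_len=1500):
    """Constructed sample: one Ethernet frame carrying a zero-filled IP packet."""
    ip_packet = bytes([0x45]) + bytes(ip_len - 1)  # version 4, IHL 5, rest zero
    eth = ETH_HEADER.pack(bytes.fromhex("020000000001"),   # constructed MACs
                          bytes.fromhex("020000000002"), 0x0800)
    frame = eth + ip_packet                        # no CRC: the capture does not include it
    glob = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec = PCAP_RECORD.pack(944179200, 0, len(frame), len(frame))  # constructed timestamp
    return glob + rec + frame


def account_for_bytes(data):
    """Return [(label, size), ...] covering a one-packet classic pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                               # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"                               # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    off = PCAP_GLOBAL.size
    _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
    off += PCAP_RECORD.size
    if incl_len < ETH_HEADER.size or len(data) < off + incl_len:
        raise ValueError("truncated capture")
    _, _, ethertype = ETH_HEADER.unpack_from(data, off)
    return [("pcap file header", PCAP_GLOBAL.size),
            ("pcap per-packet header", PCAP_RECORD.size),
            ("Ethernet header", ETH_HEADER.size),
            ("payload, ethertype 0x%04x" % ethertype, incl_len - ETH_HEADER.size)]


if __name__ == "__main__":
    capture = build_sample_capture()
    for label, size in account_for_bytes(capture):
        print(f"{size:5d}  {label}")
    print(f"{len(capture):5d}  total")
```
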

