I received a couple of private messages regarding my diary entry "TShark & Multiple IP Addresses" and video "Video: TShark & Multiple IP Addresses", pointing out that the ICMP packets do not actually contain an IP packet, but just a part of it.

RFC 792 states that the destination unreachable message only contains the IP header and 8 bytes of the TCP header (that would be the source and destination port, and the sequence number):

That is not the case in my example: the full TCP packet is included, 32 bytes long.

RFC 792 is more than 40 years old, and has been updated several times since. For example, in RFC 4884, you can find this:

In a nutshell: include as many bytes from the original datagram as possible, without risking fragmentation. And for a TCP SYN packet, like in my example, that is no problem at all.
Didier Stevens (DidierStevens, ISC Handler), Mar 12th 2022
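An added example, not part of Didier Stevens's post or of the ISC diary, showing the point under discussion in code: it builds two constructed ICMPv4 Destination Unreachable messages that quote the same original TCP SYN, one carrying only the RFC 792 minimum (IP header plus 8 bytes of TCP) and one carrying the whole 32-byte SYN with the RFC 4884 Length field set, then dissects them the way a TShark dissector would and reports how much of the original transport header actually arrived. Addresses, ports, the sequence number and the TCP options are made-up sample values; the field layout follows RFC 792 (type 3, 8-byte ICMP header, original datagram from offset 8) and RFC 4884 (fifth octet of the ICMP header is the Length of the original datagram in 32-bit words, 0 from a pre-4884 sender).

```python
"""Measure how much of the original datagram an ICMPv4 Destination Unreachable
carries: RFC 792 guarantees IP header + 8 bytes of transport header; RFC 4884
adds a Length field (32-bit words) describing the embedded original datagram.
All packets here are constructed sample data, not captured traffic."""
import struct
from ipaddress import IPv4Address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over data that
    already contains a correct checksum, which is how we verify below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (constructed)."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)


# Constructed 32-byte TCP SYN 10.0.0.1:40000 -> 10.0.0.2:80: 20-byte fixed
# header (data offset 8 words) plus 12 bytes of options (MSS, NOP, NOP,
# SACK-permitted, NOP, window scale). The TCP checksum is left zero; it is
# not verified by this example.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0, 8 << 4, 0x02,
                      64240, 0, 0) + bytes.fromhex("020405b4 0101 0402 01030307")
ORIGINAL_IP = ipv4_header("10.0.0.1", "10.0.0.2", 6, len(TCP_SYN))


def build_port_unreachable(included_tcp: bytes, length_words: int) -> bytes:
    """Constructed ICMP type 3 code 3 (port unreachable) sent by 10.0.0.2 that
    quotes the original IP header plus `included_tcp` bytes of the SYN.
    length_words is the RFC 4884 Length field; 0 models a pre-4884 sender."""
    original = ORIGINAL_IP + included_tcp
    icmp = struct.pack("!BBHBBH", 3, 3, 0, length_words, 0, 0) + original
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header("10.0.0.2", "10.0.0.1", 1, len(icmp)) + icmp


def parse_unreachable(packet: bytes) -> dict:
    """Dissect IPv4/ICMP Destination Unreachable and report what was quoted."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    icmp_type, code, _cksum, length_words = struct.unpack("!BBHB", icmp[:5])
    if icmp_type != 3:
        raise ValueError("not Destination Unreachable")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    original = icmp[8:]
    orig_ihl = (original[0] & 0x0F) * 4
    transport = original[orig_ihl:]
    info = {
        "code": code,
        # RFC 4884 Length: embedded original datagram in 32-bit words.
        "rfc4884_length": length_words * 4,
        "orig_src": str(IPv4Address(original[12:16])),
        "orig_dst": str(IPv4Address(original[16:20])),
        # The quoted IP header still states the ORIGINAL total length, even
        # when the sender only included 8 bytes of the transport header.
        "orig_total_length": struct.unpack("!H", original[2:4])[0],
        "orig_proto": original[9],
        "transport_bytes_included": len(transport),
    }
    if info["orig_proto"] == 6 and len(transport) >= 8:
        # RFC 792's guaranteed 8 bytes: ports and sequence number.
        info["sport"], info["dport"], info["seq"] = struct.unpack("!HHI", transport[:8])
        info["tcp_header_complete"] = False
        if len(transport) >= 20:
            data_offset = (transport[12] >> 4) * 4
            info["syn"] = bool(transport[13] & 0x02)
            info["tcp_header_complete"] = len(transport) >= data_offset
    return info


if __name__ == "__main__":
    samples = (("RFC 792 minimum", build_port_unreachable(TCP_SYN[:8], 0)),
               ("full SYN, RFC 4884", build_port_unreachable(TCP_SYN, 13)))
    for label, pkt in samples:
        print(label, parse_unreachable(pkt))
```

The practical check this encodes: when only the RFC 792 minimum is present, ports and sequence number are still recoverable, but flags and options are not, so a dissector (or a TShark field such as the inner TCP flags) must not assume the quoted segment is complete; comparing the bytes actually included against the quoted header's own total length, or against the RFC 4884 Length field, tells you which case you are looking at.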