[Winpcap-users] Where the padding begins?
Guy Harris
guy at alum.mit.edu
Sat Apr 1 20:02:53 GMT 2006
Krzysztof Włodarczyk wrote:
> my problem is how to find out where, in a TCP packet, the TCP data ends and the padding begins?
>
> for example I have the following packet:
> 00 50 fc a1 50 cb 00 30 4f 18 3a d8 08 00 45 00
> 00 2d 47 52 40 00 3a 06 fd 60 d4 4d 65 a6 c0 a8
> 01 7c 00 6e 08 a9 0c f8 00 cc 62 09 bd db 50 18
> 16 d0 e5 c2 00 00 2b 4f 4b 0d 0a 62
>
> where:
> 00 50 fc a1 50 cb 00 30 4f 18 3a d8 08 00
> -is an Ethernet header
...containing:
Destination: 00:50:fc:a1:50:cb
Source: 00:30:4f:18:3a:d8
Type: 0x0800 (IPv4)
> 45 00
> 00 2d 47 52 40 00 3a 06 fd 60 d4 4d 65 a6 c0 a8
> 01 7c
> -is an IPv4 header
...containing:
Version/IHL: 0x45 = version 4, IHL 5 (5*4 = 20 bytes)
TOS: 0x00
Total length: 0x002d = 45 bytes
ID: 0x4752
Flags/Fragment offset: 0x4000 (DF, fragment offset 0)
TTL: 0x3a = 58
Protocol: 0x06 (TCP)
Header checksum: 0xfd60
Source address: 0xd44d65a6 (212.77.101.166)
Destination address: 0xc0a8017c (192.168.1.124)
The IHL is the length of the IP header, which is 20 bytes, so there are
no options.
> 00 6e 08 a9 0c f8 00 cc 62 09 bd db 50 18
> 16 d0 e5 c2 00 00
> -is a TCP header
...containing:
Source port: 0x006e (110)
Destination port: 0x08a9 (2217)
Sequence number: 0x0cf800cc (217579724)
Acknowledgment number: 0x6209bddb (1644805595)
Data offset/flags: 0x5018 (data offset 5 = 5*4 = 20 bytes; flags ACK+PSH)
Window: 0x16d0 (5840)
Checksum: 0xe5c2
Urgent pointer: 0x0000
The data offset is the length of the TCP header, which is 20 bytes, so
there are no options.
The total length is 45; the IP header length is 20, and the TCP header
length is 20, so 40 of those 45 bytes are the IP and TCP headers,
leaving 5 bytes of TCP data.
> 2b 4f 4b 0d 0a
> -is TCP data
Those are the 5 bytes of TCP data.
> and finally:
> 62
> -is padding rubbish
...because it's after the 5 bytes of TCP data.
> And my question: is there any method that can tell me where the
> padding begins?
Yes. For TCP over IPv4, you get the total length from the IP header,
and subtract from it the length of the IP and TCP headers; that's the
number of bytes of data after the TCP header. Everything after that is
padding.
Doing this for other network layer protocols (IPv6, etc.) or transport
protocols is left as an exercise for the reader.
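As an added illustration (not code from the original thread), here is that rule applied to the frame quoted in the question, in C, with the bounds checks a capture-processing tool needs so that a truncated capture or a bogus length field can never push a read past the buffer. The frame bytes are the ones quoted above; the function name and its interface are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the 60-byte Ethernet frame quoted in the question. */
static const uint8_t sample_frame[] = {
    0x00,0x50,0xfc,0xa1,0x50,0xcb,0x00,0x30,0x4f,0x18,0x3a,0xd8,0x08,0x00,0x45,0x00,
    0x00,0x2d,0x47,0x52,0x40,0x00,0x3a,0x06,0xfd,0x60,0xd4,0x4d,0x65,0xa6,0xc0,0xa8,
    0x01,0x7c,0x00,0x6e,0x08,0xa9,0x0c,0xf8,0x00,0xcc,0x62,0x09,0xbd,0xdb,0x50,0x18,
    0x16,0xd0,0xe5,0xc2,0x00,0x00,0x2b,0x4f,0x4b,0x0d,0x0a,0x62
};

/* Locate the TCP payload in an Ethernet/IPv4/TCP frame of caplen bytes.
 * Returns 0 and sets *data_off/*data_len (payload) and *pad_off (first
 * padding byte; equals caplen when there is none).  Returns -1 when the
 * frame is not well-formed IPv4/TCP that fits in caplen, so a short
 * capture or a lying header is never trusted. */
int tcp_payload_bounds(const uint8_t *f, size_t caplen,
                       size_t *data_off, size_t *data_len, size_t *pad_off)
{
    if (caplen < 14 + 20) return -1;                /* no room for Ethernet + IPv4 */
    if (f[12] != 0x08 || f[13] != 0x00) return -1;  /* EtherType must be 0x0800 */
    const uint8_t *ip = f + 14;
    if ((ip[0] >> 4) != 4) return -1;               /* IP version */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* IHL is in 32-bit words */
    size_t tot = ((size_t)ip[2] << 8) | ip[3];      /* Total Length, big-endian */
    if (ihl < 20 || tot < ihl + 20 || 14 + tot > caplen) return -1; /* bogus/truncated */
    if (ip[9] != 6) return -1;                      /* Protocol must be TCP */
    if ((ip[6] & 0x1f) != 0 || ip[7] != 0) return -1; /* non-first fragment: no TCP header */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;       /* Data Offset, 32-bit words */
    if (doff < 20 || ihl + doff > tot) return -1;   /* options cannot exceed the datagram */
    *data_off = 14 + ihl + doff;
    *data_len = tot - ihl - doff;
    *pad_off  = 14 + tot;                           /* everything from here on is padding */
    return 0;
}

int main(void)
{
    size_t d, n, p;
    if (tcp_payload_bounds(sample_frame, sizeof sample_frame, &d, &n, &p) != 0)
        return 1;
    printf("TCP data: %zu bytes at offset %zu; padding starts at %zu (%zu byte(s))\n",
           n, d, p, sizeof sample_frame - p);
    return 0;
}
```

For the quoted frame this reports 5 bytes of TCP data at offset 54 and padding starting at offset 59, i.e. the single trailing 0x62.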