Ethereal-users: Re: [Ethereal-users] winsock tcp packet format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 14 Jul 2003 16:15:46 -0700

On Monday, July 14, 2003, at 3:48 PM, Giles Scott wrote:

> decode as;
> 0x0e93 - 3731 sport
> 0xad86 44422 - dport
> sequence number 0x8aaec835
> ack number 0x68bdde15
> header length 0x50 -20 bytes
> tcp flags - 0x18 PSH ACK
> window 0xfaf0 = 64240 bytes
> checksum 0x3c60
> data then starts at 00 00

No, it's

	checksum 0x3c60
	urgent pointer 0x0000 (space for the urgent pointer is in the header regardless of whether URP is set, but it doesn't update the urgent pointer if URP isn't set)
	data then starts at 54 68 (i.e., 'T' 'h', as in 'T' 'h' 'i' 's' ' ' 'i' 's' ...)

I suspect his problem is the stuff that comes *after* his message, which is, as noted in my other reply, probably just whatever junk happened to be in his Buffer variable after the 40 bytes of message text - he might have assumed that "send()" somehow knew where his message text ended, but, if so, that assumption is incorrect; it just relies on the length passed in as the third argument.
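Added example, not part of the original message or of Ethereal's code: a minimal C parser for the fixed TCP header that finds the payload from the data-offset field, so the two urgent-pointer bytes at offsets 18-19 are never mistaken for data. The `sample` bytes are constructed from the field values quoted in this thread; `tcp_parse`, `struct tcp_hdr` and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fixed part of a TCP header, fields converted to host byte order. */
struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  hdr_len;   /* header length in bytes: data-offset nibble * 4 */
    uint8_t  flags;     /* 0x18 = PSH|ACK */
    uint16_t window, checksum, urgent;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Parse a TCP header. Returns the offset of the first payload byte,
   or -1 if the buffer is truncated or the data offset is invalid. */
int tcp_parse(const uint8_t *buf, size_t len, struct tcp_hdr *h)
{
    if (len < 20) return -1;                 /* fixed header is 20 bytes */
    h->sport    = be16(buf);
    h->dport    = be16(buf + 2);
    h->seq      = be32(buf + 4);
    h->ack      = be32(buf + 8);
    h->hdr_len  = (uint8_t)((buf[12] >> 4) * 4);
    h->flags    = buf[13];
    h->window   = be16(buf + 14);
    h->checksum = be16(buf + 16);
    h->urgent   = be16(buf + 18);            /* always present, even without URG */
    if (h->hdr_len < 20 || h->hdr_len > len) return -1;
    return h->hdr_len;                       /* payload starts after any options */
}

/* Constructed sample: header fields from the thread, then "This is". */
static const uint8_t sample[] = {
    0x0e, 0x93, 0xad, 0x86, 0x8a, 0xae, 0xc8, 0x35, 0x68, 0xbd, 0xde, 0x15,
    0x50, 0x18, 0xfa, 0xf0, 0x3c, 0x60, 0x00, 0x00,
    0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73
};

int main(void)
{
    struct tcp_hdr h;
    int off = tcp_parse(sample, sizeof sample, &h);
    if (off < 0) return 1;
    printf("sport=%u dport=%u urgent=0x%04x payload@%d: %.*s\n", (unsigned)h.sport,
           (unsigned)h.dport, (unsigned)h.urgent, off, (int)(sizeof sample - (size_t)off),
           (const char *)sample + off);
    return 0;
}
```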