Calculating TCP Header Length?

Can anyone guide me on the following?

I'm trying to figure out the answer as seen in the first question inside the blog malwarejake[.]blogspot.com/2015/05/packet-analysis-practice-part-3.html .

As per the sample packet found:

What is the embedded protocol, the destination port, and the amount of data not including protocol headers?

    0x0000:  4500 004c 1986 4000 4006 9cba c0a8 0165
    0x0010:  c0a8 01b6 0015 bf3c dad0 5039 2a8c 25be
    0x0020:  8018 0072 06ec 0000 0101 080a 008a 70ac

The answers for the above question are as follows:

    Embedded protocol: TCP
    Total packet length:  76
    IP Header length:  20
    Protocol header length: 32
    Data length: 24
    Dest Port: 0xbf3c (48956)

I managed to get all the other answers with the exception of Protocol Header Length and Data Length.

Isn't TCP Header Length normally 20 bytes with the extension up to 40 bytes? But how is 32 bytes derived from the above packet? I don't understand.

Thanks!

Vaccaro answered 27/11, 2018 at 14:33

Here's the TCP Header directly from the RFC:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The values 0015 and bf3c are the ports. The values dad0 5039 and 2a8c 25be are the sequence/ack numbers.

Now take a look at the next 4 bits. The ones at offset 0x20. The value of the byte is 0x80, which means that the topmost 4 bits are 1000. They correspond to the "data offset" field:

Data Offset: 4 bits

The number of 32 bit words in the TCP Header. This indicates where the data begins. The TCP header (even one including options) is an integral number of 32 bits long.

So 1000 means that the header consists of 8 x 32-bit words, which means 8 x 4 bytes = 32 bytes.

Stauder answered 27/11, 2018 at 14:59
Comment: Hello Malt, greatly appreciated. Totally understood it. - Vaccaro
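The following decoder carries the answer's reasoning through in code. It is an added example, not code from the original post or from the linked blog: it turns the three hexdump lines quoted in the question into bytes, reads IHL and Total Length from the IPv4 header and the Data Offset nibble from the TCP header, and derives the payload length (76 - 20 - 32 = 24) from those fields rather than from how many bytes were captured. That distinction matters here because the dump shows only the first 48 of the packet's 76 bytes, so the option list (NOP, NOP, Timestamp) is cut off mid-option and the parser has to report that instead of reading past the buffer. Field names, the `parse_ipv4_tcp` / `parse_tcp_options` helpers and the constructed `SAMPLE_HEXDUMP` constant are this example's own.

```python
"""Decode IPv4 + TCP headers from a tcpdump-style hex dump and derive the
payload length.  Added example, not part of the original post; the sample
bytes are the three lines quoted in the question (48 of 76 bytes captured)."""
import struct

# Constructed input: the hex dump from the question, verbatim.
SAMPLE_HEXDUMP = """
0x0000:  4500 004c 1986 4000 4006 9cba c0a8 0165
0x0010:  c0a8 01b6 0015 bf3c dad0 5039 2a8c 25be
0x0020:  8018 0072 06ec 0000 0101 080a 008a 70ac
"""

# Flag bits in the low 9 bits of the Data Offset / flags half-word, MSB first.
TCP_FLAG_NAMES = ["NS", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset:  hhhh hhhh ...' lines into raw bytes, dropping the offsets."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def parse_tcp_options(opts: bytes) -> list:
    """Walk the TLV option list.  Returns (kind, value) pairs; value is None when
    an option declares an impossible length or runs past the captured bytes."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List: stop
            parsed.append((0, b""))
            break
        if kind == 1:                       # NOP: one byte, no length field
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):              # kind present, length byte missing
            parsed.append((kind, None))
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # bogus or truncated option
            parsed.append((kind, None))
            break
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers; all lengths come from header fields."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4              # IHL is counted in 32-bit words
    if not 20 <= ihl <= total_len:
        raise ValueError("bad IHL")
    if proto != 6:
        raise ValueError(f"embedded protocol is {proto}, not TCP")

    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("shorter than a minimal TCP header")
    (sport, dport, seq, ack, off_flags,
     window, _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4     # top 4 bits, also in 32-bit words
    if not 20 <= data_offset <= total_len - ihl:
        raise ValueError("bad TCP data offset")
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES)
             if off_flags & (1 << (8 - i))]

    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "total_len": total_len,
        "ip_header_len": ihl,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "window": window,
        "tcp_header_len": data_offset,
        "payload_len": total_len - ihl - data_offset,
        "options": parse_tcp_options(tcp[20:data_offset]),
        "captured_len": len(pkt),
        "truncated": len(pkt) < total_len,
    }


if __name__ == "__main__":
    for key, val in parse_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP)).items():
        print(f"{key:>15}: {val}")
```

Run as-is it prints the decoded fields for the sample: IP header 20 bytes, TCP header 32 bytes (Data Offset nibble 8), payload 24 bytes, source port 21, destination port 48956, flags ACK and PSH, and `truncated: True` with the Timestamp option (kind 8, declared length 10) reported as cut off because only 8 option bytes are present in the dump. The bounds checks on IHL and Data Offset are the ones a real decoder needs: both nibbles are attacker-controlled, and trusting them without comparing against Total Length is how a parser reads past the end of the packet.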
