Document ethernet padding with -x #1

Closed
@guyharris

Converted from SourceForge issue 559168, submitted by nobody

While playing around with both tcpdump 3.7.1 and tcpdump 3.6
I believe I have found a bug with the representation of Ethernet
trailer information within an IP packet information.

I have sent an ICMP Timestamp request to a destination host
and with the reply I saw weird padding at the end of the packet:

13:16:23.010811 10.50.1.63 > 10.50.1.211: icmp: time stamp
query id 40973 seq 0 (ttl 255, id 13170, len 40)
4500 0028 3372 0000 ff01 70ed 0a32 013f
0a32 01d3 0d00 226f a00d 0000 02a2 2de1
0000 0000 0000 0000 0000 0000 0000
13:16:23.011395 10.50.1.211 > 10.50.1.63: icmp: time stamp
reply id 40973 seq 0 : org 0x2a22de1 recv 0x2a6c8c9 xmit
0x2a6c8c9 (DF) (ttl 255, id 42448, len 40)
4500 0028 a5d0 4000 ff01 be8e 0a32 01d3
0a32 013f 0e00 8a8f a00d 0000 02a2 2de1
02a6 c8c9 02a6 c8c9 5555 5555 5555

As you can see there are 6 bytes added at the end of the ICMP
Timestamp reply, just after the transmit timestamp information
(5555 5555 5555).

You can also see the same thing with the ICMP Timestamp
request I have sent. In this case the padded trailer was 0000
0000 0000.

Using ethereal (which also displays this at the end of the IP
packet...) I was able to track the padded information to be the
Ethernet Trailer.

Thank you
Ofir Arkin
ofir@sys-security.com
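
The following is an added example, not part of the original report and not tcpdump code: it takes the two hex dumps quoted in the report, reads the IPv4 total-length field, and separates the datagram from the bytes that follow it. The function names and the `ETH_MIN_PAYLOAD` constant are chosen for this illustration; it assumes the dump starts at the IPv4 header, as `-x` output does here.

```python
import struct

# 64-byte minimum Ethernet frame minus 14-byte header and 4-byte FCS.
ETH_MIN_PAYLOAD = 46

# Hex lines copied from the two packets quoted in the report.
REQUEST = """
4500 0028 3372 0000 ff01 70ed 0a32 013f
0a32 01d3 0d00 226f a00d 0000 02a2 2de1
0000 0000 0000 0000 0000 0000 0000
"""
REPLY = """
4500 0028 a5d0 4000 ff01 be8e 0a32 01d3
0a32 013f 0e00 8a8f a00d 0000 02a2 2de1
02a6 c8c9 02a6 c8c9 5555 5555 5555
"""

def split_trailer(hexdump):
    """Return (ip_datagram, trailer) for a dump that starts at the IPv4 header."""
    data = bytes.fromhex("".join(hexdump.split()))
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", data[2:4])[0]   # IPv4 total length field
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent IPv4 length fields")
    if total_len > len(data):
        raise ValueError("dump is shorter than the datagram (truncated capture)")
    return data[:total_len], data[total_len:]

def describe(hexdump):
    """Summarise how many captured bytes lie beyond the IP datagram."""
    ip, trailer = split_trailer(hexdump)
    captured = len(ip) + len(trailer)
    return {
        "captured": captured,
        "ip_total_len": len(ip),
        "trailer_hex": trailer.hex(),
        # True when the extra bytes exactly fill the minimum Ethernet payload.
        "is_min_frame_padding": len(ip) < ETH_MIN_PAYLOAD
                                and captured == ETH_MIN_PAYLOAD,
    }

if __name__ == "__main__":
    for name, dump in (("request", REQUEST), ("reply", REPLY)):
        print(name, describe(dump))
```

Both packets declare a 40-byte datagram inside a 46-byte capture, so the trailing 6 bytes are link-layer padding whose contents are whatever the sending host placed there.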
