03-02-2016 01:18 AM - edited 03-08-2019 04:47 AM
Hey all,
I have some misunderstanding of how Wireshark interprets the packet size.
I have an ICMP packet with a 1464 payload.
So I wanted to know how it makes a 1514-byte frame or a 1500 IP packet.
As far as I know, if the ICMP payload is 1464, then we have to add the ICMP header, which is 8, + the IP header (20). So this makes the WHOLE IP packet, and that leaves just 1492. Where are the other 8 bytes?
When I'm marking the INTERNET CONTROL MESSAGE PROTOCOL field in Wireshark, it shows me that ICMP (as I assume, with header and payload) is 1480, but what makes 1480 if the payload is 1464 and the added ICMP header leaves only 1472? Where do the additional 8 bytes on the ICMP header come from?
Thanks, I added a picture!
03-02-2016 05:11 AM
It seems that's because of some strange ICMP timestamp options...
Windows ping doesn't have those fields, and its calculations are "as usual" :)
03-12-2016 02:28 AM
In order to calculate an ICMP packet in a router using Wireshark:
ICMP packet: 8 bytes total length
IP packet: 20 bytes
Frame: 14 bytes
So if you initiate a ping, then the total is 1500-20-8 = 1472 bytes (payload)
03-12-2016 06:01 AM
In the standard situation, you are right.
But take a look at my screenshot (at the topic start). In my case the ICMP packet was with timestamp options, so 8 extra bytes were added to the ICMP packet.
03-12-2016 10:30 AM
As per your Wireshark, the total payload is 1480. Could you please let me know what the configured MTU on the interface is?
In general, for IOS/IOS-XE the interface MTU is 1500 bytes by default.
In other devices like Juniper, the default MTU is 1514 bytes, which encounters the frame as well.
And the ICMP is always 8 bytes, so in your case, if the payload is 1480, then it might be configured as 1480 + 20 + 8 = 1508 bytes.
Can you please check and let me know? What is the device as well?
03-12-2016 11:37 AM
As you see, the ICMP packet size is 1480 and the ICMP payload is not 1472, but -8 (1464). So where are the 8 bytes? Those 8 extra bytes, as we see, are from the timestamp options. That ping was issued from a Juniper MX device. The MTU sizes on the interfaces (L2 and IP) are configured to be 9xxx bytes, but that doesn't mean anything, because other interfaces along the path are configured to 1500 (IP MTU).
03-02-2016 05:25 AM
The ICMP header is an 8-byte sequence that contains the first 5 fields shown on your Wireshark capture (type, code, checksum, identifier, sequence number). ICMP itself additionally allows for a payload section, which contains variable information relevant to different ICMP functions.
In the case of a ping message (echo request/reply), the ICMP payload section contains an additional 8-byte timestamp value. This value is not a part of the ICMP header; it is used by ping to compute the RTT of the message. If you select the timestamp field in your capture, you will see that it is 8 bytes long.
Wikipedia has a good visualization of the ICMP header and explanation of the ICMP payload section:
https://en.wikipedia.org/wiki/Ping_(networking_utility)
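The size arithmetic discussed in this thread, as an added example (not code from any poster): it builds a constructed Ethernet/IPv4/ICMP echo frame with 1464 bytes of data and recomputes the per-layer sizes from the headers. The 8-byte timestamp at the start of the echo data is assumed, as in the capture described above; the addresses, identifier and timestamp values are made up.

```python
import struct

ETH_HDR = 14   # destination MAC + source MAC + EtherType
ICMP_HDR = 8   # type, code, checksum, identifier, sequence number
TS_LEN = 8     # timestamp at the start of the echo data (assumed, as in this capture)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even- or odd-length buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_frame(data_len: int) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + ICMP echo request."""
    body = struct.pack("!II", 1456899480, 123456) + bytes(data_len)  # sec, usec, data
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + body
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes(12) + struct.pack("!H", 0x0800) + ip + icmp

def size_breakdown(frame: bytes) -> dict:
    """Return the per-layer byte counts Wireshark shows for an ICMP echo frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ver_ihl, _tos, ip_total = struct.unpack("!BBH", frame[14:18])
    ip_hdr = (ver_ihl & 0x0F) * 4            # IHL is counted in 32-bit words
    if frame[ETH_HDR + 9] != 1:
        raise ValueError("not ICMP")
    icmp_total = ip_total - ip_hdr           # ICMP header + everything after it
    if icmp_total < ICMP_HDR + TS_LEN:
        raise ValueError("echo too short to carry a timestamp")
    return {
        "frame": ETH_HDR + ip_total,
        "ip_packet": ip_total,
        "ip_header": ip_hdr,
        "icmp": icmp_total,
        "icmp_header": ICMP_HDR,
        "timestamp": TS_LEN,
        "data": icmp_total - ICMP_HDR - TS_LEN,
    }

if __name__ == "__main__":
    for name, size in size_breakdown(build_echo_frame(1464)).items():
        print(f"{name:12} {size}")
```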
03-02-2016 05:34 AM
Thanks. You say that's not a value of the ICMP header. If so, why is it shown under the ICMP header, not the PAYLOAD (DATA) row?
03-02-2016 05:44 AM
There are two separate uses of the word payload here. The PAYLOAD (DATA) section is the actual content of the IP packet, listed below the ICMP section. The ICMP payload is a variable-length field that is appended to the ICMP header. In this case, it is the 8-byte timestamp value.
Basically, the ICMP "header" is 8 bytes long, and is used in every ICMP message. The ICMP payload is still basically a part of the ICMP header, but it varies depending on the type of ICMP message and the host implementation.