ICMP Packet size according to wireshark.

from88
Level 4

Hey all,

I have some misunderstanding of how Wireshark interprets the packet size.

I have an ICMP packet with a 1464 payload.

So I wanted to know how it makes a 1514-byte frame or a 1500 IP packet.

As far as I know, if the ICMP payload is 1464, then we have to add the ICMP header, which is 8, + the IP header (20). So this makes the WHOLE IP packet, and that leaves just 1492. Where are the other 8 bytes?

When I'm marking the INTERNET CONTROL MESSAGE PROTOCOL field in Wireshark, it shows me that ICMP (as I assume, with header and payload) is 1480, but what makes 1480 if the payload is 1464 and the added ICMP header leaves only 1472? Where do the additional 8 bytes on the ICMP header come from?

Thanks, I added a picture!

Accepted Solution

wessm
Cisco Employee

There are two separate uses of the word payload here. The PAYLOAD (DATA) section is the actual content of the IP packet, listed below the ICMP section. The ICMP payload is a variable-length field that is appended to the ICMP header. In this case, it is the 8-byte timestamp value. 

Basically, the ICMP "header" is 8 bytes long, and is used in every ICMP message. The ICMP payload is still basically a part of the ICMP header, but it varies depending on the type of ICMP message and the host implementation. 

8 Replies

from88
Level 4

Seems that's because of some strange ICMP timestamp options...

Windows ping doesn't have those fields, and its calculations are "as usual" :)

In order to calculate an ICMP packet in a router using Wireshark :-

ICMP packet :- 8 Bytes total length

IP packets :- 20 Bytes

Frame :- 14 Bytes 

So if you initiate a ping, then the total is 1500-20-8 = 1472 bytes (payload).

In the standard situation, you are right.

But take a look at my screenshot (at topic start). In my case the ICMP packet was with timestamp options, so 8 extra bytes were added to the ICMP packet.

As per your Wireshark, the total payload is 1480. Could you please let me know what the configured MTU on the interface is?

So in general, for IOS/IOS-XE the interface MTU is 1500 bytes by default.

In other devices like Juniper, the default MTU is 1514 bytes, which encounters the frame as well.

And the ICMP is always 8 bytes, so in your case, if the payload is 1480, then it might be configured as 1480 + 20 + 8 = 1508 bytes.

Can you please check and let me know? What is the device as well?

As you see, the ICMP packet size is 1480 and the ICMP payload is not 1472, but -8 (1464). So where are the 8 bytes? Those 8 extra bytes, as we see, are from the timestamp options. That ping was issued from a Juniper MX device. MTU sizes on interfaces (L2 and IP) are configured to be 9xxx bytes, but that doesn't mean anything, because other interfaces along the path are configured to 1500 (IP MTU).

wessm
Cisco Employee

The ICMP header is an 8-byte sequence that contains the first 5 fields shown on your Wireshark capture (type, code, checksum, identifier, sequence number). ICMP itself additionally allows for a payload section, which contains variable information relevant to different ICMP functions.

In the case of a ping message (echo request/reply), the ICMP payload section contains an additional 8-byte timestamp value. This value is not a part of the ICMP header; it is used by ping to compute the RTT of the message. If you select the timestamp field in your capture, you will see that it is 8 bytes long.

Wikipedia has a good visualization of the ICMP header and explanation of the ICMP payload section:

https://en.wikipedia.org/wiki/Ping_(networking_utility)
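
The byte accounting discussed in this thread, as an added example that is not part of any poster's reply: it builds a constructed Ethernet/IPv4/ICMP echo request and splits it into the per-layer sizes Wireshark reports. The function names, the `with_timestamp` switch and the 192.0.2.x addresses are assumptions made for illustration; whether a timestamp is present depends on the ping implementation and cannot be read from a header field.

```python
import struct

ETH_HDR = 14      # dst MAC + src MAC + EtherType; no 802.1Q tag, FCS not captured
ICMP_HDR = 8      # type, code, checksum, identifier, sequence number
TS_LEN = 8        # assumption: the sender's ping prepends an 8-byte timestamp


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_frame(data_len: int, with_timestamp: bool = True) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + ICMP echo request."""
    ts = struct.pack("!II", 1700000000, 0) if with_timestamp else b""
    body = ts + bytes(data_len)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + body
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth + ip + icmp


def layer_sizes(frame: bytes, with_timestamp: bool = True) -> dict:
    """Split a captured frame into the byte counts shown per layer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[ETH_HDR] & 0x0F) * 4                 # IP header length in bytes
    ip_total = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    if frame[ETH_HDR + 9] != 1:
        raise ValueError("not ICMP")
    icmp = frame[ETH_HDR + ihl:ETH_HDR + ip_total]    # ignores any Ethernet padding
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    ts = TS_LEN if with_timestamp else 0
    return {"frame": len(frame), "ip_packet": ip_total, "ip_header": ihl,
            "icmp_message": len(icmp), "icmp_header": ICMP_HDR,
            "timestamp": ts, "data": len(icmp) - ICMP_HDR - ts}
```
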

Thanks. You say that's not a value of the ICMP header. If so, why is it shown under the ICMP header, not the PAYLOAD (DATA) row?
