0

I have a capture that I'm parsing using libtins and I'm trying to get the total frame size, I'm missing 1 byte. On Wireshark, the frame is parsed as S-Bus response packet and it's length is 94 bytes. At the end of the packet there's a part called "VSS Monitoring Ethernet trailer" I think this is the missing byte. I tried printing various portions of the packet, but still can't get it right. Here are a few attempts and their respective printouts:

//packet is: const Tins::Packet* packet 
ethernetII = packet->pdu()->find_pdu<Tins::EthernetII>();
const Tins::RawPDU *raw = packet->pdu()->find_pdu<Tins::RawPDU>();
const Tins::RawPDU *raw = packet->pdu()->find_pdu<Tins::RawPDU>();
cout <<"RawPDU header_size: " << raw->header_size() << endl;
cout <<"RawPDU payload_size: " << raw->payload_size() << endl;
cout <<"RawPDU payload().size(): " << raw->payload().size() << endl;
std::vector<uint8_t> buffer = raw->payload();
cout << endl;

for (int i =0; i < buffer.size(); i++ ){
    pprint_hex_uint8(buffer[i]);
    cout << " ";
}

cout << "\nbuffer size: " << buffer.size() << endl;
cout << "pkt size: " << packet->pdu()->size() << endl;
cout << "pkt trailer_size: " << packet->pdu()->trailer_size() << endl;
cout << "pkt header_size: " << packet->pdu()->header_size() << endl;
cout << "pkt ethernetII->trailer_size(): " << ethernetII->trailer_size() << endl;
cout << "ethernetII->inner_pdu()->size() " << ethernetII->inner_pdu()->size() << endl;

Output:

RawPDU header_size: 51
RawPDU payload_size: 51
RawPDU payload().size(): 51
// in wireshark, these are the payload bytes and the byte I think is missing is right after the last one here
0x00 0x00 0x00 0x33 0x00 0x00 0x00 0x04 0x01 0x4d 0x6f 0x64 0x65 0x6c 0x6c 0x20 0x20 0x00 0x00 0x00 0xc0 0x00 0x00 0x05 0x27 0x00 0x01 0x7a 0x19 0x00 0x01 0x80 0x00 0x00 0x02 0x22 0x5c 0x00 0x01 0xdd 0xa4 0x5a 0xa5 0x00 0x01 0x19 0xa6 0x04 0x0e 0xbb 0x23
buffer size: 51
pkt size: 93
pkt trailer_size: 0
pkt header_size: 14
pkt ethernetII->trailer_size(): 0
ethernetII->inner_pdu()->size() 79

All the stats are correct other then packet->pdu()->size() which should be 94 (the header is 14 and inner pdu 79) I'm not sure whether there is something else I can do to count this byte? Also, in the RawPDU why are the payload and header sizes the same? I'd expect the header size to be 14.
Thanks,

Landes
  • 1
  • 1
  • The packet size is in the IP header. You seem to be asking about the frame size. The packet is the payload of the frame. – Ron Maupin Jan 27 '21 at 19:45
  • You mean I should get the frame instead of the packet? I thought EthernetII is the frame in this case. I could not find a 'frame' class. Is there a lower layer class than EthernetII I should look for? – Landes Jan 27 '21 at 20:24
  • Ethernet frames have trailers, but IP packets do not. The total packet size is a field in the IP header, and you can get it from there. – Ron Maupin Jan 27 '21 at 20:29
  • I also printed the trailer size, it returns zero in this case. The total length in the IP header shows 79 in wireshasrk (which is the payload of the frame: ethernetII->inner_pdu()->size() ) – Landes Jan 27 '21 at 20:55
  • Right. You are asking the packet size, and that is in the IP header. There is nothing else you need to add to figure the packet size. If you are asking about the frame, then it is not as clear. The frame trailer has nothing to do with the packet or packet size. – Ron Maupin Jan 27 '21 at 20:58
  • Sorry, yes I'm asking for the entire frame size. I'll update my question – Landes Jan 27 '21 at 21:43

0 Answers0