This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Two IP headers before data – using jpcap

0

I am creating IP packets and sending them over Ethernet. I am using the jpcap library for it. When I analyze the packet using Wireshark, it shows the protocol as eth:ip:ip, i.e. two IP headers followed by the data. So some of my data following the 1st IP header is treated as header itself!! This is creating a lot of trouble. This is bizarre, and I am not able to understand the reason behind it. Does it have anything to do with a Wireshark setting, or the jpcap library??

asked 26 Nov '13, 00:13

mohit93

Please post a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org, mega.co.nz)

(26 Nov '13, 02:51) Kurt Knochner ♦

This is the link for the Wireshark capture. Notice the top line: Protocols in frame [eth:ip:ip] https://drive.google.com/file/d/0BzzMYblB9rVPajNhbGRIcTlxdFE/edit?usp=sharing

(26 Nov '13, 03:36) mohit93

2 Answers:

1

This is the link for the Wireshark capture. Notice the top line: Protocols in frame [eth:ip:ip] https://drive.google.com/file/d/0BzzMYblB9rVPajNhbGRIcTlxdFE/edit?usp=sharing

If you look at the line below the marked one (blue), you will see that the IP protocol type is 'IP in IP'. That's the reason why Wireshark shows two IP headers. If that was not your intention, why did you choose protocol type 0x04 (IP in IP)? If you want TCP (protocol 0x06) or UDP (protocol 0x11) then please choose the right protocol in your IP header.

http://en.wikipedia.org/wiki/IPv4_header#Header

Maybe you just misinterpreted that field as IP protocol version and thus you chose the value of 4.

Regards
Kurt

answered 26 Nov '13, 03:43

Kurt Knochner ♦

edited 26 Nov '13, 04:04

@Kurt: Thanks for pointing that out. So, the protocol field decides which higher-level protocol uses this IP header. But I just want to send this IP packet over Ethernet. No other protocol should encapsulate it. So, what should I set my protocol number as??

(26 Nov '13, 03:53) mohit93

So, the protocol field decides which higher-level protocol uses this IP header.

yes.

But I just want to send this IP packet over Ethernet. No other protocol should encapsulate it. So, what should I set my protocol number as??

Try 255, as that value is officially reserved and I guess Wireshark will not dissect it in any way.

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

If that does not work, try other values from the link above, like 253 or 254 (for testing and experimenting) or any value from the range (143-252 -> UNASSIGNED).

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

Regards
Kurt

(26 Nov '13, 04:02) Kurt Knochner ♦

@Kurt: Thanks for the great help. With 255, Wireshark is not dissecting it, so I can see my data alright. Just one more doubt: This reserved protocol number won't affect its transmission over Ethernet, and I can read the packet as it is on the other end? Do all the packets in the network need to have one of these standard protocol numbers? Aren't there any simple IP packets in the network, which are not used by any other layer?

(26 Nov '13, 04:18) mohit93

Just one more doubt: This reserved protocol number won't affect its transmission over Ethernet,

Well, I cannot guarantee that, as it obviously depends on the device that handles your IP packet. A switch will not care, neither will a router. However, a firewall might decide to drop the frame for several reasons (firmware, configuration, etc.).

Do all the packets in the network need to have one of these standard protocol numbers?

No, you don't have to choose one of the standard protocol numbers. You are free to choose whatever is appropriate for your protocol. However: firewalls will certainly only allow what they know and that's mostly the standard protocols, while most of the firewalls I know of can be configured to allow whatever you want.

Aren't there any simple IP packets in the network, which are not used by any other layer?

Not that I know of, because the idea of IP is to be a transport mechanism (routing) for the payload (data) of higher layer protocols.

Please work through the TCP/IP guide. It will explain some of those TCP/IP basics.

http://www.tcpipguide.com/

or read the classic book, TCP/IP Illustrated Volume 1

https://www.google.com/?q=amazon+TCP%2FIP+Illustrated%2C+Volume+1

(26 Nov '13, 04:29) Kurt Knochner ♦

Thanks for the great help! It is an FPGA on the other side, so I don't think there will be any firewall issues! Thanks again!

(26 Nov '13, 04:38) mohit93
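
The effect discussed in this answer and its comments, as an added example that is not part of the original thread and is not jpcap or Wireshark code: a simplified Python model of how a dissector follows the IPv4 protocol field, showing why protocol 4 yields eth:ip:ip while 253 or 255 leaves the payload as plain data. The function names, addresses and payload bytes are constructed for illustration, and the chain labels only approximate Wireshark's "Protocols in frame" line.

```python
import struct

# Protocol numbers named in the thread; any other value is shown as undissected data.
PROTO_NAMES = {4: "ip", 6: "tcp", 17: "udp"}
PAYLOAD = bytes(range(32))  # constructed application data, not taken from the capture

def checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Build a 20-byte IPv4 header without options, followed by the payload."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    ver_ihl = (4 << 4) | 5  # the IP version (4) lives here, not in the protocol field
    head = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, addr(src), addr(dst))
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload

def dissect(packet: bytes, chain=("eth",)) -> list:
    """Follow the protocol field as a dissector would; return the protocol chain."""
    chain = list(chain) + ["ip"]
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return chain  # bytes were handed to the IP dissector but are not a valid header
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == 4:  # IP in IP: the payload is parsed as a second IP header
        return dissect(packet[ihl:], chain)
    return chain + [PROTO_NAMES.get(proto, "data")]

if __name__ == "__main__":
    for proto in (4, 17, 253, 255):
        print(proto, ":".join(dissect(build_ipv4(proto, PAYLOAD))))
```
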

0

Wireshark doesn't make things up (it may annotate captures with such things as sequence analysis), it shows what has been captured.

answered 26 Nov '13, 01:48

grahamb ♦