[Snort-users] diff between IpLen and DgmLen?

Matt Kettler mkettler at ...4108...
Tue Aug 13 09:33:02 EDT 2002


Anyone more code-involved with snort feel free to correct me, but I'm 
interpreting all these lengths as the ones right out of the packet headers, 
which appears to be correct.

dgmlen should be the TOTAL length, inclusive of all IP headers and all 
higher-layer protocol headers (ie: tcp). tcplen is the length of the TCP 
header.

so in summary:

dgmlen - total packet length as seen by the IP layer, inclusive of IP 
header, any higher layer headers, and the payload.
iplen - the IP header length.
tcplen - the TCP header length (only applies to TCP/IP traffic, not UDP or 
ICMP, obviously)


also note that "payload" is really relative to what layer you are talking 
about. For example at the ethernet layer, IP headers are part of the payload.

Assuming you're talking "application layer payload available to read from a 
socket after a TCP/IP stack processes it" payload len should be as follows:

for IP packets carrying tcp segments:
         payload = dgmlen - iplen - tcplen

for IP packets carrying udp packets:
         payload = dgmlen - iplen - 8 (udp header is always 8 bytes).

and as a more complicated example: ICMP echos (reply or request):
         payload = dgmlen - iplen - 4 (ICMP header) - 8 byte (echo request)

At 03:09 PM 8/13/2002 +0800, you wrote:
>is dgmlen the payload length?
>Thanks
>Sam
>----- Original Message -----
>From: "Matt Kettler" <mkettler at ...4108...>
>To: "SW" <s.wun at ...6605...>; <snort-users at lists.sourceforge.net>
>Sent: Tuesday, August 13, 2002 12:22 PM
>Subject: Re: [Snort-users] diff between IpLen and DgmLen?
>
>
> > IpLen (20 in most cases where no IP options are specified) is the IP header
> > length. IP header options are rarely used, unlike TCP options which are
> > quite common. Very few routers will honor IP header options like
> > source-route nowadays.
> >
> > dgmlen is the total datagram (packet) length.
> >
> > Both values are contained in the IP header of all packets. the IPLen is a
> > 4-bit value and is in increments of 4 bytes (ie, max header length = 15*4 =
> > 60), the dgmlen is a 16bit field in bytes.
> >
> > At 11:41 AM 8/13/2002 +0800, SW wrote:
> > >Hi,
> > >
> > >I found there are two different lengths in each msg in the alert file.
> > >What is the difference between IpLen and DgmLen?
> > >
> > >Thanks
> > >SW
> >
> >
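The arithmetic above (application payload = DgmLen minus the IP header length minus the transport header length) can be checked against real header fields. The following is an added example, not code from the thread or from Snort: it constructs a few IPv4 packets in memory (TCP with options, UDP, and an ICMP echo request, all with constructed addresses and ports), reads IHL, Total Length and the TCP Data Offset straight out of the headers the way Snort's IpLen/DgmLen/TcpLen are taken, and derives the payload length. The ICMP echo branch uses the 8-byte header defined in RFC 792 (type, code, checksum, identifier, sequence). A second function does the consistency check an analyst wants when reading an alert: the header-claimed lengths must fit inside the bytes actually captured, since a DgmLen that exceeds the wire length or an IHL larger than DgmLen means a truncated capture or a deliberately malformed packet.

```python
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# Constructed sample addresses (documentation range, RFC 5737)
SRC_IP = bytes([192, 0, 2, 1])
DST_IP = bytes([192, 0, 2, 2])


def build_ipv4(proto, l4_bytes, options=b""):
    """Construct an IPv4 header whose IHL and Total Length fields are computed
    from the option and payload sizes (checksum left zero; not needed here)."""
    ihl_bytes = 20 + len(options)
    if ihl_bytes % 4 != 0 or ihl_bytes > 60:
        raise ValueError("IP options must pad the header to a multiple of 4 bytes, max 60")
    total_len = ihl_bytes + len(l4_bytes)  # this is Snort's DgmLen
    ver_ihl = (4 << 4) | (ihl_bytes // 4)  # IHL is a 4-bit count of 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, total_len, 0x1234, 0, 64, proto, 0, SRC_IP, DST_IP)
    return hdr + options + l4_bytes


def build_tcp(payload, options=b""):
    """TCP header with Data Offset computed from the option length."""
    doff_bytes = 20 + len(options)
    if doff_bytes % 4 != 0 or doff_bytes > 60:
        raise ValueError("TCP options must pad the header to a multiple of 4 bytes, max 60")
    hdr = struct.pack("!HHIIBBHHH",
                      40000, 80, 0, 0, (doff_bytes // 4) << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


def build_udp(payload):
    """UDP header is a fixed 8 bytes; its length field covers header + payload."""
    return struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload


def build_icmp_echo_request(payload):
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence = 8 bytes."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1) + payload


def snort_lengths(pkt):
    """Return (iplen, dgmlen, l4len, payload_len) read from the packet headers,
    mirroring what Snort prints as IpLen / DgmLen / TcpLen."""
    iplen = (pkt[0] & 0x0F) * 4                    # IHL * 4
    dgmlen = struct.unpack("!H", pkt[2:4])[0]      # IP Total Length
    proto = pkt[9]
    l4 = pkt[iplen:dgmlen]
    if proto == PROTO_TCP:
        l4len = (l4[12] >> 4) * 4                  # TCP Data Offset * 4
    elif proto == PROTO_UDP:
        l4len = 8
    elif proto == PROTO_ICMP:
        l4len = 8                                  # echo header per RFC 792
    else:
        l4len = 0                                  # unknown transport: treat all as payload
    return iplen, dgmlen, l4len, dgmlen - iplen - l4len


def lengths_consistent(pkt):
    """True when the header-claimed lengths fit inside the captured bytes.
    False signals a truncated capture or a malformed/crafted packet."""
    iplen = (pkt[0] & 0x0F) * 4
    dgmlen = struct.unpack("!H", pkt[2:4])[0]
    if iplen < 20 or iplen > dgmlen or dgmlen > len(pkt):
        return False
    if pkt[9] == PROTO_TCP:
        tcplen = (pkt[iplen + 12] >> 4) * 4
        if tcplen < 20 or iplen + tcplen > dgmlen:
            return False
    if pkt[9] == PROTO_UDP and iplen + 8 > dgmlen:
        return False
    return True


if __name__ == "__main__":
    tcp_pkt = build_ipv4(PROTO_TCP, build_tcp(b"hello world", options=b"\x02\x04\x05\xb4"),
                         options=b"\x01\x01\x01\x01")
    udp_pkt = build_ipv4(PROTO_UDP, build_udp(b"\x00" * 12))
    icmp_pkt = build_ipv4(PROTO_ICMP, build_icmp_echo_request(b"abcdefgh"))
    for name, p in (("tcp", tcp_pkt), ("udp", udp_pkt), ("icmp", icmp_pkt)):
        print(name, "IpLen/DgmLen/L4Len/payload:", snort_lengths(p), "consistent:", lengths_consistent(p))
    # A packet whose Total Length claims more bytes than were captured
    print("truncated consistent:", lengths_consistent(tcp_pkt[:40]))
```

The TCP sample carries four bytes of IP options (IpLen 24) and a four-byte MSS option (TcpLen 24); the printed payload length is the 11 bytes of "hello world", exactly DgmLen - IpLen - TcpLen. Slicing the same packet short makes the claimed DgmLen exceed the captured length, which the consistency check flags.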
