From owner-freebsd-hackers Thu Jul 11 08:06:22 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA18729 for hackers-outgoing; Thu, 11 Jul 1996 08:06:22 -0700 (PDT)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA18715 for ; Thu, 11 Jul 1996 08:06:20 -0700 (PDT)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <15569(2)>; Thu, 11 Jul 1996 08:05:14 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177476>; Thu, 11 Jul 1996 08:05:08 -0700
To: Rick Weldon
cc: freebsd-hackers@freebsd.org
Subject: Re: BPF implementation questions
In-reply-to: Your message of "Fri, 28 Jun 96 19:11:06 PDT." <31D490BA.446B9B3D@wisetech.com>
Date: Thu, 11 Jul 1996 08:05:03 PDT
From: Bill Fenner
Message-Id: <96Jul11.080508pdt.177476@crevenia.parc.xerox.com>
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <31D490BA.446B9B3D@wisetech.com> you write:
>The bpf_hdr is lying to me on
>exactly how much TCP data is there in a round about sort of way.

No, it's not. It's telling you the length of the packet that it captured off the network. Since Ethernet has a minimum packet length, short packets need to be padded by the sender, and the two extra bytes that you're seeing are padding added by the host that sent the packet. You need to look at the IP length field (0x002c in your example packet, which points at the end of the TCP header) to find the end of the TCP packet.

  Bill
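
Added example, not part of the original message or of FreeBSD's code: a C sketch of the check described above, which takes the end of the TCP data from the IP length field instead of from the captured length that bpf_hdr reports. The function names and the 60-byte sample frame are constructed for illustration; only the 0x002c IP length and the two padding bytes come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14

/* Return the TCP payload length of an Ethernet/IPv4/TCP frame, derived from
 * the IP total-length field rather than the captured length; -1 if the frame
 * is malformed or truncated. *pad receives the count of trailing bytes that
 * are link-layer padding and must not be treated as TCP data. */
long tcp_payload_len(const uint8_t *f, size_t caplen, size_t *pad)
{
    if (caplen < ETH_HDR_LEN + 20) return -1;
    if (f[12] != 0x08 || f[13] != 0x00) return -1;       /* not IPv4 */
    const uint8_t *ip = f + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;             /* IP header bytes */
    size_t ip_len = ((size_t)ip[2] << 8) | ip[3];        /* IP total length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    /* The IP length must cover both headers and fit in the captured bytes. */
    if (ip_len < ihl + 20 || ETH_HDR_LEN + ip_len > caplen) return -1;
    size_t thl = (size_t)(ip[ihl + 12] >> 4) * 4;        /* TCP header bytes */
    if (thl < 20 || ihl + thl > ip_len) return -1;
    *pad = caplen - ETH_HDR_LEN - ip_len;
    return (long)(ip_len - ihl - thl);
}

/* Constructed sample: a minimum-size 60-byte frame whose IP length is 0x002c
 * (20-byte IP header + 24-byte TCP header), leaving 2 bytes of padding. */
size_t build_sample(uint8_t *f)
{
    memset(f, 0, 60);
    f[12] = 0x08; f[13] = 0x00;          /* EtherType: IPv4 */
    f[14] = 0x45;                        /* version 4, IHL 5 */
    f[16] = 0x00; f[17] = 0x2c;          /* IP total length = 44 */
    f[23] = 6;                           /* protocol: TCP */
    f[ETH_HDR_LEN + 20 + 12] = 0x60;     /* TCP data offset = 6 words */
    return 60;
}

int main(void)
{
    uint8_t f[60];
    size_t pad = 0, caplen = build_sample(f);
    long n = tcp_payload_len(f, caplen, &pad);
    printf("caplen=%zu tcp_payload=%ld padding=%zu\n", caplen, n, pad);
    return 0;
}
```

A parser that trusts the captured length here would treat the two padding bytes as TCP payload; one that trusts the IP length without checking it against the captured length would read past the buffer on a truncated or forged packet.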