I'm sending and receiving a packet with the scapy module.
a = sr(IP(src="192.168.1.100",dst="8.8.4.4")/UDP(sport=RandShort(),dport=53)/DNS(rd=1,qd=DNSQR(qname="google.com",qtype="ALL",qclass="IN"),ar=DNSRROPT(rclass=3000)),timeout=1)
If I display the packet size of the command and response:
#command size
print len(a[0][0][0])
>67
#response size
print len(a[0][0][1])
>496
But if I capture the packets with Wireshark, it shows me a packet length:
command: 83 bytes
response: 512 bytes
So we know that in Wireshark we have an additional 16 bytes for both command and response:
83 - 67 = 16
512 - 496 = 16
And I want to know (just for educational purposes): what are the additional 16 bytes captured by Wireshark? Does somebody have deep networking know-how and can tell me what happens?
EDIT:
Output of a[0].summary():
IP / UDP / DNS Qry "google.com" ==> IP / UDP / DNS Ans "74.125.68.102"
Output of a[0][0][0].show():
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = **67**
id = 1
flags =
frag = 0
ttl = 64
proto = udp
chksum = None
src = 192.168.1.100
dst = 8.8.4.4
\options \
###[ UDP ]###
sport = 41454
dport = domain
len = None
chksum = None
###[ DNS ]###
id = 0
qr = 0
opcode = QUERY
aa = 0
tc = 0
rd = 1
ra = 0
z = 0
ad = 0
cd = 0
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 1
\qd \
|###[ DNS Question Record ]###
| qname = 'google.com'
| qtype = ALL
| qclass = IN
an = None
ns = None
\ar \
|###[ DNS OPT Resource Record ]###
| rrname = '.'
| type = OPT
| rclass = 3000
| extrcode = 0
| version = 0
| z = D0
| rdlen = None
| \rdata \
Output of a[0].show():
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = **496**
id = 41777
flags =
frag = 0L
ttl = 56
proto = udp
chksum = 0xfb3
src = 8.8.4.4
dst = 192.168.1.100
\options \
###[ UDP ]###
sport = domain
dport = 41454
len = 476
chksum = 0x2fef
###[ DNS ]###
id = 0
qr = 1L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 1L
z = 0L
ad = 0L
cd = 0L
rcode = ok
qdcount = 1
ancount = 19
nscount = 0
arcount = 1
\qd \
|###[ DNS Question Record ]###
| qname = 'google.com.'
| qtype = ALL
| qclass = IN
\an \
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.102'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.113'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.139'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.100'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.138'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = A
| rclass = IN
| ttl = 299
| rdlen = 4
| rdata = '74.125.68.101'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = AAAA
| rclass = IN
| ttl = 299
| rdlen = 16
| rdata = '2404:6800:4003:c02::65'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns2.google.com.'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 17
| rdata = '\x00\x14\x04alt1\x05aspmx\x01l\xc0\x0c'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = SOA
| rclass = IN
| ttl = 59
| rdlen = 34
| rdata = '\xc0\xa4\tdns-admin\xc0\x0c\x07\xbe\xf2\xb0\x00\x00\x03\x84\x00\x00\x03\x84\x00\x00\x07\x08\x00\x00\x00<'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 9
| rdata = '\x00(\x04alt3\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 4
| rdata = '\x00\n\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = 257
| rclass = IN
| ttl = 21599
| rdlen = 19
| rdata = '\x00\x05issuesymantec.com'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns3.google.com.'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 9
| rdata = '\x00\x1e\x04alt2\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns1.google.com.'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = MX
| rclass = IN
| ttl = 599
| rdlen = 9
| rdata = '\x002\x04alt4\xc0\xbd'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = TXT
| rclass = IN
| ttl = 3599
| rdlen = 36
| rdata = 'v=spf1 include:_spf.google.com ~all'
|###[ DNS Resource Record ]###
| rrname = 'google.com.'
| type = NS
| rclass = IN
| ttl = 21599
| rdlen = 16
| rdata = 'ns4.google.com.'
ns = None
\ar \
|###[ DNS OPT Resource Record ]###
| rrname = '.'
| type = OPT
| rclass = 512
| extrcode = 0
| version = 0
| z = D0
| rdlen = 0
| \rdata \
The .len attribute of the packet, in your case, happens to be the value of the len field of the IP layer. It does not contain the Ether layer (14 bytes).
You should use len() (as you do in your example) to get the packet length. Also, you should specify layer 2 (and hence use srp() instead of sr()):
a = srp(Ether() / IP(src="192.168.1.100",dst="8.8.4.4") /
UDP(sport=RandShort(),dport=53) /
DNS(rd=1,qd=DNSQR(qname="google.com",qtype="ALL",qclass="IN"),
ar=DNSRROPT(rclass=3000)),
timeout=1)
print len(a[0][0][0]), len(a[0][0][1])
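As an added example (not part of the question or the answer above, and not using scapy), the following pure-Python builder reconstructs the query from the question byte by byte, so the length arithmetic can be checked offline: 12-byte DNS header, 16-byte question for google.com/ALL/IN, 11-byte OPT pseudo-record, 8-byte UDP header and 20-byte IPv4 header, which is exactly the 67 bytes scapy reports. It then adds the two link-layer header sizes a capture tool prepends: Ethernet II is 14 bytes, while the Linux "cooked" capture header that Wireshark uses on the `any` pseudo-interface is 16 bytes; the page does not say which link type the original capture used, so the 16-byte figure is offered as the size that matches the reported difference, not as a statement about the asker's setup. The source port 41454 and the addresses are taken from the show() output on the page; the IP checksum is computed, the UDP checksum is left zero.

```python
import struct

# Link-layer header sizes that a capture tool prepends to the IP packet.
ETHERNET_HEADER_LEN = 14   # Ethernet II: dst MAC, src MAC, EtherType
LINUX_SLL_HEADER_LEN = 16  # Linux "cooked" capture header (DLT_LINUX_SLL), used on the "any" interface


def encode_name(name):
    """Encode a DNS name as length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(qname, qtype, udp_payload_size, txid=0):
    """DNS query with RD=1, one question and one EDNS0 OPT record (mirrors the scapy query)."""
    # id, flags (only RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # qclass IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS field carries the requestor's UDP payload
    # size (scapy's DNSRROPT rclass), TTL field carries ext-rcode/version/flags, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return header + question + opt


def build_udp(sport, dport, payload):
    """UDP header (checksum left zero, which is permitted over IPv4) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the 20-byte header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, proto=17, ident=1, ttl=64):
    """Minimal IPv4 header (IHL=5) whose Total Length covers header + payload."""
    total_len = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0, src_b, dst_b)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def ip_total_length(ip_packet):
    """Read the Total Length field, which is what scapy's IP.len holds after a send."""
    return struct.unpack("!H", ip_packet[2:4])[0]


def captured_frame_length(ip_total_length_value, link_header_len):
    """Frame length a capture tool reports: link-layer header + IP total length."""
    return link_header_len + ip_total_length_value


def query_from_question():
    """Rebuild the IP/UDP/DNS query from the question (values copied from its show() output)."""
    dns = build_dns_query("google.com", 255, 3000)   # qtype ALL = 255, DNSRROPT(rclass=3000)
    udp = build_udp(41454, 53, dns)                   # sport 41454 as shown on the page
    return build_ipv4("192.168.1.100", "8.8.4.4", udp)


if __name__ == "__main__":
    pkt = query_from_question()
    print("len(pkt), as scapy reports it:", len(pkt))
    print("IP Total Length field:        ", ip_total_length(pkt))
    for name, hdr in (("Ethernet", ETHERNET_HEADER_LEN), ("Linux cooked", LINUX_SLL_HEADER_LEN)):
        print("%-13s frame: %d bytes" % (name, captured_frame_length(len(pkt), hdr)))
    print("496-byte response on a cooked capture:", captured_frame_length(496, LINUX_SLL_HEADER_LEN))
```

Running the script prints 67 for both the built packet and its Total Length field, 81 bytes for an Ethernet frame and 83 bytes for a Linux cooked-capture frame; the same 16-byte header applied to the 496-byte response gives 512. Checking the link type in the capture file's header (Wireshark shows it under the frame's "Encapsulation type") tells you which of the two sizes applies to a given trace.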