Looking at the output from Procmon and TCPdump, everything matches up until we hit a length of 3760. So what is happening here? It turns out, if you want to match the packets up, one of them needs to be split.
So there is an exception to the rule: if the Procmon length equals 3760, we have to add the length of the next entry to it, and the packets in TCPdump should add up to that combined number. In the example, the third packet is split between the two Procmon entries.
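As an added example (not code from the post), here is the matching rule above written out in Python and run over constructed length lists: a Procmon entry of 3760 is merged with the entry after it, and TCPdump packets are consumed until they sum to the merged length. The 3760 value is the one the post observed; treating a trailing 3760 entry with nothing after it as a normal entry is an assumption.

```python
from dataclasses import dataclass
from typing import List

# Length at which a Procmon entry must be merged with the next one (from the post).
SPLIT_LENGTH = 3760


@dataclass
class Match:
    procmon_lengths: List[int]   # one entry, or two when the first is 3760
    packet_lengths: List[int]    # TCPdump packets that sum to those entries


def match_procmon_to_packets(procmon: List[int], packets: List[int]) -> List[Match]:
    """Pair Procmon entry lengths with the TCPdump packets that carry them.

    Raises ValueError when the packet lengths cannot be reconciled, which is
    the signal that the rule (or the capture) does not line up.
    """
    matches: List[Match] = []
    i = j = 0
    while i < len(procmon):
        group = [procmon[i]]
        i += 1
        # Exception from the post: a 3760 entry is combined with the next entry.
        # Assumption: a 3760 entry with no successor is matched on its own.
        if group[0] == SPLIT_LENGTH and i < len(procmon):
            group.append(procmon[i])
            i += 1
        target = sum(group)
        consumed: List[int] = []
        total = 0
        # Consume packets until they add up to the (possibly combined) length.
        while total < target and j < len(packets):
            consumed.append(packets[j])
            total += packets[j]
            j += 1
        if total != target:
            raise ValueError(f"Procmon {group} (sum {target}) vs packets {consumed} (sum {total})")
        matches.append(Match(group, consumed))
    if j != len(packets):
        raise ValueError(f"{len(packets) - j} TCPdump packet(s) left unmatched")
    return matches


if __name__ == "__main__":
    # Constructed sample: the 1640-byte packet spans the 3760 and 800 entries.
    for m in match_procmon_to_packets([1200, 3760, 800, 500], [1200, 1460, 1460, 1640, 500]):
        print(m)
```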