Last Updated: 2022-03-12 00:51:34 UTC
by Didier Stevens (Version: 1)
That the ICMP packets do not actually contain an IP packet, but just a part of it.
RFC 792 states that the destination unreachable message only contains the IP header and 8 bytes of the TCP header (that would be the source and destination port, and the sequence number):
That is not the case in my example:
The full TCP packet is included, 32 bytes long.
RFC 792 is more than 40 years old, and has been updated several times since.
For example, in RFC 4884, you can find this:
In a nutshell: include as many bytes from the original datagram as possible, without risking fragmentation.
And for a TCP SYN packet, like in my example, that is no problem at all.