Ethereal-dev: Re: [Ethereal-dev] incorrect packet length

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "J.Smith" <lbalbalba@xxxxxxxxxxx>
Date: Sat, 7 Dec 2002 02:22:59 +0100
>
> Incorrectly?  The packet *is* 1514 bytes long - 14 bytes of Ethernet
> header, 20 bytes of IP header, 20 bytes of TCP header, and 1460 bytes of
> TCP payload.
>
> There are 1500 bytes of Ethernet *payload*; that's what tcpdump is
> reporting.  That's the maximum amount of MAC client data according to
> 3.1.1 "MAC frame format" in IEEE Std 802.3-2002 - but that doesn't
> include the destination address, source address, and length/type fields
> in the Ethernet header, nor does it include the FCS at the end.
>

Oops. Guess I seriously screwed up here.


But now that I appear to be in the process of getting my facts straight
anyway, please allow me to verify if I understand this correctly now:

I was always under the (wrong, apparently) impression that the maximum
transmission unit (MTU) size that's defined in the OS for any given network
interface (1500 bytes in case of an Ethernet network) referred to the
maximum *total* frame size that the physical medium was able to carry. Turns
out that this MTU actually *excludes* the header/trailer that's appropriate
for the type of physical medium in use (Ethernet in this case). And because
this MTU only refers to the physical layer's payload, not the total frame
size, this means that the total frame size at the physical layer can be
larger than this MTU. This is true not only for Ethernet, but for all other
physical layer protocols as well.


Might it then not be a good idea if the term "Packet length (bytes)" that
gets used in the Ethereal header column is renamed to something like "Frame
length (bytes)" ? The term 'packet' more often than not seems to get
associated with the network layer protocols like TCP/IP, while the term
'frame' seems mostly associated with physical layer protocols like Ethernet or
FDDI. This seems more appropriate for the type of data that gets displayed
in this column. Or have I understood this part incorrectly as well ?



Anyway, thanks for helping me clear up my understanding of networking. I
sincerely apologise if I caused any confusion by posting this message.

J.Smith.
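
The length breakdown discussed in this thread, as an added example that is not part of the original message or of Ethereal's code: it reads the IPv4 and TCP header-length fields from a captured Ethernet II frame and separates the frame length from the IP datagram length that is compared against the MTU. The function names build_frame and length_breakdown are hypothetical, and the sample frame (zeroed MAC addresses and checksums, 192.0.2.x addresses) is constructed.

```python
import struct

ETH_HDR = 14  # dst MAC + src MAC + length/type; the FCS is not part of the capture

def build_frame(payload_len=1460):
    """Constructed sample: Ethernet II + IPv4 + TCP, no options, zeroed checksums."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)

def length_breakdown(frame):
    """Read the header-length fields and split the captured frame by layer."""
    if len(frame) < ETH_HDR + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an Ethernet II / IPv4 frame")
    ver_ihl, _tos, ip_total = struct.unpack_from("!BBH", frame, ETH_HDR)
    ip_hdr = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ip_hdr < 20 or frame[ETH_HDR + 9] != 6:
        raise ValueError("not a valid IPv4/TCP header")
    if ip_total > len(frame) - ETH_HDR:
        raise ValueError("capture is shorter than the IP total length")
    if ip_total < ip_hdr + 20:
        raise ValueError("IP total length leaves no room for a TCP header")
    tcp_hdr = (frame[ETH_HDR + ip_hdr + 12] >> 4) * 4  # data offset, 32-bit words
    if tcp_hdr < 20 or ip_hdr + tcp_hdr > ip_total:
        raise ValueError("bad TCP data offset")
    return {
        "frame_len": len(frame),      # what the "length" column shows
        "eth_header": ETH_HDR,
        "ip_datagram": ip_total,      # the part that is limited by the MTU
        "ip_header": ip_hdr,
        "tcp_header": tcp_hdr,
        "tcp_payload": ip_total - ip_hdr - tcp_hdr,
        # Short frames are padded to the Ethernet minimum; padding is not IP data.
        "padding": len(frame) - ETH_HDR - ip_total,
    }

if __name__ == "__main__":
    for name, value in length_breakdown(build_frame()).items():
        print(f"{name:12} {value}")
```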