ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-dev: Re: [Ethereal-dev] Ethernet II Trailer identification

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Eduardo Escudero Sánchez" <edu.kungfu@xxxxxxxxx>
Date: Wed, 14 Jun 2006 09:39:08 +0200
How can ethereal determine the size of the trailer based on the size of rest of the frame? In the data part of the frame there could be a lot of different protocol-dependent data. What im doing now is analize the data inside the ethernet II frame and seeing if there is more data than the upper protocol expects. For example, if i have an ethernet II frame with a length/type field of 0x0800 (an IP frame) i take the data and analizes it as an ip datagram and i retrieve the data length field of the datagram. The i see with that length if it is the length of the data part  of the ethernet frame or if it is less than the legth of the data part of ethernet II. If the second case is happening the i obtain the difference between both values and get that way the trailer length But this is not a very efficient approach because if i want to stay independent of upper protocols it means that if i want to analize a MAC level frame i have to step onto uppper levels to achieve it. That means too that i must have implememnted frame analizers for all the upper protocols in order to ask any of them what is the length of their data to obtain the real length of the ethernet II data.
Any idea? thanks

 
2006/6/11, Stephen Fisher <stephentfisher@xxxxxxxxx>:
On Sun, Jun 11, 2006 at 09:03:33AM +0200, Eduardo Escudero S?nchez wrote:

> The most i can do only with the ethernet ii field is seeing if the
> data part of the frame has a length of 46 bytes and if it is the case
> i know there could be trailer bytes added to it. Anyone can explain me
> this to me a little more?(Or maybe give me a reference)

You're right that the Ethernet_II frame header doesn't tell us if there
is a trailer.  There will always be a trailer added by the NIC upon
transmission if there is not enough data to make the frame at least 64
bytes (including the 14 byte header + 4 byte trailer).  From a quick
glance at the code in packet-eth.c,Ethereal determines if there may be
a trailer present based on the size of the rest of the frame  and
displays the last number of bytes that would be the trailer if
appropriate.  It also takes into account whether the driver reported the
FCS along with the data or not (or even "maybe").  On my current
machine, I only see the trailer on received frames and not transmitted
since the NIC hasn't put the trailer on yet.

Let us know if you want more information :)


Steve

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube