On Mon, May 24, 2004 at 06:26:13PM -0700, Ronald C. Wagner wrote (in
HTML; plain-text mail is preferred, as not everybody's mail reader
conveniently handles HTML mail):
> I want to see ethernet encapsulated packets as per RFC 894. These
> packets would have a 6 byte destination MAC, 6 byte source MAC, 2 byte type,
> 46-1500 bytes of data and then a 4 byte CRC.
>
> Regardless of the OS dependancies, will ethereal display such packets?
It depends on the format of the capture file.
Libpcap-format capture files sometimes do, and sometimes don't, include
the CRC - and there's no per-packet flag to indicate whether the packet
has a CRC or not. Ethereal, when handling a libpcap-format file, will
attempt to guess whether the packet data includes the CRC, based on the
length of the raw packet data and length fields at other layers such as
the IP layer. This mostly works, although there are, I think, cases
where it guesses incorrectly.
Older EtherPeek captures appear to have the FCS in some packets; the
code in Ethereal to read those captures decides whether the packet has
an FCS based on a per-packet flag in the file that *appears* to indicate
whether the packet has an FCS.
Some Windows Sniffer files appear to include the FCS in Ethernet
packets; the code in Ethereal to read those captures decides whether the
packet has an FCS based on some data in the per-packet record header
that *appears* to indicate whether the packet has an FCS.
Files from Shomiti Surveyor appear to have an FCS in Ethernet packets;
Ethereal assumes they do.
Ethereal assumes no other captures have an FCS in Ethernet packets.
Now, an additional question might be "will packets *captured* by
Ethereal include an FCS?" That's OS-dependent, as per the FAQ. Those
files are in libpcap format, so Ethereal's heuristics will be used when
Ethereal reads the data it captured.
