
Wireshark-users: Re: [Wireshark-users] Ethernet packets are less than 64 bytes

Date: Tue, 13 Nov 2007 10:24:18 -0600 (CST)
Is Wireshark running on the same PC that you did the ping from?  If so
you're only going to see internal packets (before the frame hits the
wire), and thus smaller packets not including the padding are going to be
valid.  43 is a valid size for a packet that didn't actually hit the wire.

Kevin.


>
> I've started to experiment recently with Version 0.99.6a (SVN Rev 22276)
> and WinPcap version 4.0.1 which was the recommended version when I
> installed Wireshark.  As far as I'm aware, ethernet frames should be
> between 64 and 1518 bytes long and, if the data section is less than 46
> bytes, padding should be added to make up the minimum length.  Further, I
> believe that this minimum length is something to do with collisions.
>
> I looked at some traffic on my network and saw frames having only eth:arp
> protocols with only 42 bytes (I counted very carefully and it's 42
> decimal, rather than 42 hex).  I collected traffic following ping -l 1
> 192.168.0.1 and that had eth:ip:icmp:data in the "Protocols in frame"
> area.  The size of the frame was reported as "43 bytes on wire, 43 bytes
> captured".  It appears that my system is ignoring the padding.  I saw a
> video from Wireshark University which dealt with rogue padding leaking
> potentially confidential data and the clip showed ARP traffic which *did*
> have the correct amount of padding to fill the ethernet frame.  I don't
> know what version of Wireshark was used.  I have seen such "short" frames
> with POP traffic (when not actually downloading any mail, just
> interrogating the server to see if there's any mail present).  When I
> capture HTTP traffic, the frame length is >=350.
>
> I'm confused.  Why am I not seeing padding?  Is there a setting somewhere
> that says "ignore padding"?  If so, I've not been able to find it.  Is
> there something about my system (laptop connected via wireless to an ADSL
> router, XP Pro SP2 fully patched) which is conflicting with Wireshark?  Is
> this regarded as a "bug" or a "feature"?  My concern is "if I see this
> behaviour that I didn't expect nor can I understand, is there anything
> else happening which may render my captured data inaccurate?".
>
> Thanks for your time.
>
>
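Added example, not part of the original thread: a small Python check that reproduces the 42-byte ARP and 43-byte `ping -l 1` sizes from the question, reports how much padding each frame needs to reach the 60-byte minimum (64 bytes less the 4-byte FCS, which captures usually omit), and flags padding that is not all zeros. The frames, addresses and the `analyze_frame` helper are constructed for illustration.

```python
import struct

ETH_HDR = 14      # destination MAC + source MAC + EtherType
MIN_NO_FCS = 60   # 64-byte minimum minus the 4-byte FCS, which captures usually omit

def analyze_frame(frame: bytes) -> dict:
    """Split a captured Ethernet II frame into protocol data and trailing padding."""
    if len(frame) < ETH_HDR + 8:
        raise ValueError("frame too short to parse")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[ETH_HDR:]
    if ethertype == 0x0806:      # ARP: 8 fixed bytes + 2 * (hw addr len + proto addr len)
        l3_len = 8 + 2 * (body[4] + body[5])
    elif ethertype == 0x0800:    # IPv4: total length field at bytes 2-3 of the IP header
        l3_len = struct.unpack("!H", body[2:4])[0]
    else:
        raise ValueError("unsupported EtherType 0x%04x" % ethertype)
    unpadded = ETH_HDR + l3_len
    if unpadded > len(frame):
        raise ValueError("capture shorter than the protocol length")
    padding = frame[unpadded:]
    return {
        "captured": len(frame),
        "unpadded": unpadded,
        "pad_needed_on_wire": max(0, MIN_NO_FCS - unpadded),
        "pad_present": len(padding),
        "nonzero_pad": any(padding),  # padding that is not all zeros deserves a closer look
    }

# Constructed sample frames (addresses and bytes are made up; checksums left as zero).
ETH = bytes.fromhex("ffffffffffff" "001122334455")
ARP = ETH + bytes.fromhex("0806" "0001" "0800" "06" "04" "0001"
                          "001122334455" "c0a80002" "000000000000" "c0a80001")
ICMP = (ETH + bytes.fromhex("0800") + bytes([0x45, 0]) + struct.pack("!H", 29)
        + bytes(16) + bytes.fromhex("0800000000010001") + b"a")
ARP_PADDED_ZERO = ARP + bytes(18)                 # as a receiver would capture it
ARP_PADDED_DIRTY = ARP + b"constructed-bytes!"    # 18 non-zero padding bytes

if __name__ == "__main__":
    for name, f in [("arp, sender side", ARP), ("ping -l 1, sender side", ICMP),
                    ("arp, padded", ARP_PADDED_ZERO), ("arp, dirty pad", ARP_PADDED_DIRTY)]:
        print(name, analyze_frame(f))
```

A sender-side capture showing `pad_present` of 0 with `pad_needed_on_wire` above 0 matches the explanation in the reply; to inspect the padding that actually goes out, capture on the receiving host or a tap.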