Wireshark-users: Re: [Wireshark-users] Size of Frames

From: Jim Aragon <Jim@xxxxxxxxxxxxxxxxx>
Date: Sat, 07 Jul 2012 12:58:08 -0700
At 09:41 AM 7/7/2012, you wrote:

As a beginner, I am staring at a lot of trace files to get up to speed. I am trying to learn the expected sizes (min, max, etc.) of packets. I have read that the minimum size of an Ethernet frame is 64 bytes, yet my trace files show many frames that are 54 or 60 bytes long. I also see frames where zero-based padding (up to 6 bytes' worth) is added at the very end of the frame. These zeros are attributed to (i.e., highlighted) the Ethernet II layer by Wireshark. But I cannot determine a reason why the padding is occasionally used.

The minimum Ethernet frame size is 64 bytes. That includes a four-byte frame check sequence (FCS). Wireshark usually sees outbound frames before the FCS is added, and sees inbound frames after the FCS has been stripped off, at least in Windows systems. Therefore, the minimum frame size when the frame gets to Wireshark is 60 bytes. If the frame is smaller than the minimum frame size, padding bytes must be added to bring the frame up to the minimum size. In the case of inbound frames, the padding is added by the sending system, so inbound frames should always be at least 60 bytes. In the case of outbound frames, Wireshark sees the frame before the padding is added and the frame is transmitted onto the wire, so these will sometimes be less than 60 bytes.

You can use this to determine where the data was captured. If you're looking at a trace file, and want to know if the capture took place on one of the endpoints, and if so, which one, look for frames less than 60 bytes. The system sending these frames is the one where the data was captured.

Jim
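
The check described in the reply above, as an added example that is not part of the original message: it reads a classic pcap file (not pcapng) with the Ethernet link type and counts frames under 60 bytes per source MAC, so the sender of the short frames points to the capturing host. The function names, the sample capture and its MAC addresses are constructed for illustration.

```python
import struct
from collections import Counter

MIN_NO_FCS = 60  # 64-byte Ethernet minimum minus the 4-byte FCS

def short_frame_senders(pcap: bytes) -> Counter:
    """Count frames under 60 bytes per source MAC in a classic pcap file."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # usec / nsec, little-endian
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    senders, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # orig_len is the frame's real length; incl_len may be cut by the snaplen
        if orig_len < MIN_NO_FCS and len(frame) >= 12:
            senders[frame[6:12].hex(":")] += 1  # bytes 6..11 = source MAC
    return senders

def _frame(dst: str, src: str, payload_len: int, pad_to: int = 0) -> bytes:
    body = bytes.fromhex(dst) + bytes.fromhex(src) + b"\x08\x00" + b"\x45" * payload_len
    return body.ljust(pad_to, b"\x00")  # zero padding, as the sending NIC would add

def build_sample() -> bytes:
    """Constructed capture taken on host A: its outbound 54-byte frames are unpadded."""
    a, b = "020000000001", "020000000002"  # constructed MAC addresses
    frames = [_frame(b, a, 40), _frame(a, b, 40, 60), _frame(b, a, 40), _frame(a, b, 100)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(short_frame_senders(build_sample()))
```

An empty result means no frame was seen before padding, which is what a capture taken somewhere other than on an endpoint would show.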