October 29th, 2007 08:09 PM
Wireshark capture problem
My OS is XP Pro SP2 connected via wireless to an ADSL router. I've started to look at traffic on my network, initially with WinDump and recently with Wireshark. I've been led to believe that the minimum and maximum length of an ethernet frame is 64 and 1518 bytes respectively (source MAC = 6, destination MAC = 6, type = 2, data = 46 to 1500 and CRC = 4).
I started a Wireshark capture and then ran some commands at the CMD console and navigated to some new web pages. I looked at the capture and, in particular, ARP in the protocol column. I was surprised to see that every ARP frame was reported as "42 bytes on wire, 42 bytes captured" and the protocols in the frame were reported as "eth:arp" (I checked very carefully and counted the number of bytes in the frame as 42 decimal rather than 42 hex). I was under the impression that, if the data section of the ethernet frame was less than 46 bytes, padding was appended to fill up to 46 bytes.
Can someone give me an idea what's wrong with my thought process?
As a spin-off, when I click on "Ethernet II" (in the packet details window), it correctly hi-lights (in the packet bytes window) the contiguous 2 MAC addresses and type but the CRC at the end of the frame is not shown. Why?
Thanks for your time.
October 29th, 2007 11:32 PM
You can try starting with reinstalling winpcap cant hurt to try
October 30th, 2007 12:02 PM
I had a version of Winpcap installed prior to using Wireshark and I allowed the install to overwrite it with the version that came with the Wireshark install package. I've uninstalled both Winpcap and Wireshark subsequently, rebooted and reinstalled Wireshark (and it's default Winpcap). Needless to say, the padding still doesn't show and the ARP frame is still shown as 42 bytes.
As a matter of interest, I've checked out the Wireshark wiki and it seems that the vast majority of Ethernet hardware filters out the preamble and CRC and doesn't pass it to Wireshark so at least part of my original question has been answered. It's a pity that there is no Wireshark forum (there are mailing lists but they're not as user-friendly as a forum).
Does anyone else have any suggestions? Can someone else with Wireshark capture some ARP traffic and check if they see padding and if the frame size is more than 42 bytes? My version of Wireshark is Version 0.99.6a (SVN Rev 22276), if it's relevant. I issued <ping 192.168.0.1>, which is my ADSL router.
October 30th, 2007 04:50 PM
I believe 42 bytes is correct. What you're thinking of is something else. You should have an Ethernet header that is 14 bytes, then an ARP packet that's 28 bytes. I did see something showing 64 bytes on google though. http://www.ists.dartmouth.edu/classroom/crs/arp_mac.php
October 30th, 2007 07:06 PM
I looked at the link that you gave and it shows the size of the frame as 64 bytes which, according to my reading, is correct. My frame is displayed as 42 bytes
I've also collected ICMP traffic following <ping -l 1 192.168.0.1> which sends a single character "a" in the payload. There is no padding and the size of the frame is given as 43 (decimal) bytes. For some reason, my system isn't showing padding which should be appended to the data in the ethernet frame.
Any other ideas?
October 30th, 2007 08:41 PM
That's what you're getting I'm pretty sure. I don't think there's anything missing. I think you're getting what you're supposed to be getting.
October 31st, 2007 10:22 AM
I found a video by Laura Chappell (the "guru" at Wireshark University) in which she demonstrated faulty padding in an ethernet frame. The padding was either zeros or lifted from RAM so, in the latter case, it could contain passwords etc. (I think the actual padding applied depended upon the NIC or driver). The video showed ARP traffic having been collected and padding was applied, unlike in my system at present. It's a pity that I don't have access to another PC, otherwise I'd set it up to capture some traffic that I could compare.
By unvi$ible in forum AntiOnline's General Chit Chat
Last Post: July 26th, 2005, 12:13 AM
By FamStars&Straps in forum Miscellaneous Security Discussions
Last Post: October 12th, 2003, 05:33 AM
By Tedob1 in forum Tech Humor
Last Post: December 23rd, 2002, 03:58 PM
By Rna in forum General Programming Questions
Last Post: May 22nd, 2002, 07:03 AM
By thesecretfire in forum Hardware
Last Post: May 17th, 2002, 12:31 AM