Wireshark capture problem
Results 1 to 7 of 7

Thread: Wireshark capture problem

Hybrid View

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    Wireshark capture problem

    Hi Everyone

    My OS is XP Pro SP2 connected via wireless to an ADSL router. I've started to look at traffic on my network, initially with WinDump and recently with Wireshark. I've been led to believe that the minimum and maximum length of an ethernet frame is 64 and 1518 bytes respectively (source MAC = 6, destination MAC = 6, type = 2, data = 46 to 1500 and CRC = 4).

    I started a Wireshark capture and then ran some commands at the CMD console and navigated to some new web pages. I looked at the capture and, in particular, ARP in the protocol column. I was surprised to see that every ARP frame was reported as "42 bytes on wire, 42 bytes captured" and the protocols in the frame were reported as "eth:arp" (I checked very carefully and counted the number of bytes in the frame as 42 decimal rather than 42 hex). I was under the impression that, if the data section of the ethernet frame was less than 46 bytes, padding was appended to fill up to 46 bytes.

    Can someone give me an idea what's wrong with my thought process?

    As a spin-off, when I click on "Ethernet II" (in the packet details window), it correctly hi-lights (in the packet bytes window) the contiguous 2 MAC addresses and type but the CRC at the end of the frame is not shown. Why?

    Thanks for your time.

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    You can try starting with reinstalling winpcap cant hurt to try

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    I had a version of Winpcap installed prior to using Wireshark and I allowed the install to overwrite it with the version that came with the Wireshark install package. I've uninstalled both Winpcap and Wireshark subsequently, rebooted and reinstalled Wireshark (and it's default Winpcap). Needless to say, the padding still doesn't show and the ARP frame is still shown as 42 bytes.

    As a matter of interest, I've checked out the Wireshark wiki and it seems that the vast majority of Ethernet hardware filters out the preamble and CRC and doesn't pass it to Wireshark so at least part of my original question has been answered. It's a pity that there is no Wireshark forum (there are mailing lists but they're not as user-friendly as a forum).

    Does anyone else have any suggestions? Can someone else with Wireshark capture some ARP traffic and check if they see padding and if the frame size is more than 42 bytes? My version of Wireshark is Version 0.99.6a (SVN Rev 22276), if it's relevant. I issued <ping 192.168.0.1>, which is my ADSL router.

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I believe 42 bytes is correct. What you're thinking of is something else. You should have an Ethernet header that is 14 bytes, then an ARP packet that's 28 bytes. I did see something showing 64 bytes on google though. http://www.ists.dartmouth.edu/classroom/crs/arp_mac.php

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    I looked at the link that you gave and it shows the size of the frame as 64 bytes which, according to my reading, is correct. My frame is displayed as 42 bytes

    I've also collected ICMP traffic following <ping -l 1 192.168.0.1> which sends a single character "a" in the payload. There is no padding and the size of the frame is given as 43 (decimal) bytes. For some reason, my system isn't showing padding which should be appended to the data in the ethernet frame.

    Any other ideas?

  6. #6
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    http://www.raduniversity.com/network.../ARP/arp.htm#4

    That's what you're getting I'm pretty sure. I don't think there's anything missing. I think you're getting what you're supposed to be getting.

  7. #7
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    I found a video by Laura Chappell (the "guru" at Wireshark University) in which she demonstrated faulty padding in an ethernet frame. The padding was either zeros or lifted from RAM so, in the latter case, it could contain passwords etc. (I think the actual padding applied depended upon the NIC or driver). The video showed ARP traffic having been collected and padding was applied, unlike in my system at present. It's a pity that I don't have access to another PC, otherwise I'd set it up to capture some traffic that I could compare.

Similar Threads

  1. game instalation problem?
    By unvi$ible in forum AntiOnline's General Chit Chat
    Replies: 3
    Last Post: July 26th, 2005, 12:13 AM
  2. Spam problem
    By FamStars&Straps in forum Miscellaneous Security Discussions
    Replies: 2
    Last Post: October 12th, 2003, 05:33 AM
  3. 500 mile email problem
    By Tedob1 in forum Tech Humor
    Replies: 0
    Last Post: December 23rd, 2002, 03:58 PM
  4. C problem...
    By Rna in forum General Programming Questions
    Replies: 4
    Last Post: May 22nd, 2002, 07:03 AM
  5. Help! I've got a nasty IDE problem
    By thesecretfire in forum Hardware
    Replies: 16
    Last Post: May 17th, 2002, 12:31 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides