October 29th, 2007, 08:09 PM
Wireshark capture problem
My OS is XP Pro SP2 connected via wireless to an ADSL router. I've started to look at traffic on my network, initially with WinDump and recently with Wireshark. I've been led to believe that the minimum and maximum length of an Ethernet frame is 64 and 1518 bytes respectively (source MAC = 6, destination MAC = 6, type = 2, data = 46 to 1500 and CRC = 4).
I started a Wireshark capture and then ran some commands at the CMD console and navigated to some new web pages. I looked at the capture and, in particular, ARP in the protocol column. I was surprised to see that every ARP frame was reported as "42 bytes on wire, 42 bytes captured" and the protocols in the frame were reported as "eth:arp" (I checked very carefully and counted the number of bytes in the frame as 42 decimal rather than 42 hex). I was under the impression that, if the data section of the Ethernet frame was less than 46 bytes, padding was appended to fill up to 46 bytes.
Can someone give me an idea what's wrong with my thought process?
As a spin-off, when I click on "Ethernet II" (in the packet details window), it correctly highlights (in the packet bytes window) the contiguous 2 MAC addresses and type but the CRC at the end of the frame is not shown. Why?
Thanks for your time.
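
The byte counts from the post, worked through as an added example that is not part of the original post: a constructed ARP request is 14 bytes of Ethernet II header plus 28 bytes of ARP (the 42 bytes reported), and the code computes the padding and CRC-32 FCS that bring it to the 64-byte minimum. The MAC and IP addresses and all function names are constructed for illustration.

```python
import struct
import zlib

ETH_HEADER_LEN = 14   # destination MAC 6 + source MAC 6 + type 2
MIN_DATA_LEN = 46     # minimum data length quoted in the post
FCS_LEN = 4           # CRC at the end of the frame
CRC32_RESIDUE = 0x2144DF1C  # zlib.crc32 over any data followed by its own CRC-32

def build_arp_request(src_mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Ethernet II header + ARP request, with no padding and no FCS."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", 0x0806)   # broadcast, type ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)           # Ethernet/IPv4, request
    arp += src_mac + src_ip + b"\x00" * 6 + dst_ip            # sender, empty target MAC, target IP
    return eth + arp

def to_wire(frame: bytes) -> bytes:
    """Pad the data field to 46 bytes and append the CRC-32 FCS (least significant byte first)."""
    pad = max(0, MIN_DATA_LEN - (len(frame) - ETH_HEADER_LEN))
    padded = frame + b"\x00" * pad
    return padded + struct.pack("<I", zlib.crc32(padded))

def fcs_ok(wire_frame: bytes) -> bool:
    """True if the last four bytes are a valid FCS for the rest of the frame."""
    return zlib.crc32(wire_frame) == CRC32_RESIDUE

def breakdown(frame: bytes) -> dict:
    """Byte counts for a frame as captured without padding or FCS."""
    data_len = len(frame) - ETH_HEADER_LEN
    pad_len = max(0, MIN_DATA_LEN - data_len)
    return {"captured": len(frame), "header": ETH_HEADER_LEN, "data": data_len,
            "padding": pad_len, "fcs": FCS_LEN,
            "on_wire": len(frame) + pad_len + FCS_LEN}

# Constructed sample addresses, not taken from the post.
SAMPLE = build_arp_request(bytes.fromhex("020000000001"),
                           bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))

if __name__ == "__main__":
    print(breakdown(SAMPLE))
    print("FCS valid:", fcs_ok(to_wire(SAMPLE)))
```

Capture drivers typically see locally sent frames before the adapter adds padding and the FCS, and adapters usually strip the FCS from received frames, so neither appears in the packet bytes.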