This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark capture of Ethernet frame - size shows as 43 bytes

0

Hi there,

I'm using Wireshark in an attempt, along with other means, as a learning tool. Bearing in mind that the supposed minimum length of an Ethernet Frame is 64 bytes, I can't quite work out the following capture from Wireshark. I basically sent a ping of 1 byte in size to my default gateway, and here is the information from Wireshark:

[Image: screenshot of the Wireshark capture]

I can't understand why the frame only seems to be 43 bytes in length.

According to this article:

http://wiki.wireshark.org/Ethernet

The preamble (8 bytes) and Frame Check Sequence (4 bytes) may not be displayed, yet this takes that total frame size up to 55 bytes.

Am I reading this incorrectly, or missing something? Are there implementations of Ethernet that do not specify a minimum frame length?

Any help would be appreciated

asked 21 Jan '11, 05:08

whitezombie


2 Answers:

2

This is outgoing traffic from your PC. That means that it hits the capture engine before passing on to the network card. It's at that lower layer that the 64 octet rule comes into play.

Try capturing 'on the wire' with another PC on a hub or monitor port of a switch. Then spot the difference.

answered 21 Jan '11, 05:28

Jaap ♦

Aha, thank you, I looked at the response, and the "Bytes on Wire" is 60, so presumably this is the frame, with buffers, having had the Preamble and/or the FCS removed, and passed 'up', and captured by Wireshark?

Thank you very much!

(21 Jan '11, 06:32) whitezombie
1

Yes and no.

Yes - the FCS is usually removed from all frames, so you see 60 bytes at the receiving side when the frame had 64 bytes for real.

And no - it is not the preamble missing on the sender side, but the padding bytes. What you see is 14 bytes ethernet header, 20 bytes IP header, 8 bytes ICMP header, 1 byte payload, equals 43. The NIC will later add padding bytes to get it up to 60 bytes and adds the FCS. Voila, 64 bytes - but Wireshark grabs the packet too early as Jaap already explained, so you see 43 bytes on the sender side.

(21 Jan '11, 09:14) Jasper ♦♦

Thank you Jasper (and Jaap). Sorry, what I meant was when I see the response to the ping, it shows as 60 bytes, which I presumed was the frame minus the FCS. Does the Preamble not actually display as part of the frame, as all it's doing is, according to Cisco: "Preamble (PRE) - Consists of 7 bytes. The PRE is an alternating pattern of ones and zeros that tells receiving stations that a frame is coming, and that provides a means to synchronize the frame-reception portions of receiving physical layers with the incoming bit stream", so may not strictly be seen as part of the frame?

Presumably then, with the outgoing frame, if it consists of 14 bytes ethernet header, and the rest being info from the upper layers, the data is not captured as it leaves the Ethernet interface, as there's no evidence yet of Ethernet SOF, DA, SA, Length/Type, Data and FCS. Though not sure what the Ethernet header consists of, will have to have a look.

(22 Jan '11, 02:56) whitezombie

2

Hi, no, the Preamble is not part of the frame and cannot be captured with Wireshark (and I know of no other network analyzer using standard PC NICs that could). Your 60 byte frame is the 64 byte minimum frame minus the FCS, which had been discarded since it's not necessary to keep it. If it had been wrong the frame would have been dropped anyway, and Wireshark would never have seen it.

The Ethernet header is 14 bytes, 6 for the destination address, 6 for the source address, and 2 for the ethertype telling which protocol header comes next. Usually it's hex 0800 for IPv4 or 0806 for ARP, but others can be observed sometimes as well (IPv6 coming up with 86DD). If you take a look at your 43 byte ping packet you will see that everything's in there: the ethernet, ip, icmp headers plus your 1 byte ping payload. All that is missing is the padding that is added later to get to 60 bytes, which will be enough to get to 64 required minimum size with the FCS applied.

answered 22 Jan '11, 17:01

Jasper ♦♦

Ah yes, well done.

For the outgoing Ping. IP Header Length 20 bytes, ICMP 8 bytes, plus 1 byte payload. Ethernet - 6 bytes each for the MAC address of my network card, and then my default gateway, plus two for the type (IP (0x0800)).

Thanks for all your help.

(24 Jan '11, 13:19) whitezombie
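The byte accounting from the answers above, as an added example that is not part of the original thread: it builds the 1-byte ping as the sender's capture sees it, then applies the padding and FCS that the NIC adds afterwards. The MAC and IP addresses are constructed sample values, and the FCS is computed with `zlib.crc32`, which uses the same CRC-32 as Ethernet.

```python
import struct
import zlib

ETH_HDR, MIN_NO_FCS, FCS_LEN = 14, 60, 4   # header, minimum frame without FCS, FCS

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ping_frame(payload: bytes) -> bytes:
    """Frame as handed to the NIC driver: no padding, no FCS yet."""
    dst = bytes.fromhex("020000000001")            # constructed gateway MAC
    src = bytes.fromhex("020000000002")            # constructed host MAC
    eth = dst + src + struct.pack("!H", 0x0800)    # ethertype IPv4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload   # echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + icmp

def on_wire(frame: bytes) -> bytes:
    """What happens after the capture point: pad to 60 bytes, append the FCS."""
    padded = frame.ljust(MIN_NO_FCS, b"\x00")
    return padded + struct.pack("<I", zlib.crc32(padded))

def breakdown(frame: bytes) -> dict:
    """Split a captured frame (FCS already stripped) into its byte counts."""
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    return {"ethernet": ETH_HDR, "ip": ihl, "icmp": 8,
            "payload": ip_total - ihl - 8,
            "padding": len(frame) - ETH_HDR - ip_total,
            "captured": len(frame)}

if __name__ == "__main__":
    sent = build_ping_frame(b"a")             # sender-side capture
    wire = on_wire(sent)                      # 64 bytes on the cable
    received = wire[:-FCS_LEN]                # receiver-side capture, FCS stripped
    print("sender  :", breakdown(sent))
    print("on wire :", len(wire), "bytes")
    print("receiver:", breakdown(received))
```

The padding count comes from comparing the captured length with the IP total length field, which is also how to spot trailer bytes in a real capture.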