This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all, I'm posting to get help about the least packet size of Ethernet. as i know, the least packet size of ehternet is 64bytes when i capure my laptop computer during access some web-server(www.daum.net) i found some strange about packet(or frame) size of it.

A size of some packet of them is less than 64bytes. for all that, everything was good exept very small some packets tcp ack packet size was just 54bytes(includes L2 header)

I wonder why the packet was so small(it less than 64bytes)? and why it was considered as a good packet?

alt text

detail information of frame#15 alt text

asked 08 Apr '14, 22:16

Ray_Han's gravatar image

Ray_Han
566611
accept rate: 0%


That's because your capture setup is flawed. You captured on the PC sending and receiving packets, and that gives you wrong results.

What happens here is that your PC is running with a modern network card that takes over certain tasks from the main CPU, like calculating the checksums, large payload segmentation, and padding. This means that your PC is sending incomplete packets to the network card which then does all the work, but by then, Wireshark has already captured the packet before it was finalized. That way the padding to the full minimum size of 64 bytes wasn't complete and you end up with apparently short packets.

To verify this capture with a 3rd PC on a SPAN port and you'll see that your packets are fine. You can also verify this by capturing on the other system (that your PC is talking to) and you'll see perfect frames coming in.

permanent link

answered 09 Apr '14, 01:08

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hi Jasper Thanks for your explanation. it's good help to understand my capture. thanks again and have a nice day!

(09 Apr '14, 02:01) Ray_Han

@Ray_Han If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(09 Apr '14, 02:34) grahamb ♦

(Actually, even ancient Ethernet adapters calculate the Ethernet CRC and pad the packets out to the minimum size; it's TCP and IP checksum offloading, and TCP large payload segmentation, that are relatively new features for network adapters.

So, no matter what Ethernet adapter you have, packets sent from the machine running Wireshark will not, when captured, be padded out to the minimum length.)

(10 Apr '14, 10:45) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×25

question asked: 08 Apr '14, 22:16

question was seen: 2,331 times

last updated: 10 Apr '14, 10:46

p​o​w​e​r​e​d by O​S​Q​A