I use Wireshark V1.12.0 On a first platform, at different times, I record the same flow with a lot of frames with a eth.fcs_bad status ! I build a second identic platform in my office. With another PC, WIRESHARK 1.12.0, I see the same flow with a lot of frames with a eth.fcs_bad status ! On this second platform I check this flow with another sniffer. I don't see theses eth.fcs_bad frames. What appends ? Do you know this problem ? Thank you for your help. Best regards asked 14 Aug '14, 08:42  EURO59 |
One Answer:
Maybe you should turn off checking the FCS in the Ethernet dissector settings, because your frames most likely do not contain the FCS anyway. Only some hardware analyzers record those; normal PCs with standard NICs don't. answered 14 Aug '14, 08:44  Jasper ♦♦ |
...although some NICs can be configured to do so, and some drivers might do so. (I put the whole "heuristically determine whether there's an FCS or not" mechanism in because the Mac I was using at the time at work did include the FCS in incoming frames.)
Hi,
Thank you for your answers
Of course if I switch off the eth.check-fcs there is no eth.fcs-bad frames anymore...
In my case my file records one TCP connection with MODBUS application protocol TCP connection is OK, MODBUS DATA are exchanged in each WAY Nearly 20 % of frames are in eth.fcs-bad. I don't understand why only PSH,ACK TCP frames from client to server have all an eth.fcs-bad status ! Note that theses frames have no data then they are short and have a padding
What do you think about that ?
Best regards
Probably the heuristics mentioned by Guy thinks that the padding are the FCS