This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I've a pcap file with several ARP packets. If there is a protocol after ARP, how can Wireshark identify it?

If it is an IP packet, I can see the next protocol in the protocol field. But ARP does not have this field.

asked 18 Nov '14, 04:53

Struci


ARP is a standalone protocol, it's not a transport layer for other protocols. See Internet Standard 37 and the Wikipedia page.

answered 18 Nov '14, 05:00

grahamb ♦

Thanks grahamb. And you can identify ARP by the type field of Ethernet, right? And how can you identify a protocol after ARP? Or how can I know how many padding bytes there are after the ARP protocol?

(18 Nov '14, 05:46) Struci

The padding issue is more difficult. Wireshark has a display filter field eth.padding that contains the padding bytes, but nothing I know of to actually say the length of that padding.

You seem to be implying that you have Ethernet frames containing ARP traffic followed by something else. If so, can you post an example capture illustrating this somewhere, e.g. CloudShark, Dropbox, Google Drive, and post the link back by editing your question?

(18 Nov '14, 06:11) grahamb ♦

> And you can identify ARP by the type field of Ethernet, right?

Right.

> And how can you identify a protocol after ARP?

As Graham said, there isn't a protocol after ARP within a given Ethernet frame - there's the Ethernet header, there's the ARP packet, there's the padding, and that's it. The same applies for other link-layer protocols such as 802.11, except that the other protocols don't have a minimum frame length, so there's no padding.

> Or how can I know how many padding bytes there are after the ARP protocol?

Yes, the only stuff after ARP would, on Ethernet, be padding. You find out how many padding bytes there are by:

  • finding out how big the entire Ethernet packet is;
  • subtracting 14 from that value for the Ethernet header (and, if the packet you have includes the FCS, subtract another 4 bytes for the FCS);
  • parsing the ARP packet to figure out how big it is (add the size of the fixed-length portion of the ARP packet to the lengths of the addresses in the packet);
  • subtracting the size of the ARP packet from the result of the previous subtraction.
(19 Nov '14, 15:52) Guy Harris ♦♦
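
The four subtraction steps listed in the comment above, written out as an added Python example (not part of the original thread and not Wireshark code). The function names and the sample frame are constructed for illustration, and the code assumes an untagged Ethernet II frame (no 802.1Q VLAN tag).

```python
import struct

ETH_HDR_LEN = 14       # destination MAC + source MAC + EtherType (no VLAN tag assumed)
FCS_LEN = 4            # frame check sequence, present only in some captures
ETHERTYPE_ARP = 0x0806
ARP_FIXED_LEN = 8      # htype(2) + ptype(2) + hlen(1) + plen(1) + oper(2)


def arp_padding_len(frame: bytes, has_fcs: bool = False) -> int:
    """Return the number of padding bytes that follow the ARP packet."""
    overhead = ETH_HDR_LEN + (FCS_LEN if has_fcs else 0)
    if len(frame) < overhead + ARP_FIXED_LEN:
        raise ValueError("frame too short for Ethernet header plus fixed ARP fields")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    # Steps 1 and 2: whole frame minus Ethernet header (and FCS if captured).
    payload_len = len(frame) - overhead
    # Step 3: fixed fields plus sender/target hardware and protocol addresses.
    hlen, plen = struct.unpack_from("!BB", frame, ETH_HDR_LEN + 4)
    arp_len = ARP_FIXED_LEN + 2 * (hlen + plen)
    if arp_len > payload_len:
        raise ValueError("ARP packet is truncated")
    # Step 4: whatever is left after the ARP packet is padding.
    return payload_len - arp_len


def build_sample_frame(pad: int = 18) -> bytes:
    """Constructed ARP request (not from a real capture), padded to 60 bytes by default."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)               # Ethernet/IPv4 request
    arp += bytes.fromhex("020000000001") + bytes([192, 0, 2, 1])  # sender MAC, IP
    arp += bytes(6) + bytes([192, 0, 2, 2])                       # target MAC, IP
    return eth + arp + bytes(pad)


if __name__ == "__main__":
    frame = build_sample_frame()
    print(len(frame), "byte frame,", arp_padding_len(frame), "padding bytes")
```

Frames captured on the sending host are often seen before the network adapter pads them, so a result of 0 there does not mean the frame went onto the wire unpadded.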
question asked: 18 Nov '14, 04:53

question was seen: 2,953 times

last updated: 19 Nov '14, 15:53
