I've a pcap file with several ARP packets. If there is a protocol after ARP, how can Wireshark identify it? If it is an IP packet, I can see the next protocol in the protocol field. But ARP does not have this field.
asked 18 Nov '14, 04:53 Struci
One Answer:
ARP is a standalone protocol, it's not a transport layer for other protocols. See Internet Standard 37 and the Wikipedia page.
answered 18 Nov '14, 05:00 grahamb ♦
Thanks grahamb. And you can identify ARP by the type field of Ethernet, right? And how can you identify a protocol after ARP? Or how can I know how many padding bytes there are after the ARP protocol?
The padding issue is more difficult. Wireshark has a display filter field eth.padding that contains the padding bytes, but nothing I know of to actually say the length of that padding.
You seem to be implying that you have Ethernet frames containing ARP traffic followed by something else. If so, can you post an example capture illustrating this somewhere, e.g. CloudShark, Dropbox, Google Drive, and post the link back by editing your question?
Right.
As Graham said, there isn't a protocol after ARP within a given Ethernet frame - there's the Ethernet header, there's the ARP packet, there's the padding, and that's it. The same applies for other link-layer protocols such as 802.11, except that the other protocols don't have a minimum frame length, so there's no padding.
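The frame layout described above (Ethernet header, ARP packet, padding), as an added example that is not part of the original thread: the ARP length is taken from the packet's own hardware- and protocol-address length fields, and whatever follows it in the frame is returned as trailing bytes. It assumes an untagged Ethernet II frame captured without the FCS; the function name and the sample frame are constructed for illustration.

```python
import struct

ETH_HEADER_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_ARP = 0x0806
ARP_FIXED_LEN = 8        # htype (2) + ptype (2) + hlen (1) + plen (1) + oper (2)


def split_arp_frame(frame: bytes):
    """Return (arp_bytes, trailing_bytes) for an untagged Ethernet II ARP frame.

    Assumption: the capture does not include the 4-byte FCS, so every byte
    after the ARP packet is padding/trailer.
    """
    if len(frame) < ETH_HEADER_LEN + ARP_FIXED_LEN:
        raise ValueError("frame too short for Ethernet + ARP fixed header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    # ARP carries its own address sizes, so its total length is self-describing.
    _htype, _ptype, hlen, plen, _oper = struct.unpack_from(
        "!HHBBH", frame, ETH_HEADER_LEN
    )
    arp_len = ARP_FIXED_LEN + 2 * (hlen + plen)   # sender + target addresses
    arp_end = ETH_HEADER_LEN + arp_len
    if len(frame) < arp_end:
        raise ValueError("ARP packet truncated")
    return frame[ETH_HEADER_LEN:arp_end], frame[arp_end:]


# Constructed sample: ARP request for 192.0.2.2, zero-padded to the
# 60-byte Ethernet minimum (FCS excluded).
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff" "001122334455" "0806")
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)         # Ethernet/IPv4, request
    + bytes.fromhex("001122334455") + bytes([192, 0, 2, 1])  # sender MAC/IP
    + bytes(6) + bytes([192, 0, 2, 2])                   # target MAC/IP
    + bytes(18)                                          # padding
)

if __name__ == "__main__":
    arp, trailer = split_arp_frame(SAMPLE_FRAME)
    print(f"ARP: {len(arp)} bytes, trailing: {len(trailer)} bytes")
    print("trailer all zero:", not any(trailer))
```
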
Yes, the only stuff after ARP would, on Ethernet, be padding. You find out how many padding bytes there are by: