This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I was trying to make some small frame size packets (64b) and pass them through a switch to see how they react I was able to do something like that using python and scapy so thats good but i just wanted to confirm that the frame length showing up in the packet see attached image is actually the ethernet frame size it looks like it is.

alt text

asked 10 Dec '14, 13:33

robm's gravatar image

robm
11112
accept rate: 0%


On an Ethernet network, the minimum frame size is 64 bytes, including the 14-byte header and the 4-byte CRC at the end of the packet.

Thus, the minimum size of the Ethernet payload is 46 bytes; 14+46+4 = 64.

If a program wants to transmit, on an Ethernet, a packet with fewer than 46 bytes of payload - for example, an TCP segment, transmitted over IPv4, with only an ACK, so there's no TCP payload, and with no TCP or IP options, so that the payload would be 20 bytes of IPv4 header and 20 bytes of TCP header, for a total of 40 bytes - padding would have to be added to the end of the payload, to make the frame a total of 64 bytes. For the ACK-only segment, it would have 14 bytes of Ethernet header, 20 bytes of IP header, 20 bytes of TCP header, 6 bytes of padding, and 4 bytes of CRC.

So if a packet is captured from an actual Ethernet network, it should have always be at least 60 bytes if the CRC is discarded by the adapter before handing the packet to the host, or by the networking stack before handing it to the capture application (so that it's not part of the captured packet; that's usually the case) and at least 64 bytes if the CRC is not discarded.

However, if the packet is being transmitted by the host running the capture program, it will NOT be captured from an Ethernet network; Ethernet adapters do not receive the packets that they transmit. Instead, the OS kernel mechanisms that are used to do the capture will take a copy of the packet before it's handed to the adapter and hand that copy to the capture mechanism. The padding is almost always, if not always, added by the network adapter, not by the OS networking stack, so the packet that gets handed to the capture mechanism will not include the padding (or the CRC, for that matter, as that's also added by the network adapter).

Frame 2 in your capture is a TCP segment transmitted over IPv4. If it had only one byte of TCP data and no IP or TCP options, and it was being sent by the machine that was actually capturing the traffic, then it would show up in the capture as being a 55-byte packet, the 64-byte minimum size nonwithstanding.

ARP packets also typically have less than 46 bytes of ARP message - if frames 1 and 3 have 28-byte ARP messages, and were sent by the machine that was actually capturing the traffic, then they would show up in the capture as being 42-byte packets, the 64-bit minimum size again nonwithstanding.

permanent link

answered 10 Dec '14, 18:15

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×26
×7
×6

question asked: 10 Dec '14, 13:33

question was seen: 10,010 times

last updated: 10 Dec '14, 18:15

p​o​w​e​r​e​d by O​S​Q​A