This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IP Total Length includes Ethernet Header

0

I am working with software that includes the Ethernet Header size (14 bytes) in the IPv4 Total Length value. I have read the IP RFC 791 and it should not be part of the IP Total Length, but I noticed that Wireshark is not upset with the message.

Does anyone know why?

asked 10 Mar '15, 09:12

blogzit

Not only should the Ethernet header not be included in the IP Total Length, but the entire frame should be 18 bytes larger than the IP packet, not 14. Many systems strip off the Frame Check Sequence before Wireshark sees the packet, so we only see 14 bytes of Ethernet overhead, but the entire frame as transmitted on the wire is 18 bytes larger than the IP portion if both the Ethernet header and trailer are included.

Can you possibly upload some packets illustrating this, if they don't include confidential information? You can upload to https://appliance.cloudshark.org/ and then post the link here.

And the obvious conclusion about why Wireshark is not upset would be that Wireshark is simply displaying the Total Length field, but not doing error checking on that field.

(10 Mar '15, 09:58) Jim Aragon
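
The length relationship discussed above can be checked directly on captured bytes. The following is an added example, not code from this thread or from Wireshark; the function names are hypothetical, and it assumes untagged Ethernet II frames captured without the FCS. It uses the UDP length field as a second reference so the extra 14 bytes are still detected when a short frame was padded to the Ethernet minimum.

```python
import struct

ETH_HLEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

def check_total_length(frame: bytes) -> str:
    """Classify the IPv4 Total Length of an untagged Ethernet II frame (no FCS)."""
    if len(frame) < ETH_HLEN + 20:
        return "too-short"
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return "not-ipv4"
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", ip, 2)
    if ihl < 20 or total_len < ihl:
        return "invalid-header"
    # Bytes after the Ethernet header are only an upper bound: short frames
    # carry padding up to the 60-byte minimum, so a smaller Total Length is legal.
    expected, exact = len(ip), False
    # Unfragmented UDP (MF clear, offset 0) carries its own length field,
    # which pins the datagram size even when the frame was padded.
    if ip[9] == IPPROTO_UDP and frag & 0x3FFF == 0 and len(ip) >= ihl + 8:
        expected = ihl + struct.unpack_from("!H", ip, ihl + 4)[0]
        exact = True
    if total_len == expected + ETH_HLEN:
        return "includes-ethernet-header"
    if total_len > len(ip):
        return "exceeds-frame"
    if total_len == expected or (not exact and total_len < expected):
        return "ok"
    return "mismatch"

def build_udp_frame(payload: bytes, extra_len: int = 0) -> bytes:
    """Constructed sample: Ethernet II + IPv4 + UDP, zero checksums, padded to 60 bytes."""
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + extra_len, 0, 0,
                     64, IPPROTO_UDP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    return (eth + ip + udp).ljust(60, b"\x00")
```

Passing `extra_len=14` to the sample builder reproduces the situation in the question, where the sender adds the Ethernet header size to the Total Length.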

Thank you for answering my question. Unfortunately, the packets are proprietary.

(10 Mar '15, 11:50) blogzit

Then it's obviously hard to help you.

"but I noticed that Wireshark is not upset with the message."

What does that mean?

(11 Mar '15, 03:31) Kurt Knochner ♦