Hi guys,

I captured a ping to my default gateway with Wireshark. I'm now wondering about the "Length" field. From what I already know, the Preamble and FCS fields are not shown by Wireshark. So is this the REAL frame length? I mean it includes all fields from Preamble to FCS included?

Thank you for clarification!

Best Regards
Adam

asked 05 Aug '15, 06:25 adasko

2 Answers:
No, the length field is displayed by Wireshark. As you stated, the Ethernet preamble is not displayed by Wireshark. Therefore, the length does not include the preamble. To confirm this, observe the Packet Details and Packet Bytes section in Wireshark. There are no Ethernet preamble bits shown in either. If you count the bits in the Packet Bytes section it will match the length field.

answered 05 Aug '15, 06:36 Amato_C

Wireshark is showing you the length of the Ethernet frame that is handed to it, which may or may not include the FCS. No capture hardware that I'm aware of saves the preamble or SFD bytes (if it did, it would probably require a new DLT), and most common capture hardware strips away the FCS so that Wireshark (or any packet analysis tool) never sees it. Some capture hardware does retain the FCS though, in which case it could be present in the capture file, and if it is, the Ethernet frame length will reflect those bytes as well.

answered 05 Aug '15, 08:16 cmaynard ♦♦

Actually, there are DLTs such as

(05 Aug '15, 08:20) cmaynard ♦♦

OK, so I cannot understand one thing. When I run ping it sends 32 bytes: "The default is 32. The maximum size is 65,527." So Wireshark is showing the length as 74 bytes. So if I add the Preamble 8 bytes / FCS 4 bytes it makes = 86 bytes. So even if the smallest Ethernet II Frame is 64 bytes (86-64 equals 22 bytes). So what about the 32 bytes that the ping is sending, or am I looking at it in a wrong way?

(06 Aug '15, 01:48) adasko

> or am I looking at it in a wrong way ?

Yes. The 74 bytes is comprised of the following:

(06 Aug '15, 07:49) cmaynard ♦♦

OK, now I see. So 14 bytes for the Ethernet Header (Destination + Source + Type Field) and 60 bytes which is the actual Layer 3 PDU encapsulated in the Ethernet Frame, correct? Is it technically correct to say that the ICMP message / request is ENCAPSULATED within the IPv4 packet?

(07 Aug '15, 02:14) adasko

Thank you! And what about the FCS field? Is it included? Or is the Wireshark "Length" field the total length of the Ethernet Frame minus Preamble (8 bytes) and FCS (4 bytes)?

Neither the Preamble nor FCS is included.
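
The byte accounting discussed in this thread, as an added example that is not part of any post above: it builds a constructed 32-byte ping frame (MAC and IP addresses are made-up sample values, the ICMP checksum is left at zero), splits the captured length into its layers, and checks whether the last four bytes are a retained FCS by recomputing the Ethernet CRC-32. It assumes an untagged Ethernet II frame carrying IPv4 and ICMP.

```python
import struct
import zlib

ETH_HDR = 14        # destination MAC + source MAC + EtherType
ICMP_HDR = 8        # type, code, checksum, identifier, sequence
PREAMBLE_SFD = 8    # on the wire only, never handed to the capture tool
FCS_LEN = 4         # on the wire always, in the capture only if hardware keeps it

def build_ping_frame(payload_len=32, with_fcs=False):
    """Constructed ICMP echo request; all addresses are sample values."""
    payload = bytes(0x61 + i % 23 for i in range(payload_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    frame = eth + ip + icmp
    if with_fcs:  # the FCS is the CRC-32 of the frame, least significant byte first
        frame += struct.pack("<I", zlib.crc32(frame))
    return frame

def has_fcs(frame):
    """True if the trailing 4 bytes equal the CRC-32 of everything before them."""
    if len(frame) < ETH_HDR + FCS_LEN:
        return False
    return struct.pack("<I", zlib.crc32(frame[:-FCS_LEN])) == frame[-FCS_LEN:]

def breakdown(frame):
    """Split a captured Ethernet II / IPv4 / ICMP frame into per-layer byte counts."""
    fcs = FCS_LEN if has_fcs(frame) else 0
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[ETH_HDR] & 0x0F) * 4            # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    if frame[ETH_HDR + 9] != 1:
        raise ValueError("not ICMP")
    padding = len(frame) - fcs - ETH_HDR - total_len   # pad bytes on short frames
    if padding < 0:
        raise ValueError("frame shorter than the IPv4 total length (truncated capture)")
    return {
        "captured": len(frame), "ethernet": ETH_HDR, "ipv4": ihl,
        "icmp": ICMP_HDR, "data": total_len - ihl - ICMP_HDR,
        "padding": padding, "fcs_in_capture": fcs,
        "on_wire": len(frame) - fcs + FCS_LEN + PREAMBLE_SFD,
    }

if __name__ == "__main__":
    for label, f in (("FCS stripped", build_ping_frame()),
                     ("FCS retained", build_ping_frame(with_fcs=True))):
        print(label, breakdown(f))
```
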