This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

length field

0

Hi guys,

I captured a ping to my default gateway with Wireshark. I'm now wondering about the "Length" field. From what I already know, the Preamble and FCS fields are not shown by Wireshark. So is this the REAL frame length? I mean, does it include all fields from Preamble to FCS inclusive?

Thank you for the clarification!

Best Regards

Adam

asked 05 Aug '15, 06:25

adasko


2 Answers:

1

No, the length field is displayed by Wireshark. As you stated, the Ethernet preamble is not displayed by Wireshark. Therefore, the length does not include the preamble.

To confirm this, observe the Packet Details and Packet Bytes section in Wireshark. There are no Ethernet preamble bits shown in either. If you count the bits in the Packet Bytes section it will match the length field.

answered 05 Aug '15, 06:36

Amato_C

Thank you! And what about the FCS field? Is it included? Or is the Wireshark "Length" field the total length of the Ethernet frame minus Preamble (8 bytes) and FCS (4 bytes)?

(05 Aug '15, 06:47) adasko

Neither the Preamble nor the FCS is included.

(05 Aug '15, 06:58) Amato_C

1

Wireshark is showing you the length of the Ethernet frame that is handed to it, which may or may not include the FCS. No capture hardware that I'm aware of saves the preamble or SFD bytes (if it did, it would probably require a new DLT), and most common capture hardware strips away the FCS so that Wireshark (or any packet analysis tool) never sees it. Some capture hardware does retain the FCS though, in which case it could be present in the capture file, and if it is, the Ethernet frame length will reflect those bytes as well.

answered 05 Aug '15, 08:16

cmaynard ♦♦

Actually, there are DLTs such as LINKTYPE_NETANALYZER_TRANSPARENT that do seem to include the preamble, SFD and FCS. See http://www.tcpdump.org/linktypes.html. But I'm guessing you're asking about LINKTYPE_ETHERNET.

(05 Aug '15, 08:20) cmaynard ♦♦

OK, so I cannot understand one thing. When I run ping it sends 32 bytes: "The default is 32. The maximum size is 65,527." So Wireshark is showing the length as 74 bytes. So if I add the Preamble 8 bytes / FCS 4 bytes it makes = 86 bytes. So even if the smallest Ethernet II frame is 64 bytes (86-64 equals 22 bytes). So what about the 32 bytes that the ping is sending, or am I looking at it in a wrong way?

(06 Aug '15, 01:48) adasko
1

"or am I looking at it in a wrong way?"

Yes. The 74 bytes is comprised of the following:

Ethernet header: 14 bytes
IP header (standard): 20 bytes
ICMP header: 8 bytes
ICMP payload: 32 bytes
(06 Aug '15, 07:49) cmaynard ♦♦

OK, now I see. So 14 bytes for the Ethernet header (Destination + Source + Type field) and 60 bytes which is the actual Layer 3 PDU encapsulated in the Ethernet frame, correct?

Is it technically correct to say that the ICMP message / request is ENCAPSULATED within the IPv4 packet?

(07 Aug '15, 02:14) adasko
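
The 14 + 20 + 8 + 32 = 74 breakdown from the thread above, as an added example that is not part of the original posts: it builds a constructed ping frame, splits the captured length by layer, and checks whether the last four bytes are a valid FCS, which covers the case where capture hardware retains it. The function names, MAC addresses and 192.0.2.x addresses are assumptions made for the sample.

```python
import struct
import zlib

ETH_HDR_LEN = 14   # destination MAC + source MAC + EtherType
ICMP_HDR_LEN = 8   # type, code, checksum, identifier, sequence
FCS_LEN = 4        # CRC-32 trailer, usually stripped before capture

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ping_frame(payload_len: int = 32) -> bytes:
    """Constructed Ethernet II / IPv4 / ICMP echo request (sample data)."""
    payload = bytes(0x61 + i % 23 for i in range(payload_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip + icmp

def has_fcs(frame: bytes) -> bool:
    """True if the last 4 bytes are a valid Ethernet FCS (CRC-32, sent LSB first)."""
    if len(frame) <= ETH_HDR_LEN + FCS_LEN:
        return False
    return struct.pack("<I", zlib.crc32(frame[:-FCS_LEN])) == frame[-FCS_LEN:]

def length_breakdown(frame: bytes) -> dict:
    """Split the captured frame length into per-layer byte counts."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 EtherType")
    if frame[ETH_HDR_LEN + 9] != 1:
        raise ValueError("not ICMP")
    fcs = FCS_LEN if has_fcs(frame) else 0
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    ip_total = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return {"captured": len(frame), "ethernet": ETH_HDR_LEN, "ip": ihl,
            "icmp": ICMP_HDR_LEN, "payload": ip_total - ihl - ICMP_HDR_LEN,
            "padding": len(frame) - fcs - ETH_HDR_LEN - ip_total, "fcs": fcs}
```

The padding entry is non-zero only for frames shorter than the 60-byte minimum (64 with FCS), which a 32-byte ping never is.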