This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Vlan trailer on LLC-SNAP packet

0

Hi, When import wireshark LLC-SNAP packet, it recognizes an eight bytes trailer as a part of the Vlan Tag. I haven't read about this field and don't know its meaning, can you tell me where is it come from? and does the "length" (a part of the LLC - SNAP packet) filed has influence on it?

Thanks , Aya

asked 20 Jul '17, 02:09

aya%20dagan's gravatar image

aya dagan
6445
accept rate: 0%


One Answer:

0

This is the common issue of octets belogning to the same logical layer being scattered at different physical places in the packet. There is the Ethernet header, the Vlan header, and the higher layers (either encapsulated using LLC or directly, identified by Ethertype in the Vlan header). If the headers + payload occupy less bytes than the minimum required length of an Ethernet frame, the payload is followed by stuffing octets, which the Wireshark dissector shows as part of the VLAN layer (or Ethernet layer if VLAN layer is not used in that frame), although physically they are not directly there. If you draw open the packet bytes pane from the bottom of the window and click the Trailer: line in the dissection tree, you'll see the last bytes of the frame to be highlighted in the packet bytes pane.

This behaviour does not depend on whether the payload is identified using LLC or Ethertype.

answered 20 Jul '17, 03:56

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Hi , Thanks for you answer, but is the minimum packet size isn't 64 bytes? because my packet is 819 bytes, the user data is 731 bytes (payload) + 8 bytes TCP header + 20 bytes IPV4 header (=759 bytes) The Ethertype length filed is 789 , and I have 8 bytes trailer.

Am I missing something? because it looks my packet is larger than the minimum, packets size.

Thanks again Aya

(20 Jul '17, 05:27) aya dagan

Well, it is hard to guess what's going on from incomplete information. If you can publish an export of that single packet into a pcap file at cloudhark or any file sharing service, login-free, and edit your question with a link to it, you shall get better information.

(20 Jul '17, 07:56) sindy