This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture length with 60 bytes

0

Hi,

I have, on my hp switch log with : "A device on port 24 is transmitting packets shorter than 64 bytes or longer than 1518 bytes (longer than 1522 bytes if tagged), with valid CRCs"

I capture the traffic with monitoring the port in default and a lot of packets have a length of 60 bytes, can i conclude that the equipement connected to my procurve send wrong packet ?

Thanks for the reponse

Best regards

asked 05 Dec '11, 07:26

networkmanager's gravatar image

networkmanager
1112
accept rate: 0%

edited 05 Dec '11, 07:29


2 Answers:

2

No, because Wireshark will not capture the FCS (Frame Check Sequence), which is 4 bytes, so actually you have to add 4 bytes in mind to each frame you capture. So each 64 byte packet on the wire is displayed as 60 bytes in the capture file - unless you have a special capture device that will capture the FCS as well, but those are usually special capture devices.

By the way, packets that are too long or too short will be dropped by the switch on reception, so you won't even see it on your monitoring port, because it doesn't get there.

Maybe you have a device with Jumbo Frames enabled that will result in messages like that; otherwise it will be difficult to find out what is causing this message. You'd need to access the link in question (port 24 as it seems) with a Hub or TAP and a capture device that can record broken frames, which rules out any standard PC NIC - because a "normal" NIC will also drop broken frames, so Wireshark won't see it even if it was there.

answered 05 Dec '11, 07:34

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

1

No, the reason that you see 60 bytes frames in Wireshark is because the NIC verifies the frame-check-sequence (FCS, which HP denotes as CRC) and strips it before Wireshark gets the packets (from libpcap/winpcap).

I suspect that the only way to see which frames are actually to short or to long, you will need to insert a TAP between port 24 of the switch and the system(s) that are connected to it. As I suspect that the HP switch drops the frames which are too short or too long.

answered 05 Dec '11, 07:36

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%