Stewart, Damien wrote:
> I set up another PC connected to the switch on one side of the link and
> created a SPAN session and ran Ethereal. I then did a standard ping
> (this is on Windows BTW) from the other PC - This generates the expected
> 74 bytes (8 bytes preamble

You're not going to see the preamble in Ethereal, unless the adapter or
its driver does something *REALLY* strange.

> + 6 bytes DA + 6 bytes SA + 2 bytes Type

The standard 14-byte Ethernet header.

> + 20 bytes IP header

(If there are no IP options.)

> + 32 bytes ICMP payload,

That'd be 4 bytes of standard ICMP header, 4 bytes of identifier and
sequence number, and 24 bytes of actual data.
If, however, there's 32 bytes of actual data in the ICMP ECHO (ping)
packet, that's
6 bytes DA + 6 bytes SA + 2 bytes Type + 20 bytes IP header + 4 bytes
ICMP header + 4 bytes identifier+sequence number + 32 bytes actual data.
The man page (c'mon, Microsoft, admit it - they're man pages) for XP's
"ping" command:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ping.mspx
says
-l Size : Specifies the length, in bytes, of the Data field in the Echo
Request messages sent. The default is 32. The maximum size is 65,527.
so you do get 32 bytes of actual data by default.

> I then proceeded to reduce the ICMP payload using the "-l" (dash el)
> option to 1 byte.

So that'd be 6+6+2+20+4+4+1, if the payload is the "data" portion of the
ICMP ECHO packet. That's 43 bytes.

> The echo request packet size drops to 56 bytes yet the
> reply is 60 bytes! In the request ethernet frame, there is a padding of
> 13 bytes (so 8+6+6+2+13+20+1=56) - my question is: why 56 bytes?

Good question. Perhaps the driver, or NDIS, does some padding before
handing outgoing packets up to NDIS listeners (such as WinPcap), but
doesn't fully pad the packet to 60 bytes.
On at least some other systems (e.g., Mac OS X, but I suspect it's far
from the only UN*X that works this way), the driver and the rest of the
networking code do *no* padding before handing outgoing packets to the
packet capture mechanism, so you really would see a 43-byte packet - as
you said, for outgoing packets "Ethereal doesn't report packet sizes as
seen by the network if it's running on the same machine that's generating
the traffic", so it shows only 43 bytes even though the packet was 60
bytes long when transmitted on the network.
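
The length accounting discussed in this thread, as an added example that is not part of the original message: it splits a captured Ethernet/IPv4/ICMP echo frame into headers, ICMP data and trailing padding by trusting the IP total-length field rather than the captured length. The function names, MAC and IP addresses and the sample frames are all constructed for illustration.

```python
import struct

ETH_HDR = 14         # 6 bytes DA + 6 bytes SA + 2 bytes Type
ETH_MIN = 60         # minimum frame on the wire, not counting the 4-byte FCS

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_frame(data_len: int, pad_to: int = 0) -> bytes:
    """Constructed sample: Ethernet/IPv4/ICMP echo request, zero-padded to pad_to."""
    body = struct.pack("!HH", 1, 1) + b"a" * data_len       # identifier, sequence, data
    icmp = struct.pack("!BBH", 8, 0, inet_checksum(struct.pack("!BBH", 8, 0, 0) + body)) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # made-up MACs, IPv4 type
    frame = eth + ip + icmp
    return frame + bytes(max(0, pad_to - len(frame)))

def analyze(frame: bytes) -> dict:
    """Split a captured frame into headers, ICMP data and trailing padding."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4                             # allows for IP options
    total_len = struct.unpack("!H", frame[16:18])[0]
    if (ihl < 20 or frame[14 + 9] != 1 or total_len < ihl + 8
            or ETH_HDR + total_len > len(frame)):
        raise ValueError("not a complete ICMP packet")
    return {
        "captured": len(frame),
        "icmp_data": total_len - ihl - 8,                    # minus ICMP header + id/seq
        "padding": len(frame) - ETH_HDR - total_len,         # bytes after the IP datagram
        "on_wire": max(len(frame), ETH_MIN),                 # length once padded to the minimum
    }

if __name__ == "__main__":
    # default ping, "-l 1" unpadded, "-l 1" as captured at 56 bytes, fully padded
    for data_len, pad_to in [(32, 0), (1, 0), (1, 56), (1, 60)]:
        print(data_len, pad_to, analyze(build_echo_frame(data_len, pad_to)))
```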