Stewart, Damien wrote:
Yes I am aware that Ethereal can't see all of the packet when it's running
on a machine the packet is generated from. However, in this particular case,
when I noticed the discrepancy between ping request and ping replies,
Ethereal was monitoring a SPAN session on a Cisco router.
I.e., the machine running Ethereal was *not* the one sending the pings?
It's a minor issue, but it would be nice to know exactly in what situations
Ethereal will correctly report packet sizes
It will report what's handed to it by the packet capture mechanism.
That will be correct, in the sense that it will reflect the size of the
packet as received (which isn't necessarily the size of the packet as
sent - the hardware passing the packet along might change it) if the
adapter (which we, the Ethereal developers, don't control) and its
driver (which we don't control) and the capture code in the OS (+the
WinPcap driver on windows) (we don't control them, either) don't modify
the packet size.
Whether it will include the CRC or not depends on whether the
adapter+driver+capture mechanism include the CRC in the captured packet
(yup, that's another thing the Ethereal developers don't control).
All the platforms on which I've captured used supply the correct length
for received packets. I can't speak for the others.
