On Nov 15, 2006, at 5:53 PM, Kim wrote:
> I found out that Wireshark does not show or capture layer 2 FCS
> detail.

It does for me - but I'm running it on OS X, where the driver
configures the Ethernet adapter I'm using to supply the FCS on
received packets (it's not supplied on transmitted ones, as they're
passed to the capture mechanism before they're transmitted, so the
FCS, which is computed by the Ethernet adapter, isn't available).

> I open Wireshark capture in EtherPeek NX and it shows that the FCS
> is invalid. However, when I used EtherPeek NX to capture the same
> packet, EtherPeek NX shows calculated. EtherPeek help states that
> "The Packet Decode window shows FCS bytes as Calculated when these
> bytes were not captured directly from the network."

Libpcap format (the native format for Wireshark) has no mechanism to
indicate whether the FCS is present in the frame or not, so EtherPeek
NX would have to use the same sort of heuristics Wireshark does to
figure out whether the FCS is present or not; apparently, it doesn't.

> My question is can Wireshark capture layer 2 FCS?

Yes - but not on operating systems with a name beginning with the same
letter as Wireshark's name does. :-)
(Or, rather, not on a particular operating system with such a name,
that name being "Windows". It also can't do it on some other OSes,
and, on the OSes on which it can, whether it does capture it depends
on the type of network adapter.
It's not a question of what Wireshark can do; it's a question of what
the packet capture mechanism used by libpcap, the library Wireshark
uses to capture packets, can do, and what the driver for your network
adapter can do.
Wireshark has no control over either of those.
BTW, it sounds as if EtherPeek NX can't capture it, either - probably
because the capture mechanism it uses is built atop NDIS in a fashion
similar to the way the capture mechanism Wireshark uses, namely
WinPcap, is built atop NDIS. As far as I know, there's no way in
Windows to ask an NDIS driver to supply the FCS on received packets.)
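
A simplified sketch of the kind of FCS-presence heuristic the reply refers to, as an added example that is not part of the original message and is not Wireshark's or EtherPeek's actual code. The function names, result labels and the sample frame are constructed for illustration; it only disambiguates IPv4 frames, using the IP total-length field.

```python
import struct
import zlib

ETH_HDR = 14       # destination MAC + source MAC + EtherType
MIN_PAYLOAD = 46   # shorter payloads are padded on the wire (60 bytes before FCS)

def ethernet_fcs(data: bytes) -> bytes:
    """CRC-32 of the frame, in the byte order the FCS has on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def classify_fcs(frame: bytes) -> str:
    """Guess whether a captured Ethernet frame still carries its 4-byte FCS."""
    if len(frame) < ETH_HDR + 4:
        return "too-short"
    if ethernet_fcs(frame[:-4]) == frame[-4:]:
        return "fcs-present-valid"
    # CRC mismatch: either no FCS was captured, or one was captured and is bad.
    # For IPv4 the total-length field says how long the frame should be.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= ETH_HDR + 20:
        ip_total = struct.unpack("!H", frame[16:18])[0]
        unpadded = ETH_HDR + ip_total                  # outbound, seen before padding
        padded = ETH_HDR + max(ip_total, MIN_PAYLOAD)  # received, FCS not supplied
        if len(frame) in (unpadded, padded):
            return "fcs-absent"
        if len(frame) == padded + 4:
            return "fcs-present-invalid"
    return "unknown"

def build_sample_frame() -> bytes:
    """Constructed IPv4/UDP frame (documentation addresses), no padding, no FCS."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # checksum left 0
    udp = struct.pack("!HHHH", 40000, 9, 8, 0)
    return eth + ip + udp

if __name__ == "__main__":
    raw = build_sample_frame()
    padded = raw.ljust(60, b"\x00")
    samples = {
        "transmitted, pre-NIC": raw,
        "received, FCS not supplied": padded,
        "received, FCS supplied": padded + ethernet_fcs(padded),
    }
    for name, frame in samples.items():
        print(f"{name}: {classify_fcs(frame)}")
```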