Wireshark-users: Re: [Wireshark-users] Nettl HP-UX
From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Tue, 28 Jun 2011 20:57:06 +0000 (UTC)
Guy Harris <guy@...> writes:

> maxValidFrame is 1500.  (And, yes, this means that values of the length/type
> field between 1501 and 1535 are, apparently, illegal.)

So how should Wireshark handle such invalid frames?  As a simple test, I
manually modified an IEEE 802.3 Ethernet packet and changed its length from 38
bytes (with 8 bytes of trailer) to 1501 bytes.  Wireshark displayed it as an
Ethernet II frame of "Type: unknown (0x05dd)" and payload of 46 bytes.  But if
1501-1535 are invalid, maybe at the very least an Expert Info should be added to
report it?
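
The classification discussed in this thread, as an added example that is not part of the original message and not Wireshark's own code: a C function that separates IEEE 802.3 lengths, Ethernet II types and the 1501-1535 gap, and reports trailer bytes for the 802.3 case. The names `classify_length_type`, `lt_result` and `lt_class` are hypothetical, and the 1536 (0x0600) lower bound for EtherTypes is taken from IEEE 802.3 rather than from the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* From the thread: maxValidFrame is 1500 and 1501-1535 is the illegal gap.
 * Assumption (IEEE 802.3, not stated in the thread): types start at 1536. */
#define MAX_VALID_FRAME 1500u
#define MIN_ETHERTYPE   1536u

enum lt_class { LT_TRUNCATED, LT_LENGTH, LT_INVALID, LT_ETHERTYPE };

struct lt_result {              /* hypothetical result type for this example */
    enum lt_class cls;
    uint16_t      value;        /* raw length/type field, host byte order */
    size_t        trailer;      /* bytes after the declared 802.3 payload */
    int           overrun;      /* declared length exceeds captured payload */
};

/* Hypothetical helper: classify the length/type field of a captured frame
 * laid out as dst MAC (6), src MAC (6), big-endian length/type (2), payload. */
struct lt_result classify_length_type(const uint8_t *frame, size_t caplen)
{
    struct lt_result r = { LT_TRUNCATED, 0, 0, 0 };
    if (frame == NULL || caplen < 14)
        return r;                           /* no complete Ethernet header */

    r.value = (uint16_t)((frame[12] << 8) | frame[13]);
    size_t payload = caplen - 14;

    if (r.value >= MIN_ETHERTYPE) {
        r.cls = LT_ETHERTYPE;               /* Ethernet II frame */
    } else if (r.value > MAX_VALID_FRAME) {
        r.cls = LT_INVALID;                 /* 1501-1535: worth a warning */
    } else {
        r.cls = LT_LENGTH;                  /* IEEE 802.3 length field */
        if (r.value > payload)
            r.overrun = 1;                  /* claims more than was captured */
        else
            r.trailer = payload - r.value;  /* padding or trailer bytes */
    }
    return r;
}
```

For a 60-byte frame, a field of 38 yields `LT_LENGTH` with 8 trailer bytes, while 0x05dd yields `LT_INVALID`, the case for which the message suggests an Expert Info.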