At 09:41 AM 7/7/2012, you wrote:

As a beginner, I am staring at a lot of trace files to get up to speed. I am
trying to learn the expected sizes (min, max, etc.) of packets. I have read
that the minimum size of an Ethernet frame is 64 bytes, yet my trace files
show many frames that are 54 or 60 bytes long. I also see frames where
zero-based padding (up to 6 bytes' worth) is added at the very end of the
frame. These zeros are attributed to (i.e., highlighted) the Ethernet II
layer by Wireshark. But I cannot determine a reason why the padding is
occasionally used.

The minimum Ethernet frame size is 64 bytes. That includes a four-byte
frame check sequence (FCS). Wireshark usually sees outbound frames before
the FCS is added, and sees inbound frames after the FCS has been stripped
off, at least in Windows systems. Therefore, the minimum frame size when
the frame gets to Wireshark is 60 bytes. If the frame is smaller than the
minimum frame size, padding bytes must be added to bring the frame up to
the minimum size. In the case of inbound frames, the padding is added by
the sending system, so inbound frames should always be at least 60 bytes.
In the case of outbound frames, Wireshark sees the frame before the
padding is added and the frame is transmitted onto the wire, so these
will sometimes be less than 60 bytes.

You can use this to determine where the data was captured. If you're
looking at a trace file, and want to know if the capture took place on
one of the endpoints, and if so, which one, look for frames less than 60
bytes. The system sending these frames is the one where the data was
captured.
Jim
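
Added example, not part of the original thread: a Python sketch of the check described in the reply, which reads a classic pcap file and counts frames shorter than 60 bytes per source MAC to suggest which endpoint the capture was taken on. The function names, the MAC addresses and the sample capture are constructed for illustration.

```python
import io
import struct
from collections import Counter

MIN_NO_FCS = 60  # 64-byte Ethernet minimum minus the 4-byte FCS

def short_frame_senders(pcap_bytes):
    """Count frames under 60 bytes per source MAC in a classic pcap file."""
    f = io.BytesIO(pcap_bytes)
    header = f.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if endian is None or len(header) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = Counter()
    while True:
        rec = f.read(16)
        if len(rec) < 16:
            break
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        data = f.read(incl_len)
        if len(data) < incl_len:
            break  # truncated file
        # Use the on-wire length so a small snaplen is not mistaken for a runt.
        if orig_len < MIN_NO_FCS and len(data) >= 12:
            counts[data[6:12].hex(":")] += 1  # bytes 6..11 = source MAC
    return counts

def likely_capture_host(pcap_bytes):
    """Source MAC that sent the most sub-60-byte frames, or None."""
    counts = short_frame_senders(pcap_bytes)
    return counts.most_common(1)[0][0] if counts else None

def build_sample_pcap():
    """Constructed capture taken on host A: A's small frames are unpadded."""
    a, b = "020000000001", "020000000002"  # constructed MAC addresses
    def frame(dst, src, payload_len, padded):
        raw = bytes.fromhex(dst + src) + b"\x08\x00" + b"\x45" * payload_len
        return raw.ljust(MIN_NO_FCS, b"\x00") if padded else raw
    frames = [frame(b, a, 40, False),   # outbound, 54 bytes, not yet padded
              frame(a, b, 40, True),    # inbound, padded to 60 by the sender
              frame(b, a, 40, False),
              frame(a, b, 100, True)]   # 114 bytes, no padding needed
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr
    return out
```

Calling `likely_capture_host(build_sample_pcap())` returns the MAC of host A, the only sender of 54-byte frames in the constructed capture. An empty result means no frame was under 60 bytes, which fits a capture taken somewhere other than an endpoint.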