Wireshark-users: Re: [Wireshark-users] Ethernet padding in tcpdump captures?
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 4 Nov 2019 15:12:05 +0000
Hi Andreas,

Can you clarify your capture setup a little more? What interface are you capturing on? What is the direction of the packet flow you’re looking at (incoming or outgoing)? Where’’s the firewall in this context? 

Jaap


> On 4 Nov 2019, at 14:30, Andreas Sikkema <h323@xxxxxxxxxx> wrote:
> 
> Hi,
> 
> I have this weird problem filtering out empty UDP messages on my (Linux) firewall and in the captures I noticed something I haven't seen before. 
> 
> If I capture the traffic using tcpdump and open the files using Wireshark, I see Ethernet padding on the messages the firewall doesn't appear to match. 
> 
> Since the UDP messages are empty they are below the 64bytes minimum Ethernet length so padding is to be expected on the wire, but I have never before seen Ethernet padding in captures made on PC hardware running Linux. Is this common?
> 
>