Re: captured length > actual length

[Sake Blok <sake () euronet nl>]

On 2 feb 2011, at 14:24, Andrej van der Zee wrote:

> I am looking at a packet in Wireshark with:
>
> * data link layer length 14 bytes
> * total IP length of 44 bytes
> => TOTAL = 58 bytes
>
> But, the captured bytes show 60. I was wondering where the extra 2
> bytes come from?

As the minimum length of an ethernet packet is 64 bytes (historically needed to properly do collision detection), 
packets smaller than 64 bytes need to be padded up to 64 bytes. Please note that most NICs already strip the FCS of 4 
bytes at the end of the packet before handing the packet over to the driver, hence the 60 bytes and not 64 bytes.

In case you wonder why some packets in Wireshark do show up as smaller than 60 bytes, that happens when the packet is 
captured on the sending system for outgoing packets as the padding is done on the NIC, so (lib|win)pcap does not see 
the padding in that case.

Cheers,


Sake
 
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe