> -----Original Message-----
> From: Rob Henningsgard [mailto:[EMAIL PROTECTED]
> Sent: lunedi 15 novembre 2004 15.22
> To: [EMAIL PROTECTED]
> Subject: Re: [WinPcap-users] Comparing packet lengths and data transfer
>
>
> Hi Cary,
>
> <<WinPCap returns 47 bytes compared to EtherPeeks 64 bytes>>
>
> I ran into this when I was first learning about WinPCap. Turns out
> that for packets transmitted from the machine on which you're running
> WinPCap, the padding bytes needed to bring packets up to the minimum
> Ethernet frame of sixty bytes (less the hardware-generated 4-byte CRC)
> are not logged. So, for example, if you run WinPCap and try doing a
> ping from the machine on which you're running WinPCap, the captured ARP
> request packets will show up in Ethereal as being 42 bytes long. Go
> to another machine on the same network and try a ping, and the captured
> ARP request packets will show up as being 60 bytes long.
>
> Although I'm not intimately acquainted with the innards of WinPCap,
> I've been told this effect is caused by the layer at which the
> NDIS miniport driver intercepts the Ethernet packet sending calls.
I confirm.
fulvio
==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[email protected]/
To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================
