I've started to experiment recently with Version 0.99.6a (SVN Rev 22276) and
WinPcap version 4.0.1 which was the recommended version when I installed
Wireshark. As far as I'm aware, ethernet frames should be between 64 and 1518
bytes long and, if the data section is less than 46 bytes, padding should be
added to make up the minimum length. Further, I believe that this minimum
length is something to do with collisions.
I looked at some traffic on my network and saw frames having only eth:arp
protocols with only 42 bytes (I counted very carefully and it's 42 decimal,
rather than 42 hex). I collected traffic following ping -l 1 192.168.0.1 and
that had eth:ip:icmp:data in the "Protocols in frame" area. The size of the
frame was reported as "43 bytes on wire, 43 bytes captured". It appears that
my system is ignoring the padding. I saw a video from Wireshark University
which dealt with rogue padding leaking potentially confidential data and the
clip showed ARP traffic which *did* have the correct amount of padding to fill
the ethernet frame. I don't know what version of Wireshark was used. I have
seen such "short" frames with POP traffic (when not actually downloading any
mail, just interrogating the server to see if there's any mail present). When
I capture HTTP traffic, the frame length is >=350.
I'm confused. Why am I not seeing padding? Is there a setting somewhere that
says "ignore padding"? If so, I've not been able to find it. Is there
something about my system (laptop connected via wireless to an ADSL router, XP
Pro SP2 fully patched) which is conflicting with Wireshark? Is this regarded
as a "bug" or a "feature"? My concern is "if I see this behaviour that I
didn't expect nor can I understand, is there anything else happening which may
render my captured data inaccurate?".
Thanks for your time.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
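The question above is about why captured frames can be shorter than the
Ethernet minimum. Two facts help interpret such captures: Wireshark normally
reports frame size without the 4-byte FCS, so the 64-byte minimum shows up as
60 bytes, and a capture driver on the sending host sees outgoing frames before
the NIC appends the padding, so locally generated frames (like the 42-byte ARP
and 43-byte ping above) can appear "short" while frames received from the
wire still carry their padding. The script below is an added example, not
code from the thread or from the Wireshark project; it builds a few
constructed frames in memory, works out how much of the payload the ARP or
IPv4 header actually accounts for, and classifies the rest as missing
padding, zero padding, or non-zero padding (the "rogue padding" case the
video mentioned, where stale buffer contents can leak). The MAC and IP
addresses and the frame contents are all made up for the example; checksums
are left zero because only lengths are analysed.

```python
import struct

ETH_HDR_LEN = 14
MIN_FRAME_NO_FCS = 60      # 64-byte Ethernet minimum minus the 4-byte FCS
MIN_PAYLOAD = 46           # minimum payload after the 14-byte header
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def analyse_frame(frame: bytes) -> dict:
    """Return length/padding facts about one raw Ethernet frame (no FCS)."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[ETH_HDR_LEN:]

    # Work out how many payload bytes the upper-layer protocol really uses.
    if ethertype == ETHERTYPE_IPV4:
        total_len = struct.unpack("!H", payload[2:4])[0]   # IPv4 Total Length
        used = min(total_len, len(payload))
    elif ethertype == ETHERTYPE_ARP:
        hlen, plen = payload[4], payload[5]
        # 8 fixed ARP bytes + sender/target hardware and protocol addresses
        used = 8 + 2 * (hlen + plen)
    else:
        used = len(payload)        # unknown protocol: assume no padding

    padding = payload[used:]
    return {
        "ethertype": ethertype,
        "frame_len": len(frame),
        "payload_used": used,
        "padding_len": len(padding),
        "padding_expected": max(0, MIN_PAYLOAD - used),
        "short_on_wire": len(frame) < MIN_FRAME_NO_FCS,
        "nonzero_padding": any(padding),
    }


def classify(frame: bytes) -> str:
    """One-line verdict a capture reviewer would want for each frame."""
    r = analyse_frame(frame)
    if r["padding_expected"] == 0:
        return "no padding needed"
    if r["padding_len"] == 0:
        return "short: padding not present in capture (typical for locally sent frames)"
    if r["nonzero_padding"]:
        return "padded with non-zero bytes: inspect for leaked buffer contents"
    return "padded with zeros"


# --- constructed sample frames (addresses are made up) ---------------------
def make_arp_request(src_mac, src_ip, dst_ip, padding=b""):
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
           + src_mac + src_ip + b"\x00" * 6 + dst_ip)            # 28 bytes
    return eth + arp + padding


def make_icmp_echo(src_mac, dst_mac, src_ip, dst_ip, data):
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data            # echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                     64, 1, 0, src_ip, dst_ip)                    # checksum 0
    return eth + ip + icmp


SRC_MAC = bytes.fromhex("001122334455")
ROUTER_MAC = bytes.fromhex("66778899aabb")
HOST_IP = bytes([192, 168, 0, 2])
ROUTER_IP = bytes([192, 168, 0, 1])

SAMPLE_FRAMES = {
    "arp_unpadded": make_arp_request(SRC_MAC, HOST_IP, ROUTER_IP),
    "arp_padded": make_arp_request(SRC_MAC, HOST_IP, ROUTER_IP, b"\x00" * 18),
    "arp_leaky": make_arp_request(SRC_MAC, HOST_IP, ROUTER_IP, b"stale-buffer-bytes"),
    "icmp_one_byte": make_icmp_echo(SRC_MAC, ROUTER_MAC, HOST_IP, ROUTER_IP, b"a"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        r = analyse_frame(frame)
        print(f"{name:14} {r['frame_len']:3d} bytes, padding {r['padding_len']:2d}"
              f"/{r['padding_expected']:2d}: {classify(frame)}")
```

The two "short" sample frames reproduce the 42-byte ARP and 43-byte ICMP
sizes from the question; the padded ARP frames show what the same request
looks like once padding is present, and the non-zero case is the one worth
flagging when reviewing captures for data leakage.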