On Nov 4, 2019, at 6:30 AM, Andreas Sikkema <h...@ramdyne.nl> wrote: > I have this weird problem filtering out empty UDP messages on my (Linux) > firewall and in the captures I noticed something I haven't seen before. > > If I capture the traffic using tcpdump and open the files using Wireshark, I > see Ethernet padding on the messages the firewall doesn't appear to match. > > Since the UDP messages are empty they are below the 64bytes minimum Ethernet > length so padding is to be expected on the wire, but I have never before seen > Ethernet padding in captures made on PC hardware running Linux. Is this > common?
Unless Linux is removing the padding before the packet gets to a PF_PACKET socket, I would expect to see padding for short Ethernet packets in captures on Linux, at least if not done on the "any" device. For *outgoing* packets, you probably won't see the padding, but for *incoming* packets, I'd expect to see the padding on all OSes. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
