I've started to experiment recently with Version 0.99.6a (SVN Rev 22276) and WinPcap version 4.0.1, which was the recommended version when I installed Wireshark. As far as I'm aware, Ethernet frames should be between 64 and 1518 bytes long and, if the data section is less than 46 bytes, padding should be added to make up the minimum length. Further, I believe that this minimum length is something to do with collisions.
I looked at some traffic on my network and saw frames having only eth:arp protocols with only 42 bytes (I counted very carefully and it's 42 decimal, rather than 42 hex). I collected traffic following ping -l 1 192.168.0.1, and that had eth:ip:icmp:data in the "Protocols in frame" area. The size of the frame was reported as "43 bytes on wire, 43 bytes captured". It appears that my system is ignoring the padding. I saw a video from Wireshark University which dealt with rogue padding leaking potentially confidential data, and the clip showed ARP traffic which *did* have the correct amount of padding to fill the Ethernet frame. I don't know what version of Wireshark was used. I have seen such "short" frames with POP traffic (when not actually downloading any mail, just interrogating the server to see if there's any mail present). When I capture HTTP traffic, the frame length is >=350.
I'm confused. Why am I not seeing padding? Is there a setting somewhere that says "ignore padding"? If so, I've not been able to find it. Is there something about my system (laptop connected via wireless to an ADSL router, XP Pro SP2 fully patched) which is conflicting with Wireshark? Is this regarded as a "bug" or a "feature"? My concern is: "if I see this behaviour, which I didn't expect and can't understand, is there anything else happening which may render my captured data inaccurate?"
Thanks for your time.
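An added example, not part of the original post or of Wireshark, to make the arithmetic behind the question concrete. It builds Ethernet II frames for the two cases described (an ARP request, and an ICMP echo from ping -l 1), pads them to the Ethernet minimum as a NIC does on transmit, and then inspects a frame the way an analyst would: it reads the encapsulated protocol's own length field to find where the packet ends, treats anything after that as Ethernet padding, and reports whether the padding is all zeros (non-zero padding is the "rogue padding" leak the post refers to). Lengths exclude the 4-byte FCS, as a capture normally does, so the 64-byte minimum shows as 60 bytes. The MAC and IP addresses, the "leaked" padding bytes and the sample packets are constructed; IP and ICMP checksums are left at zero because only lengths are examined.

```python
import struct

ETH_HDR_LEN = 14                                   # dst(6) + src(6) + ethertype(2)
ETH_MIN_FRAME = 64                                 # minimum on the wire, FCS included
FCS_LEN = 4
ETH_MIN_CAPTURED = ETH_MIN_FRAME - FCS_LEN         # 60: what a capture (no FCS) shows
ETH_MIN_PAYLOAD = ETH_MIN_CAPTURED - ETH_HDR_LEN   # 46-byte minimum data section

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed sample addresses (not real hosts).
DST_BCAST = b"\xff" * 6
SRC_MAC = bytes.fromhex("001122334455")
SRC_IP = bytes([192, 168, 0, 2])
DST_IP = bytes([192, 168, 0, 1])


def build_frame(dst, src, ethertype, payload, pad=True):
    """Build an Ethernet II frame without FCS. With pad=True the payload is
    zero-filled to 46 bytes, which is what the NIC does on transmit; a capture
    taken on the sending host sees the frame before the NIC pads it."""
    frame = dst + src + struct.pack("!H", ethertype) + payload
    if pad and len(frame) < ETH_MIN_CAPTURED:
        frame += b"\x00" * (ETH_MIN_CAPTURED - len(frame))
    return frame


def protocol_length(ethertype, payload):
    """Length of the encapsulated packet as declared by its own header;
    anything beyond it in the frame is Ethernet padding."""
    if ethertype == ETHERTYPE_IPV4:
        return struct.unpack("!H", payload[2:4])[0]      # IPv4 total length
    if ethertype == ETHERTYPE_ARP:
        hlen, plen = payload[4], payload[5]              # hardware/protocol addr sizes
        return 8 + 2 * (hlen + plen)                     # 28 for IPv4 over Ethernet
    raise ValueError("unsupported ethertype 0x%04x" % ethertype)


def inspect_frame(frame):
    """Relate a captured frame (FCS stripped) to the Ethernet minimum: how much
    padding it carries and whether that padding is clean zeros."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[ETH_HDR_LEN:]
    proto_len = protocol_length(ethertype, payload)
    padding = payload[proto_len:]
    return {
        "ethertype": ethertype,
        "frame_len": len(frame),
        "protocol_len": proto_len,
        "padding_len": len(padding),
        "below_minimum": len(frame) < ETH_MIN_CAPTURED,
        "padding_is_zero": all(b == 0 for b in padding),
    }


def arp_request():
    """28-byte ARP 'who has DST_IP' request (constructed sample)."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + SRC_MAC + SRC_IP + b"\x00" * 6 + DST_IP)


def ipv4_icmp_echo(data):
    """IPv4 header (20) + ICMP echo request header (8) + data; checksums 0."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                     128, 1, 0, SRC_IP, DST_IP)
    return ip + icmp


def demo():
    """The four situations discussed: padded ARP, unpadded ARP (42 bytes),
    unpadded ping -l 1 (43 bytes), and padding filled from stale buffer memory."""
    arp = arp_request()
    leaked = b"password".ljust(ETH_MIN_PAYLOAD - len(arp), b"\x00")  # constructed
    return {
        "arp_padded": inspect_frame(build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_ARP, arp)),
        "arp_short": inspect_frame(build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_ARP, arp, pad=False)),
        "icmp_short": inspect_frame(build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_IPV4,
                                                ipv4_icmp_echo(b"a"), pad=False)),
        "arp_leaky": inspect_frame(build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_ARP, arp, pad=False) + leaked),
    }


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Run on a real capture, the same check is applied to each frame's bytes: a frame whose padding_len is non-zero but whose padding_is_zero is false is the condition worth chasing, since those bytes came from somewhere other than the sender's protocol stack.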