Wireshark mailing list archives

Re: Ethernet padding in tcpdump captures?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 4 Nov 2019 10:34:52 -0800

On Nov 4, 2019, at 6:30 AM, Andreas Sikkema <h323 () ramdyne nl> wrote:

> I have this weird problem filtering out empty UDP messages on my (Linux) firewall and in the captures I noticed something I haven't seen before.
>
> If I capture the traffic using tcpdump and open the files using Wireshark, I see Ethernet padding on the messages the firewall doesn't appear to match.
>
> Since the UDP messages are empty they are below the 64 bytes minimum Ethernet length so padding is to be expected on the wire, but I have never before seen Ethernet padding in captures made on PC hardware running Linux. Is this common?

Unless Linux is removing the padding before the packet gets to a PF_PACKET socket, I would expect to see padding for short Ethernet packets in captures on Linux, at least if not done on the "any" device. For *outgoing* packets, you probably won't see the padding, but for *incoming* packets, I'd expect to see the padding on all OSes.
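
To check a capture for the padding discussed in this thread, the sketch below (an added example, not part of the original messages) compares the IPv4 total length with the captured frame length; every byte past the end of the datagram is what Wireshark displays as Ethernet padding. The MAC addresses, IP addresses, ports and the frame builder are constructed sample values, and the code assumes the capture omits the 4-byte FCS, so the 64-byte minimum shows up as 60 bytes.

```python
import struct

ETH_HLEN, IPV4, VLAN, UDP = 14, 0x0800, 0x8100, 17
MIN_NO_FCS = 60  # assumption: capture omits the 4-byte FCS of the 64-byte minimum


def split_padding(frame: bytes):
    """Return (udp_payload_len, padding) for an Ethernet/IPv4/UDP frame.

    padding is every byte after the end of the IPv4 datagram.
    """
    if len(frame) < ETH_HLEN:
        raise ValueError("truncated Ethernet header")
    l3 = ETH_HLEN
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == VLAN and len(frame) >= 18:  # skip a single 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        l3 += 4
    if ethertype != IPV4 or len(frame) < l3 + 20:
        raise ValueError("not a complete IPv4 header")
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, l3)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or frame[l3 + 9] != UDP:
        raise ValueError("not IPv4/UDP")
    if total_len < ihl + 8 or len(frame) < l3 + total_len:
        raise ValueError("datagram truncated in capture")
    udp_len = struct.unpack_from("!H", frame, l3 + ihl + 4)[0]
    return udp_len - 8, frame[l3 + total_len:]


def build_empty_udp_frame(padded: bool) -> bytes:
    """Constructed sample: empty UDP datagram, optionally padded to the minimum."""
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # checksum left 0
    udp = struct.pack("!HHHH", 40000, 40001, 8, 0)  # length 8 = header only
    frame = eth + ip + udp                          # 14 + 20 + 8 = 42 bytes
    return frame.ljust(MIN_NO_FCS, b"\x00") if padded else frame


if __name__ == "__main__":
    for label, padded in (("incoming (padded)", True), ("outgoing (unpadded)", False)):
        frame = build_empty_udp_frame(padded)
        payload_len, pad = split_padding(frame)
        print(f"{label}: frame={len(frame)} payload={payload_len} padding={len(pad)}")
```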