Wireshark mailing list archives
Re: Ethernet padding in tcpdump captures?
From: Guy Harris <guy () alum mit edu>
Date: Mon, 4 Nov 2019 10:34:52 -0800
On Nov 4, 2019, at 6:30 AM, Andreas Sikkema <h323 () ramdyne nl> wrote:
I have this weird problem filtering out empty UDP messages on my (Linux) firewall and in the captures I noticed something I haven't seen before. If I capture the traffic using tcpdump and open the files using Wireshark, I see Ethernet padding on the messages the firewall doesn't appear to match. Since the UDP messages are empty they are below the 64bytes minimum Ethernet length so padding is to be expected on the wire, but I have never before seen Ethernet padding in captures made on PC hardware running Linux. Is this common?
Unless Linux is removing the padding before the packet gets to a PF_PACKET socket, I would expect to see padding for short Ethernet packets in captures on Linux, at least if not done on the "any" device. For *outgoing* packets, you probably won't see the padding, but for *incoming* packets, I'd expect to see the padding on all OSes. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Ethernet padding in tcpdump captures? Andreas Sikkema (Nov 04)
- Re: Ethernet padding in tcpdump captures? Jaap Keuter (Nov 04)
- Re: Ethernet padding in tcpdump captures? Andreas Sikkema (Nov 04)
- Re: Ethernet padding in tcpdump captures? Guy Harris (Nov 04)
- Re: Ethernet padding in tcpdump captures? Andreas Sikkema (Nov 05)
- Re: Ethernet padding in tcpdump captures? Jaap Keuter (Nov 04)