1 | initial version |
Possibly. There are a couple of ways you can try to determine if a trace file was captured on one of the endpoints in the trace:
Look for frames smaller than 60 bytes. The minimum Ethernet frame size is 60 bytes, plus a four-byte frame check sequence, for a total of 64 bytes. If a frame is smaller than 60 bytes, then padding bytes will be added to bring it up to 60 bytes, then the four-byte frame check sequence will be appended. When Wireshark sees an outgoing frame, the four-byte frame check sequence hasn't been added yet, and when Wireshark sees an incoming frame, the frame check sequence has already been stripped off (at least on the Windows systems that I'm familiar with; some systems do pass the frame check sequence to Wireshark). So the smallest Ethernet frame that Wireshark should see is 60 bytes (or 64 bytes if the checksum is present). If you see a frame smaller than 60 bytes, then it was below the minimum Ethernet frame size and the padding had not yet been added when Wireshark saw the frame, so the system that transmitted that frame is where the packets were captured. In this case, all the undersized frames will be from one host. This can easily be done with a quick display filter:
frame.len < 60
Or, for a more sophisticated filter that accounts for whether the frame check sequence is present or not:
(eth.fcs && frame.len < 64) || (!eth.fcs && frame.len < 60)
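As an added example (not code from the original answer), the same test applied outside Wireshark: a dependency-free Python script that walks a classic libpcap file, counts frames below the Ethernet minimum per source MAC, and reports the capturing host when all undersized frames come from one station. It assumes a classic pcap (not pcapng) Ethernet capture; the sample capture embedded below is constructed for the example.

```python
import struct
from collections import Counter

MIN_FRAME_NO_FCS = 60    # smallest Ethernet frame Wireshark sees when the FCS is absent
MIN_FRAME_WITH_FCS = 64  # same minimum when the 4-byte FCS is included in the capture

def iter_pcap_frames(data):
    """Yield (original_length, frame_bytes) from a classic libpcap file held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET only
        raise ValueError("only Ethernet captures are supported")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield orig_len, data[pos:pos + incl_len]
        pos += incl_len

def undersized_frames_by_source(data, fcs_present=False):
    """Count frames below the Ethernet minimum per source MAC; same test as the display
    filter (eth.fcs && frame.len < 64) || (!eth.fcs && frame.len < 60)."""
    minimum = MIN_FRAME_WITH_FCS if fcs_present else MIN_FRAME_NO_FCS
    counts = Counter()
    for orig_len, frame in iter_pcap_frames(data):
        if orig_len < minimum and len(frame) >= 14:  # need a full Ethernet header
            counts[frame[6:12].hex(":")] += 1       # bytes 6..11 are the source MAC
    return dict(counts)

def likely_capture_host(data, fcs_present=False):
    """Source MAC if every undersized frame came from one host (the capturing host), else None."""
    counts = undersized_frames_by_source(data, fcs_present)
    return next(iter(counts)) if len(counts) == 1 else None

# Constructed sample capture (not from the original post): host A captured its own traffic.
HOST_A, HOST_B, BCAST = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002"), b"\xff" * 6

def _frame(dst, src, ethertype, payload_len):
    return dst + src + ethertype + bytes(payload_len)

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
for i, f in enumerate([
    _frame(BCAST, HOST_A, b"\x08\x06", 28),   # 42-byte ARP request from A, padding not yet added
    _frame(HOST_A, HOST_B, b"\x08\x06", 46),  # 60-byte ARP reply from B, padded on the wire
    _frame(HOST_B, HOST_A, b"\x08\x00", 40),  # 54-byte TCP SYN from A, also unpadded
    _frame(HOST_A, HOST_B, b"\x08\x00", 86),  # 100-byte data frame from B
]):
    SAMPLE_PCAP += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
```

Running it on the sample with the correct `fcs_present=False` points at host A alone; passing `fcs_present=True` on a capture that has no FCS wrongly flags B's padded 60-byte reply too, which is why the filter has to match how the capture was taken.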