Revision history

Possibly. There are a couple of ways you can try to determine if a trace file was captured on one of the endpoints in the trace:

  1. Look for frames smaller than 60 bytes. The minimum Ethernet frame size is 60 bytes, plus a four-byte frame check sequence, for a total of 64 bytes. If a frame is smaller than 60 bytes, then padding bytes will be added to bring it up to 60 bytes, then the four-byte frame check sequence will be appended. When Wireshark sees an outgoing frame, the four-byte frame check sequence hasn't been added yet, and when Wireshark sees an incoming frame, the frame check sequence has already been stripped off (at least on the Windows systems that I'm familiar with; some systems do pass the frame check sequence to Wireshark). So the smallest Ethernet frame that Wireshark should see is 60 bytes (or 64 bytes if the checksum is present). If you see a frame smaller than 60 bytes, then it was below the minimum Ethernet frame size and the padding had not yet been added when Wireshark saw the frame, so the system that transmitted that frame is where the packets were captured. In this case, all the undersized frames will be from one host. This can easily be done with a quick display filter:

    frame.len < 60

Or, for a more sophisticated filter that accounts for whether the frame check sequence is present or not:

    (eth.fcs && frame.len < 64) || (!eth.fcs && frame.len < 60)

  2. Turn on IP, TCP, UDP, and Ethernet checksum validation and look for packets with bad checksums. Almost all modern NICs do checksum offloading, which means that the checksum is calculated and applied by the NIC after Wireshark sees an outgoing frame. If you see bad checksums only on packets transmitted by one host, then that is probably the host where the data was captured. The checksums are good when the frames are transmitted on the wire. If the checksums were actually bad, then the packets with bad checksums would have been retransmitted or the communication would fail. So if you see bad checksums from one host only with checksum validation on, the packets were probably captured on that host.
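As an added example (not part of the answer above), a small Python script that applies the first heuristic outside Wireshark: it parses a classic libpcap file, counts frames below the 60-byte minimum (64 with the FCS) per source MAC, and names the one host that produced them. The sample capture and its locally-administered MAC addresses are constructed inline.

```python
import struct
from collections import Counter

# Frames below these lengths never arrive from the wire: the sending NIC pads
# them to 60 bytes (64 once the frame check sequence is appended).
MIN_FRAME_NO_FCS = 60
MIN_FRAME_WITH_FCS = 64

def build_pcap(frames):
    """Constructed sample data: wrap raw Ethernet frames in a classic pcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b"".join(
        struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records

def iter_frames(pcap_bytes):
    """Yield (original_length, frame_bytes) for every record in a pcap file."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("not an Ethernet capture")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        yield orig_len, pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def undersized_by_source(pcap_bytes, fcs_present=False):
    """Count frames shorter than the Ethernet minimum, keyed by source MAC."""
    minimum = MIN_FRAME_WITH_FCS if fcs_present else MIN_FRAME_NO_FCS
    counts = Counter()
    for orig_len, frame in iter_frames(pcap_bytes):
        if orig_len < minimum and len(frame) >= 12:
            counts[frame[6:12].hex(":")] += 1
    return counts

def likely_capture_host(counts):
    """Return the source MAC if exactly one host emitted undersized frames, else None."""
    return next(iter(counts)) if len(counts) == 1 else None

# Constructed hosts: A is where the capture ran, B is its peer on the wire.
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")

def make_frame(dst, src, payload_len):
    return dst + src + b"\x08\x00" + bytes(payload_len)  # IPv4 ethertype, zeroed payload

SAMPLE_PCAP = build_pcap([
    make_frame(HOST_B, HOST_A, 40),    # 54-byte ACK, seen before A's NIC pads it
    make_frame(HOST_A, HOST_B, 46),    # 60-byte reply, already padded by B's NIC
    make_frame(HOST_B, HOST_A, 28),    # 42-byte frame, again unpadded from A
    make_frame(HOST_A, HOST_B, 1000),  # full-size data frame from B
])
```

Running `undersized_by_source(SAMPLE_PCAP)` reports only host A, which is the same result the `frame.len < 60` filter gives in Wireshark; passing `fcs_present=True` switches to the 64-byte threshold from the second filter.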
