Ask Your Question
0

TCP ACK shows only 54 bytes in Wireshark

asked 2019-08-23 23:04:42 +0000

Matt Davis gravatar image

updated 2019-08-23 23:30:13 +0000

SYN-bit gravatar image

My understanding is that a minimum layer 2 Ethernet II frame has to be 64 bytes in length, which includes the 4-byte FCS. Since the FCS is not normally available to Wireshark, only 60 bytes are shown. Thus, in a TCP packet that has an empty payload, there are 6 padding bytes at the end of the frame that are highlighted along with the Ethernet II header. So,

  • 14-byte Ethernet II header
  • 20-byte IPv4 header
  • 20-byte TCP header
  • 6-byte padding

gives the total of 60 bytes.

In my testing, I'm running across a 54-byte packet that shows no padding bytes. It has the 14-byte Ethernet II header, the 20-byte IPv4 header, and the 20-byte TCP header for a total of 54 bytes. It is the ACK packet that follows the SYN and SYN,ACK handshake.

Is there an explanation as to why this packet is 54 bytes long and not padded out to 60 bytes? Is this a network setting of some kind?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-08-23 23:29:42 +0000

SYN-bit gravatar image

There is a very simple explanation for seeing frames shorter than 64 (60 without FCS) bytes. Those frames are sent by the system on which the packets are captured. The reason for the packets to be shorter is, as you already discovered, that the padding is not there. And this is because the padding is added by the NIC. As outgoing packets pass libpcap/winpcap/npcap on the way to the NIC, the padding has not taken place yet, resulting in short frames.

This is one of the reasons why it is better to use a TAP or SPAN-port to capture the packets. But please make sure all offloading features of the NIC are turned off to make sure it passes the packets as they are seen on the network.

edit flag offensive delete link more

Comments

That thought actually occurred to me on the drive home. lol.

Matt Davis gravatar imageMatt Davis ( 2019-08-29 16:45:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-08-23 23:04:42 +0000

Seen: 43 times

Last updated: Aug 23