0

Ethernet Frame II - outgoing frames don't show padding

asked 2021-03-16 17:03:13 +0000

AG111

updated 2021-03-17 17:44:10 +0000

JeffMorriss

An Ethernet frame (packet 45 and 600) I have recorded in a packet is of length 42 bytes. How can this frame of length 42 bytes be recorded in the packet trace without padding? If you look at frame 2, it has padding like many others. Why does it not have padding like packet 2 to increase its length field to 64?

Can't upload a picture or download as I do not have enough points.

https://drive.google.com/file/d/1Mi9p...


Comments

You can post the capture on a public share, e.g. Google Drive, DropBox etc. and then put a link to it back here.

Why did you delete your previous question?

grahamb ( 2021-03-16 17:05:18 +0000 )

Sorry, accident. I was experimenting with the stuff on here as I am new.

AG111 ( 2021-03-16 17:21:39 +0000 )

Your file share is set to private, so it can't be opened ;-)

SYN-bit ( 2021-03-16 18:39:49 +0000 )

Thanks for that, try this one: https://drive.google.com/file/d/1Mi9p...

AG111 ( 2021-03-16 18:53:27 +0000 )

1 Answer

0

answered 2021-03-16 18:39:14 +0000

SYN-bit

The padding of Ethernet frames is done on the NIC of the system. The capturing of packets is done somewhere in the kernel of the OS. So all outgoing frames from the system on which you are capturing will pass the capture process (npcap/libpcap) before they reach the NIC where they are padded to 64 bytes.

This also happens with checksums: when you have checksum offloading enabled, all outgoing frames will have a bad checksum at the IP/TCP/UDP layer, as they are captured before the NIC can calculate and populate the checksum fields.


Comments

https://drive.google.com/file/d/1Mi9p...

Try this and see if this works.

AG111 ( 2021-03-16 18:54:11 +0000 )

But if that was the case, it would be that none of them would have any padding. However, it seems that only a select number of ones have padding. And the one with the lowest length has no padding.

AG111 ( 2021-03-16 19:13:36 +0000 )

But if that was the case it would be that none of them would have any padding.

No, it wouldn't. It would be that packets sent by the machine running tcpdump/Wireshark/whatever sniffer you're using would have no padding. Packets received by that machine would have padding.

Guy Harris ( 2021-03-16 20:45:32 +0000 )
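The behaviour described in the answer and in the comment above, as an added example (not code from any poster or from Wireshark): it classifies captured frames by direction and measures how many bytes follow the layer-3 data. The MAC addresses, IP addresses and frames are constructed, the 42-byte frame is assumed to be an ARP request, and the capture is assumed to omit the 4-byte FCS, so a padded minimum-size frame appears as 60 bytes.

```python
import struct

ETH_HDR = 14      # dst MAC + src MAC + EtherType
MIN_NO_FCS = 60   # 64-byte Ethernet minimum minus the 4-byte FCS (assumed absent from the capture)

def l3_length(frame: bytes) -> int:
    """Length the layer-3 header itself claims (ARP and IPv4 only)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:   # ARP: 8 fixed bytes + 2 * (hw addr len + proto addr len)
        return 8 + 2 * (frame[ETH_HDR + 4] + frame[ETH_HDR + 5])
    if ethertype == 0x0800:   # IPv4: Total Length field
        return struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    raise ValueError(f"unhandled EtherType 0x{ethertype:04x}")

def classify(frame: bytes, local_mac: bytes) -> tuple:
    """Return (direction, trailing bytes after layer 3, verdict) for one captured frame."""
    direction = "sent" if frame[6:12] == local_mac else "received"
    padding = len(frame) - ETH_HDR - l3_length(frame)
    if padding < 0:
        verdict = "truncated capture"
    elif len(frame) >= MIN_NO_FCS:
        verdict = "padding or trailer present" if padding else "no padding needed"
    elif direction == "sent":
        verdict = "captured before the NIC padded it"
    else:
        verdict = "short received frame"
    return direction, padding, verdict

# Constructed sample data: hypothetical MACs and IPs, not taken from the poster's trace.
LOCAL_MAC = bytes.fromhex("020000000001")   # the capturing host
PEER_MAC = bytes.fromhex("020000000002")

def arp(src_mac: bytes, src_ip: bytes, dst_mac: bytes, dst_ip: bytes, oper: int) -> bytes:
    """Build an Ethernet II frame carrying an ARP request (oper=1) or reply (oper=2)."""
    tha = b"\x00" * 6 if oper == 1 else dst_mac
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + src_mac + src_ip + tha + dst_ip
    return dst_mac + src_mac + b"\x08\x06" + body

# Request as seen on the sender: 42 bytes. Reply as seen after the peer's NIC padded it: 60 bytes.
SENT = arp(LOCAL_MAC, bytes([10, 0, 0, 1]), b"\xff" * 6, bytes([10, 0, 0, 2]), 1)
RECEIVED = arp(PEER_MAC, bytes([10, 0, 0, 2]), LOCAL_MAC, bytes([10, 0, 0, 1]), 2) + bytes(18)

if __name__ == "__main__":
    for name, frame in (("sent", SENT), ("received", RECEIVED)):
        print(name, len(frame), classify(frame, LOCAL_MAC))
```
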

Stats

Asked: 2021-03-16 17:03:13 +0000

Seen: 2,057 times

Last updated: Mar 17 '21