0

What is the trailer in the Ethernet frame and why is the FCS incorrect?

asked 2019-04-29 01:32:33 +0000

Rox27

I captured an ARP Reply, there are both padding and trailer in the Ethernet frame.

As far as I know, padding is to make the frame length reach at least 64B.

But, what is the trailer used for?

And Wireshark does not display FCS in other frames, why is the FCS incorrect in this frame?


2 Answers

2

answered 2019-04-29 14:33:36 +0000

SYN-bit

Since the Ethernet header does not include a length field, Wireshark needs to figure out the purpose of the data on its own. For "normal" frames it would be one of the following formats:

[ETH][PAYLOAD][FCS]
[ETH][PAYLOAD][PADDING][FCS] (when the frame would be less than 64 bytes on the wire)

By dissecting the "payload", Wireshark knows how much data was actually upper protocol data, so the rest should be part of the Ethernet layer. It will then use some heuristics to decide what part of that data was padding and whether there was an FCS (which will be stripped by most NICs before Wireshark gets to see the packets), meaning Wireshark sees:

[ETH][PAYLOAD]
[ETH][PAYLOAD][PADDING] (when the frame would be less than 64 bytes on the wire)

Now when there is extra data that can't be padding, Wireshark will show it as "trailer" data. There are systems that add stuff to the Ethernet packet as a trailer. For instance, packet brokers often add timestamps and port information into an Ethernet trailer. F5 load balancers also add trailers to provide information on the Virtual being used for the traffic, for instance.

In your case, there is no dissector dissecting the trailer bytes into some protocol headers, so all Wireshark can do is display it as a (general) trailer. It then also (incorrectly) assumes that the last 4 bytes are the FCS and so it tries to verify its correctness. However, most likely, the real FCS has already been stripped by the NIC.

You can fiddle with the "Ethernet" protocol preferences to make Wireshark not assume there was an FCS and just display the trailer data as "trailer".

The interesting question is "Where and how was this capture taken?", as some system must have included the extra trailer for some reason. Do you know if there was a load balancer or packet broker involved?

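The tail-splitting logic described in the answer above, as an added example that is not part of the original post and is not Wireshark's dissector code. It is a simplified sketch for ARP frames only; the function names, the sample frame and the 8-byte trailer are constructed for illustration.

```python
import struct
import zlib

ETH_HDR = 14          # dst MAC + src MAC + EtherType
MIN_NO_FCS = 60       # 64-byte minimum frame minus the 4-byte FCS

def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def split_arp_frame(frame: bytes) -> dict:
    """Split a captured ARP frame into payload, padding and leftover bytes."""
    if len(frame) < ETH_HDR + 8:
        raise ValueError("too short for Ethernet + ARP fixed header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    hlen, plen = frame[ETH_HDR + 4], frame[ETH_HDR + 5]
    payload_end = ETH_HDR + 8 + 2 * (hlen + plen)   # length known from ARP itself
    if payload_end > len(frame):
        raise ValueError("truncated ARP payload")
    pad_end = min(len(frame), max(payload_end, MIN_NO_FCS))
    extra = frame[pad_end:]                         # cannot be padding
    looks_like_fcs = len(extra) >= 4 and fcs(frame[:-4]) == extra[-4:]
    return {
        "payload": frame[ETH_HDR:payload_end],
        "padding": frame[payload_end:pad_end],
        "trailer": extra[:-4] if looks_like_fcs else extra,
        "fcs_valid": looks_like_fcs,
    }

def build_arp_reply() -> bytes:
    """Constructed sample: ARP reply padded with zeros to 60 bytes."""
    eth = bytes.fromhex("020000000001" "020000000002" "0806")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += bytes.fromhex("020000000002") + bytes([192, 0, 2, 1])
    arp += bytes.fromhex("020000000001") + bytes([192, 0, 2, 2])
    return (eth + arp).ljust(MIN_NO_FCS, b"\x00")

TRAILER = bytes.fromhex("a1b2c3d4e5f60708")   # constructed 8-byte trailer
stripped = build_arp_reply() + TRAILER         # FCS removed by the NIC
on_wire = stripped + fcs(stripped)             # FCS still present

if __name__ == "__main__":
    for name, frame in (("stripped", stripped), ("on_wire", on_wire)):
        r = split_arp_frame(frame)
        print(name, len(r["padding"]), r["trailer"].hex(), r["fcs_valid"])
```

In the `stripped` case the last four trailer bytes fail the CRC-32 check, which is the situation where a tool that assumes an FCS is present reports it as incorrect.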

Comments

Thanks for your reply, I have upgraded to the latest version of Wireshark, and there is still no dissector that can explain what the trailer is. I just connected to a campus network, I am sorry that I don't know if there is a load balancer or a packet broker.

Rox27 ( 2019-04-30 03:02:29 +0000 )
0

answered 2019-05-01 02:49:05 +0000

For the FCS, you can set in the Windows driver configuration whether the FCS will be calculated by the NIC at HW level or not (i.e. on the CPU). One of these options will make the FCS error disappear.



Stats

Asked: 2019-04-29 01:32:33 +0000

Seen: 21,164 times

Last updated: May 01 '19