An ethernet frame (packet 45 and 600) I have recorded in a packet is of length 42 bytes. How can this frame of length 42 bytes be recorded in the packet trace without padding? If you look at frame 2 it has padding like many others. Why does it not have padding like packet 2 to increase its length field to 64.
Cant upload a picture or download as I do not have enough points.
The padding of Ethernet frames is done on the NIC of the system. The capturing of packets is done somewhere in the kernel of the OS. So all outgoing frames from the system on which you are capturing will pass the capture process (npcap/libpcap) before they reach the NIC where they are padded to 64 bytes.
This also happens with checksums when you have checksum offloading enabled, then all outgoing frames will have a bad checksum at the IP/TCP/UDP layer, as they are captured before the NIC can calculate and populate the checksum fields.
https://drive.google.com/file/d/1Mi9p...
Try this and see if this works
But if that was the case it would be that none of them would have any padding. However it seems that only a select number of ones have padding. And the one with the lowest length has no padding.
But if that was the case it would be that none of them would have any padding.
No, it wouldn't. It would be that packets sent by the machine running tcpdump/Wireshark/whatever sniffer you're using would have no padding. Packets received by that machine would have padding.
Comments
You can post the capture on a public share, e.g. Google Drive, DropBox etc. and then put a link to it back here.
Why did you delete your previous question?
Sorry accident I was experimenting with the stuff on here as I am new
https://drive.google.com/file/d/1Pkct...
Your file share is set to private, so it can't be opened ;-)
Thanks for that try this one https://drive.google.com/file/d/1Mi9p...