[RK_2014_0923] the minimum length of the Ethernet II data packet captured by wireshark is 60, and wireshark

Source: Internet
Author: User


1. For the minimum length of Ethernet data packets in Wireshark, see the following text:

Packet format

A physical Ethernet packet will look like this:

Field                        Length (bytes)
Preamble                     8
Destination MAC address      6
Source MAC address           6
Type/Length                  2
User Data                    46-1500
Frame Check Sequence (FCS)   4

As the Ethernet hardware filters the preamble, it is not given to Wireshark or any other application. Most Ethernet interfaces also either don't supply the FCS to Wireshark or other applications, or aren't configured by their driver to do so; therefore, Wireshark will typically only be given the green fields (destination MAC address through user data), although on some platforms, with some interfaces, the FCS will be supplied on incoming packets.

Allowed Packet Lengths

Ethernet packets with less than the minimum 64 bytes for an Ethernet packet (header + user data + FCS) are padded to 64 bytes, which means that if there's less than 64-(14 + 4) = 46 bytes of user data, extra padding data is added to the packet.

[NOTE 1] In Wireshark, the captured ARP packet length is usually 42 bytes, sometimes 60 bytes.

This length depends on the ARP packet encoding method of the operating system that sends the ARP request [that is, whether 18 bytes of 0x00 padding are added at the end of the ARP packet].

[NOTE 2] Some TCP or UDP data packets may have a length of less than 60 bytes.
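
The lengths in the text and notes above can be checked on a captured frame. The following is an added example, not part of the original article or the Wireshark wiki: it compares the length the payload declares for itself with the captured length and reports the padding. The function names and the sample frames are constructed for illustration.

```python
import struct

ETH_HEADER_LEN = 14      # destination MAC (6) + source MAC (6) + Type/Length (2)
MIN_CAPTURED_LEN = 60    # 64-byte minimum frame minus the 4-byte FCS
MIN_USER_DATA = 46       # 64 - (14 + 4)


def declared_payload_len(type_len, data):
    """Length the payload claims for itself, or None if this sketch cannot tell."""
    if type_len <= 1500:                        # 802.3: the field is a length
        return type_len
    if type_len == 0x0806 and len(data) >= 8:   # ARP: 8 fixed bytes + two address pairs
        return 8 + 2 * (data[4] + data[5])
    if type_len == 0x0800 and len(data) >= 20:  # IPv4: Total Length at offset 2
        return struct.unpack("!H", data[2:4])[0]
    return None


def analyze_frame(frame):
    """Describe padding in a frame as Wireshark sees it (no preamble, no FCS)."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("shorter than an Ethernet header")
    type_len = struct.unpack("!H", frame[12:14])[0]
    data = frame[ETH_HEADER_LEN:]
    declared = declared_payload_len(type_len, data)
    result = {"captured": len(frame),
              "reaches_minimum": len(frame) >= MIN_CAPTURED_LEN,
              "padding": None, "padding_all_zero": None, "padding_needed": None}
    if declared is not None and declared <= len(data):
        pad = data[declared:]                   # bytes after the declared payload
        result["padding"] = len(pad)
        result["padding_all_zero"] = not any(pad)
        # Padding required to bring the user data up to 46 bytes
        result["padding_needed"] = max(0, MIN_USER_DATA - declared)
    return result


# Constructed sample frames (not taken from a real capture).
ETH_ADDRS = bytes.fromhex("ffffffffffff" "020000000001")
ARP_BODY = bytes.fromhex("0001" "0800" "06" "04" "0001"
                         "020000000001" "c0a80102" "000000000000" "c0a80101")
ARP_UNPADDED = ETH_ADDRS + b"\x08\x06" + ARP_BODY          # 14 + 28 = 42 bytes
ARP_PADDED = ARP_UNPADDED + bytes(18)                      # 42 + 18 = 60 bytes
IP_TCP = b"\x45\x00" + struct.pack("!H", 40) + bytes(36)   # 20-byte IP + 20-byte TCP
TCP_ACK = ETH_ADDRS + b"\x08\x00" + IP_TCP                 # 14 + 40 = 54 bytes

if __name__ == "__main__":
    for name in ("ARP_UNPADDED", "ARP_PADDED", "TCP_ACK"):
        print(name, analyze_frame(globals()[name]))
```

A frame whose padding_all_zero is False carries data in bytes that should be empty, which is worth a closer look in a capture.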

2. Original article URL [where this was first published]

http://www.cnblogs.com/tom-and-jerry/p/3988109.html

 

[End]


When Wireshark captures packets, the packet length is mostly between 40 and 79. Why?

When a machine is running normally, it is probably not doing anything. Large packets appear when you open a web page.
If the packets are small while you are surfing the Internet, watching videos or chatting, then the network adapter you selected for the packet capture is the wrong one, and the adapter you are actually using is not selected. Switch to the network adapter that is in use.

How does Wireshark capture packets from other computers?

There are several ways to capture other people's data packets.

First, if the switch you share with others has a mirror port function, you can mirror any one of the data ports on the switch, then plug a network cable into the mirror port and connect it to your network card, and you can capture other people's data.

Second, replace the switch on your LAN with a hub; that way, all data packets are sent out to everyone. That is to say, no matter which data packet is sent, it passes every computer on the hub. As long as you set the NIC to promiscuous mode, you can capture other people's packets.

Third, use MAC address spoofing: send ARP packets on the LAN so that other computers mistakenly think that you are the gateway. Other computers will then send their packets to you, and you can capture them. However, if you use this method, it is recommended that you write the program yourself. Currently, many unscrupulous tools intercept others' data requests and do not forward them; it is best to forward them so that other computers won't find that you are doing MAC spoofing.

Fourth, if you share an ADSL modem to access the Internet, you can install two NICs in your computer, one connected to the modem and one connected to the switch, and then share the NIC connected to the modem. Here, the IP address of the NIC connected to the modem is set to 192.168.1.1, so that this NIC acts as the gateway and other computers access the Internet through it; you can therefore easily capture data packets from other computers on this network card.

The above four methods are only discussed here as technical research.
