Wireshark-bugs: [Wireshark-bugs] [Bug 2726] Ethernet Length field not recognized ... Tshark and

Date: Fri, 18 Jul 2008 12:41:35 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2726





--- Comment #1 from Guy Harris <guy@xxxxxxxxxxxx>  2008-07-18 12:41:34 PDT ---
Not all Ethernet packets *have* a length field.  The Ethernet header has a
6-octet destination address, a 6-octet source address, and a 2-octet
type/length field.  If the type/length field has a value <= 1500, it's a length
field; if it has a value >= 1536, it's a type field.  (It's presumably invalid
if it has a value in the range 1501 through 1535.)

Almost all Ethernet packets have a type field; the main exceptions I know of
are:

    NetBEUI Framing protocol packets (rarely seen these days - the main
NetBIOS-based application is SMB, and it usually uses NetBIOS-over-TCP or
direct SMB-over-TCP);

    NetWare packets with non-"Ethernet II" encapsulation;

    possibly some OSI and SNA protocols;

    various protocols that don't have an Ethernet type but *do* have an
OUI/protocol ID pair and that thus require a SNAP header.

It might be that you have so little traffic on your network with a length field
that "eth.len" matches few if any packets.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.