Wireshark-users: Re: [Wireshark-users] Layer 2 FCS Capture

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 15 Nov 2006 19:32:09 -0800

On Nov 15, 2006, at 5:53 PM, Kim wrote:

I found out that Wireshark does not show or capture layer 2 FCS de'tail.

It does for me - but I'm running it on OS X, where the driver configures the Ethernet adapter I'm using to supply the FCS on received packets (it's not supplied on transmitted ones, as they're passed to the capture mechanism before they're transmitted, so the FCS, which is computed by the Ethernet adapter, isn't available).

I open Wireshark capture in EtherPeek NX and it shows that the FCS is invalid. However, when I used EtherPeek NX to capture the same packet, EtherPeek NX shows calculated. EtherPeek help states that "The Packet Decode window shows FCS bytes as Calculated when these bytes were not captured directly from the network."

Libpcap format (the native format for Wireshark) has no mechanism to indicate whether the FCS is present in the frame or not, so Etherpeek NX would have to use the same sort of heuristics Wireshark does to figure out whether the FCS is present or not; apparently, it doesn't.

My question is can Wireshark capture layer 2 FCS?

Yes - but not on operating systems with a name beginning with the same letter as Wireshark's name does. :-)

(Or, rather, not on a particular operating system with such a name, that name being "Windows". It also can't do it on some other OSes, and, on the OSes on which it can, whether it does capture it depends on the type of network adapter.

It's not a question of what Wireshark can do; it's a question of what

the packet capture mechanism used by libpcap, the library Wireshark uses to capture packets, can do;

	the driver for your network adapter can do.

Wireshark has no control over either of those.

BTW, it sounds as if Etherpeek NX can't capture it, either - probably because the capture mechanism it uses is built atop NDIS in a fashion similar to the way the capture mechanism Wireshark uses, namely WinPcap, is built atop NDIS. As far as I know, there's no way in Windows to ask an NDIS driver to supply the FCS on received packets.)