Wireshark-users: Re: [Wireshark-users] Help on Ethernet Size

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 6 Mar 2007 18:06:56 -0800
(the -request address for a mailing list is for requests to be added to or removed from a mailing list; it is not for messages sent to the list itself)

On Mar 6, 2007, at 5:36 PM, ARAMBULO, Norman R. wrote:
Is the ethernet size always equal to 14 bytes?

The lowest-layer Ethernet header is always 14-bytes long - 6 bytes of destination address, 6 bytes of source address, and 2 bytes of type/ length field. If the type/length field is > 1500 (or some number close to that - I forget the exact number, and the 802.3 spec has a range which is neither a valid type value nor a valid length value), it's a type field, and the value in it is the protocol running atop Ethernet (for example, hex 800 for IPv4). If it's 1500 or less, it's a length field, and the Ethernet header is supposed to be followed by an IEEE 802.2 header (although Novell had a scheme in which it was immediately followed by an IPX header).
and based on wireshark verbose is the frame part of the IP header?

What do you mean by "the frame"?

The packet details pane (by default, the bottommost pane) has, for an IPv4-over-Ethernet packet, a "Frame" protocol at the top, followed by an "Ethernet II" protocol, followed by an "IP" protocol.

"Frame" is not part of the packet data; it displays "metadata" such as the time stamp of the packet (which is *approximately* the time the packet arrived at the host that captured it), the total length of the packet data, and the number of bytes of packet data that were captured. The "Ethernet II" protocol has the Ethernet header (14 bytes), and the "IP" protocol has the IPv4 header.

Nothing in the "Frame" protocol comes from the packet data, so, in particular, it doesn't come from the IP header.
Does wireshark insert = Protocols in frame: eth:ip:tcp:data or its is part of the IP Header.

Wireshark inserts that.  It is *NOT* part of any packet data.