Wireshark-users: Re: [Wireshark-users] captured length > actual length

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 2 Feb 2011 15:03:36 +0100
On 2 feb 2011, at 14:24, Andrej van der Zee wrote:

> I am looking at a packet in Wireshark with:
> 
> * data link layer length 14 bytes
> * total IP length of 44 bytes
> => TOTAL = 58 bytes
> 
> But, the captured bytes show 60. I was wondering where the extra 2
> bytes come from?

As the minimum length of an ethernet packet is 64 bytes (historically needed to properly do collision detection), packets smaller than 64 bytes need to be padded up to 64 bytes. Please note that most NICs already strip the FCS of 4 bytes at the end of the packet before handing the packet over to the driver, hence the 60 bytes and not 64 bytes.

In case you wonder why some packets in Wireshark do show up as smaller than 60 bytes, that happens when the packet is captured on the sending system for outgoing packets as the padding is done on the NIC, so (lib|win)pcap does not see the padding in that case.

Cheers,


Sake