Wireshark-users: Re: [Wireshark-users] Ethernet FCS Trailer

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Tue, 22 Feb 2011 10:17:11 -0700
On Tue, Feb 22, 2011 at 03:49:31AM -0800, Abhijeet wrote:

> I am trying to understand the Ethernet FCS trailer, when i do a packet 
> capture on the local LAN i never see FCS trailer appended to Ethernet 
> Frame. Can some shed more light on this behavior is this something 
> expected because we no longer attached FCS or it is stripped of hence 
> not see.

When the Ethernet NIC receives a frame on the wire, it checks the 4 byte 
Frame Check Sequence (FCS/CRC) at the end of the frame.  If it fails the 
check, the frame is discarded.  If it passes, it is almost always 
stripped and then the remaining portion of the frame is sent to the 
computer/operating system/Wireshark.

> Further i have a sample capture which shows FCS in Ethernet frames 

Wireshark uses some best guesses to determine if it's a checksum or 
other trailer.

> also the packet is recognized as Shim6 header.

Wireshark is coded to believe IP protocol #61 is a "SHIM6 Header" 
although it has no dissector for it.  According to the IANA, IP protocol 
#61 is "any host internal protocol" as shown below:

  http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

> I am attaching the capture for someone to have a look at it and can 
> someone say weather this is valid packet.

Valid in what sense?