On Jun 28, 2011, at 1:57 PM, Chris Maynard wrote:
> Guy Harris <guy@...> writes:
>
>> maxValidFrame is 1500. (And, yes, this means that values of the length/type
> field between 1501 and 1535
>> are, apparently, illegal.)
>
> So how should Wireshark handle such invalid frames?
Good question.
> As a simple test, I
> manually modified an IEEE 802.3 Ethernet packet and changed its length from 38
> bytes (with 8 bytes of trailer) to 1501 bytes. Wireshark displayed it as an
> Ethernet II frame of "Type: unknown (0x05dd)" and payload of 46 bytes.
Yes, the code currently treats all type/length field values < IEEE_802_3_MAX_LEN=1500 as type field values.
> But if 1501-1535 are invalid, maybe at the very least an Expert Info should be added to
> report it?
Yes.
My copy of version 1 of the DEC/Intel/Xerox Ethernet spec doesn't say anything about valid type field values, unless I missed it. Perhaps version 2 does; in any case, perhaps we should dissect frames with type/length fields in that range as invalid rather than as having a type *or* length field.