Wireshark-users: Re: [Wireshark-users] Nettl HP-UX

From: Kevin Cullimore <kcullimo@xxxxxxxxxx>
Date: Tue, 28 Jun 2011 18:00:41 -0400
On 6/28/2011 4:57 PM, Chris Maynard wrote:
Guy Harris<guy@...>  writes:

maxValidFrame is 1500.  (And, yes, this means that values of the length/type
field between 1501 and 1535
are, apparently, illegal.)
So how should Wireshark handle such invalid frames?  As a simple test, I
manually modified an IEEE 802.3 Ethernet packet and changed its length from 38
bytes (with 8 bytes of trailer) to 1501 bytes.  Wireshark displayed it as an
Ethernet II frame of "Type: unknown (0x05dd)" and payload of 46 bytes.  But if
1501-1535 are invalid, maybe at the very least an Expert Info should be added to
report it?
At the very least, it would prove extremely useful if Wireshark could distinguish between legitimate 802.1q frames and packets that contain too many bytes without a sufficient excuse.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe