Wireshark-users: Re: [Wireshark-users] Ethernet padding in tcpdump captures?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 4 Nov 2019 10:34:52 -0800
On Nov 4, 2019, at 6:30 AM, Andreas Sikkema <h323@xxxxxxxxxx> wrote:

> I have this weird problem filtering out empty UDP messages on my (Linux) firewall and in the captures I noticed something I haven't seen before. 
> 
> If I capture the traffic using tcpdump and open the files using Wireshark, I see Ethernet padding on the messages the firewall doesn't appear to match. 
> 
> Since the UDP messages are empty they are below the 64bytes minimum Ethernet length so padding is to be expected on the wire, but I have never before seen Ethernet padding in captures made on PC hardware running Linux. Is this common?

Unless Linux is removing the padding before the packet gets to a PF_PACKET socket, I would expect to see padding for short Ethernet packets in captures on Linux, at least if not done on the "any" device.  For *outgoing* packets, you probably won't see the padding, but for *incoming* packets, I'd expect to see the padding on all OSes.