On Nov 4, 2019, at 6:30 AM, Andreas Sikkema <h323@xxxxxxxxxx> wrote:
> I have this weird problem filtering out empty UDP messages on my (Linux) firewall and in the captures I noticed something I haven't seen before.
>
> If I capture the traffic using tcpdump and open the files using Wireshark, I see Ethernet padding on the messages the firewall doesn't appear to match.
>
> Since the UDP messages are empty they are below the 64 bytes minimum Ethernet length so padding is to be expected on the wire, but I have never before seen Ethernet padding in captures made on PC hardware running Linux. Is this common?

Unless Linux is removing the padding before the packet gets to a PF_PACKET socket, I would expect to see padding for short Ethernet packets in captures on Linux, at least if not done on the "any" device. For *outgoing* packets, you probably won't see the padding, but for *incoming* packets, I'd expect to see the padding on all OSes.
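
The following is an added example, not part of the original thread: a small Python check that measures the Ethernet padding discussed above by comparing the captured frame length with the IPv4 total length. The sample frame, addresses and ports are constructed, and it assumes a capture without the 4-byte FCS (so a minimum-size frame is 60 bytes) and at most one 802.1Q tag.

```python
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETH_MIN_NO_FCS = 60  # 64-byte minimum frame minus the 4-byte FCS (assumed absent)


def build_empty_udp_frame(pad_to_min):
    """Constructed sample: Ethernet + IPv4 + UDP carrying zero payload bytes."""
    eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
           + struct.pack("!H", ETHERTYPE_IPV4))
    # IPv4 total length 28 = 20 (IP header) + 8 (UDP header); checksum left 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 40001, 8, 0)  # UDP length 8: header only
    frame = eth + ip + udp  # 42 bytes, below the Ethernet minimum
    if pad_to_min and len(frame) < ETH_MIN_NO_FCS:
        frame += b"\x00" * (ETH_MIN_NO_FCS - len(frame))
    return frame


def ethernet_padding(frame):
    """Return bytes following the IPv4 datagram, or None if that cannot be determined."""
    if len(frame) < ETH_HLEN:
        return None
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_VLAN:  # skip a single 802.1Q tag
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    (total_len,) = struct.unpack_from("!H", frame, offset + 2)
    end = offset + total_len
    if total_len < 20 or end > len(frame):
        return None  # malformed header or capture truncated by snaplen
    return frame[end:]


if __name__ == "__main__":
    for padded in (True, False):
        f = build_empty_udp_frame(padded)
        print(len(f), "byte frame,", len(ethernet_padding(f)), "bytes of padding")
```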