[Winpcap-users] FCS
Loris Degioanni
loris.degioanni at gmail.com
Mon Jan 23 17:16:57 GMT 2006
First of all, WinPcap doesn't work only on Ethernet. It supports several
link layers, many of them don't have the same 4 bytes FCS that Ethernet
packets have.
Regarding your question. WinPcap captures what the underlying system
(i.e. the NIC driver, through the Microsoft NDIS framework) delivers to
it. WinPcap is able to return the CRC if it's included in the packet
from the NIC, but in most cases, the NIC or the NIC driver strip it from
the packet after checking it.
As a result:
- you don't see the CRC
- you don't see packets with wrong CRC, because they are rejected by the
underlying layers
When the description of a packet says "214 Bytes on wire", this normally
means that on an Ethernet network were transmitted
214 + Preamble + Start Frame Delimiter + FCS + Inter Frame Gap
Which if I remember well brings to 214 + 24 = 238 bytes.
Regarding the 47 bytes on wire: I assume these are packets leaving your
machine. In that case, WinPcap receives the packets *before* they go to
the wire, thanks to the NDIS "loopback" mechanism. In this situation,
the short packets are not padded to 60 (the minimum frame size on
Ethernet networks) yet.
Loris
Gerhard Ebner wrote:
> I have two very special questions
>
> is it right, that winpcap doesn't capture the FCS?
>
> does that mean?
>
> when the description of a packet says "214 Bytes on wire" then there
> are in reality 218 Byte plus preamble?
>
> sometimes I see only 47 bytes on wire
>
> I thought there must at least be 64
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
More information about the Winpcap-users
mailing list