[Winpcap-users] Ethernet Trailer
Guy Harris
guy at alum.mit.edu
Sun Oct 21 16:57:36 GMT 2007
ceo wrote:
> I sniff with Ethereal and find from time to time an "Ethernet
> Trailer" of a
> few bytes.
> What porpose does it serve?
At least on non-switched Ethernets, access to the Ethernet cable or hub
is arbitrated by a technique called Carrier Sense Multiple Access with
Collision Detection:
http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/csma-cd.html
As it notes, in order for that to work, Ethernet requires a frame to
have a minimum of 46 bytes of payload; with a 14-byte Ethernet header,
that's a minimum of 60 bytes (64 if you include the CRC at the end of
the frame, but that's not always captured - sometimes the Ethernet
adapter doesn't provide that to the host).
> How does the sniffer software discovers that?
Most protocols running atop Ethernet either
1) use the field in the Ethernet header after the source address as a
length field rather than a type field
or
2) have a length field in their own header (IPv4 and IPv6, for example,
do).
Those length fields indicate the *real* length of a packet for that
protocol, so that any extra padding at the end of the Ethernet packet
can be recogized as such.
> Can someone indicate some reference in the Internet on that?
For the padding, see the document with the URL given above, and look at
the "Collision Detection" section.
More information about the Winpcap-users
mailing list