Rob Henningsgard wrote:

> Can anyone tell me why Ethereal running with the latest WinPCap beta
> can sniff the following ICMP echo request packet, correctly reporting its length as 47 bytes...

Is that a packet being transmitted by the machine running Ethereal? If so, note that Ethereal is *NOT* capturing it from the network, it's just getting a copy handed to it by the networking stack. When it's transmitted on an Ethernet, the packet on the Ethereal *WILL* be padded to 60 bytes - if you capture it with a network analyzer capturing packets on some machine *other* than the one sending it, you'll see a length of 60 bytes.

> ...but when I stuff the same 47 bytes in a buffer and call pcap_sendpacket() with a pointer to the buffer and a length of 47, WinPCap pads the packet with $20's up to 60 bytes, causing Ethereal to capture this:

Is that also being transmitted by the machine running Ethereal?

If so, it might be a consequence of the way the Windows networking code works - it might be that if the packet is transmitted through WinPcap, it might be that the copy wrapped around as WinPcap input is wrapped around after it's been padded to 60 bytes.

> So can anyone tell me why a Motorola Ethernet card and a Linksys router can happily transmit 47-byte ICMP echo request and reply packets all day long, but pcap_sendpacket() cannot? The previous answer; "the minimum legal Ethernet packet is 60 bytes long," is not convincing in the face of the obviously-acceptable packets I've been sniffing.

It's more convincing if you understand that

1) Ethernet interfaces don't see their own packets, so if you're capturing traffic on a machine that's sending packets, the packets being transmitted by that machine are "wrapped around" as input for the capture mechanism;

2) that wrapping around can happen before the padding is done;

3) the wrapping around might be done differently for packets being transmitted through WinPcap.

Now, perhaps WinPcap is doing its own padding, so the driver doesn't have to - but seeing packets shorter than 60 bytes proves nothing if the packets are being transmitted by the machine capturing the packets.
==================================================================
This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/
To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
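
An added example, not part of the original message and not WinPcap or Ethereal code: C that shows the length arithmetic discussed above, where the copy handed to a capture on the sending machine can be 47 bytes while the same frame on the wire is 60, with the difference visible as bytes past the IPv4 total length. The frame layout (14 Ethernet + 20 IPv4 + 8 ICMP + 5 data), the function names and the zero pad byte are assumptions of this example; the message reports WinPcap padding with $20.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14   /* dst MAC + src MAC + EtherType */
#define ETH_MIN_NOFCS 60   /* minimum Ethernet frame, 4-byte FCS not counted */

/* Copy frame to out, zero-padded to the minimum; 0 if out is too small. */
size_t pad_frame(const uint8_t *frame, size_t len, uint8_t *out, size_t outsz)
{
    size_t n = len < ETH_MIN_NOFCS ? ETH_MIN_NOFCS : len;
    if (n > outsz) return 0;
    memcpy(out, frame, len);
    memset(out + len, 0, n - len);
    return n;
}

/* Bytes after the end of the IPv4 datagram (Ethernet padding), or -1 if
 * the frame is not IPv4-over-Ethernet or is truncated. */
long trailer_len(const uint8_t *frame, size_t caplen)
{
    if (caplen < ETH_HDR_LEN + 20) return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00 || (frame[14] >> 4) != 4) return -1;
    size_t ip_total = ((size_t)frame[16] << 8) | frame[17];  /* IPv4 total length */
    if (ip_total < 20 || ETH_HDR_LEN + ip_total > caplen) return -1;
    return (long)(caplen - ETH_HDR_LEN - ip_total);
}

/* Constructed 47-byte echo request; addresses and checksums left as zero. */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 47);
    buf[12] = 0x08; buf[13] = 0x00;   /* EtherType IPv4 */
    buf[14] = 0x45;                   /* version 4, header length 5 words */
    buf[16] = 0x00; buf[17] = 33;     /* total length = 20 + 8 + 5 */
    buf[23] = 1;                      /* protocol ICMP */
    buf[34] = 8;                      /* ICMP type: echo request */
    return 47;
}

int main(void)
{
    uint8_t raw[64], padded[64];
    size_t n = build_sample(raw), m = pad_frame(raw, n, padded, sizeof padded);
    printf("copy from local stack: %zu bytes, trailer %ld\n", n, trailer_len(raw, n));
    printf("frame on the wire:     %zu bytes, trailer %ld\n", m, trailer_len(padded, m));
    return 0;
}
```

A nonzero trailer on a 60-byte capture marks a frame that was padded before the capture point; a sub-60-byte capture can only be a local copy taken before padding.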
