TOPIC: ARP traffic in Wireshark is not as I expected

ARP traffic in Wireshark is not as I expected 9 years 1 month ago #23791

  • SteveP
  • Distinguished Member
  • Posts: 161
  • Karma: 0
Hi Everyone

I'm in the middle of some network courses (CompTIA N+ and CCNA) and my main area of interest is network security. I have XP Pro SP2 connected via wireless to an ADSL router and I've examined traffic on my network with WinDump and Wireshark. I understand that the minimum and maximum length of an ethernet frame is 64 and 1518 bytes respectively (destination MAC = 6, source MAC = 6, type = 2, data = 46 to 1500 and CRC = 4).

I launched Wireshark then ran some commands at the CMD console and navigated to some new web pages. I examined the capture and, in particular, ARP in the protocol column. I was surprised to see that each frame was reported as "42 bytes on wire, 42 bytes captured" and the protocols in the frame were reported as "eth:arp" (I checked carefully and counted the number of bytes in the frame as 42 decimal rather than 42 hex). I was under the impression that, if the data section of the ethernet frame is less than 46 bytes, padding is added to fill up to 46 bytes.

I've seen a video by Laura Chappell (expert at Wireshark University) which shows an ethernet/arp frame and it does show padding to fill the ethernet data section to the minimum necessary.

I have the most recent version of Wireshark (0.99.6a) and have installed WinPcap version 4.0.1 which the Wireshark installation recommended.

Does anyone have any idea why the padding isn't shown on my system?

One final thing is I realise that the preamble and CRC of the ethernet frame aren't displayed (confirmed in the Wireshark wiki). Is there any way that I could see this information? It's of no practical value, I'd just like to know if it can be displayed in some way.

Thanks for your time (and patience!).

Re: ARP traffic in Wireshark is not as I expected 9 years 1 month ago #23800

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Mine does the same. It doesn't appear to be showing the CRC.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: ARP traffic in Wireshark is not as I expected 9 years 1 month ago #23814

  • TheBishop
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
Hmm. Never noticed that. Is that a bug?

Re: ARP traffic in Wireshark is not as I expected 9 years 1 month ago #23826

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
It looks more like the padding is missing. This could be due to a vulnerability in some tcp/ip stacks where data can leak through the padding?

xforce.iss.net/xforce/xfdb/10996

Re: ARP traffic in Wireshark is not as I expected 9 years 1 month ago #23827

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Also, Wireshark doesn't display the FCS see wiki.wireshark.org/Ethernet

Not sure where the rest has gone (must be padding).
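An added example, not code from this thread or from Wireshark: a small Python parser that takes raw Ethernet/ARP frames as bytes and reports what follows the 28-byte ARP body. The three outcomes it distinguishes are the ones discussed above: no trailer at all (the 42-byte frames Steve sees, which is what a capture driver records for frames the capturing host itself sends, because the NIC appends the padding and the FCS afterwards and strips the FCS again on receive), all-zero padding (the clean case in the video), and a non-zero trailer (the "faulty padding" case, where the bytes filling the frame up to the 60-byte captured minimum carry leftover data, which is the leak Smurf's link describes). All frames below are constructed inline; the function and variable names are my own.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
FCS_LEN = 4
ETH_MIN_ON_WIRE = 64      # 802.3 minimum frame length, FCS included
ETH_MIN_CAPTURED = ETH_MIN_ON_WIRE - FCS_LEN   # 60: the NIC strips the FCS before the driver sees the frame
ETHERTYPE_ARP = 0x0806
ARP_IPV4_LEN = 28         # ARP request/reply body for IPv4 over Ethernet
EXPECTED_ARP_PAD = ETH_MIN_CAPTURED - ETH_HDR_LEN - ARP_IPV4_LEN   # 18 bytes of padding on a received ARP frame


def build_arp_request(src_mac, src_ip, target_ip, trailer=b""):
    """Constructed sample ARP 'who-has' broadcast (not a real capture).
    'trailer' stands in for whatever follows the 28-byte ARP body in the capture."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, opcode 1 (request)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + src_mac + src_ip + b"\x00" * 6 + target_ip)
    return eth + arp + trailer


def classify_arp_frame(frame):
    """Parse one Ethernet/ARP frame and classify the bytes after the ARP body."""
    if len(frame) < ETH_HDR_LEN + ARP_IPV4_LEN:
        raise ValueError("frame too short to hold an Ethernet header and an ARP body")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    trailer = frame[ETH_HDR_LEN + ARP_IPV4_LEN:]
    if not trailer:
        # 42 bytes: recorded before the NIC added padding (typical for frames this host transmits)
        verdict = "unpadded"
    elif not any(trailer):
        # padding present and all zeros: the normal case for a received frame
        verdict = "zero-padded"
    else:
        # padding present but carrying data: worth investigating the sending stack
        verdict = "nonzero-trailer"
    return {
        "frame_len": len(frame),
        "trailer_len": len(trailer),
        "trailer_hex": trailer.hex(),
        "verdict": verdict,
    }


def summarize(frames):
    """Count verdicts over a list of frames, e.g. all ARP frames pulled from a capture."""
    counts = {"unpadded": 0, "zero-padded": 0, "nonzero-trailer": 0}
    for frame in frames:
        counts[classify_arp_frame(frame)["verdict"]] += 1
    return counts


# Constructed sample frames (MAC and IP values are made up for the example)
SRC_MAC = bytes.fromhex("001122334455")
SRC_IP = bytes([192, 168, 1, 10])
TARGET_IP = bytes([192, 168, 1, 1])
SAMPLE_FRAMES = [
    build_arp_request(SRC_MAC, SRC_IP, TARGET_IP),                              # 42 bytes, as in the question
    build_arp_request(SRC_MAC, SRC_IP, TARGET_IP, b"\x00" * EXPECTED_ARP_PAD),  # 60 bytes, clean padding
    build_arp_request(SRC_MAC, SRC_IP, TARGET_IP, b"\x41" * EXPECTED_ARP_PAD),  # 60 bytes, padding carries data
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(classify_arp_frame(frame))
    print(summarize(SAMPLE_FRAMES))
```

To use this on a real capture, feed it the raw bytes of each ARP frame (for instance from a pcap reader); frames the host itself sent will usually come back "unpadded", frames from other hosts "zero-padded", and anything "nonzero-trailer" points at a sender whose stack fills padding from uninitialised memory.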

Re: ARP traffic in Wireshark is not as I expected 9 years 1 month ago #23829

  • SteveP
  • Distinguished Member
  • Posts: 161
  • Karma: 0
Thank you for the feedback. Here's the video by Laura Chappell (hxxp://www.wireshark.org/news/20070924.html) which shows padding (zeros as well as faulty padding, as concurred by Smurf).

I don't know which version of Wireshark is used in the video. I wonder if anyone has a different version (or a previous version of Ethereal) to check if this behaviour is only demonstrated in Wireshark v0.99.6a and Winpcap v4.0.1? If everything's OK with a different version, I think I'll report it as a bug which they can investigate.