Ethernet Trailers seen as TCP Payload

Nov 25, 2010 at 11:10 AM

I am using pcap.net to pull out the data from TCP communications in pcap captures.

The issue I have seen is some of the ethernet frames have a 6 byte trailer. this is beeing seen by pcap.net as tcp payload and I have not found a way of ignoring these packets.

Has anyone else come across this and found a way round it?

Nov 25, 2010 at 6:38 PM

I have managed to cope with the situation with using the calculation of TCP Data Length= IP length - (IP header length + TCP Header length). Any result will give me the number of bytes of TCP data rather than relying on the tcp.payloadLength which was returning the length of the ethernet trailer as a false result.

I am suing 0.6.0 as I need .NET 3.5 SP 1

Coordinator
Nov 28, 2010 at 8:54 AM

Hi 40pints,

 

Pcap.Net version 0.7.0 supports Ethernet Trailers.

Version 0.6.0 does not support them.

I recommend upgrading to 0.7.0 (Even though it does require VS2010 and .NET 4) so you can get full support for Ethernet Trailers.

If you have issues with Ethernet Trailers in 0.7.0 or later, do let me know.

 

Boaz.