From the Core to the Cloud, See it All

Simplify, secure and scale your hybrid cloud infrastructure to accelerate digital innovation.

LEARN MORE

CLOUD VISIBILITY

GET A DEMO

DATACENTER VISIBILITY

GET A DEMO

NETWORK SECURITY

GET A DEMO

INDUSTRY

A Thriving Partner Ecosystem

Gigamon reseller and integration partners design, implement and optimize best-of-breed and validated joint solutions.

FIND A PARTNER

NOT A PARTNER?

ALREADY A PARTNER?

Proven Support and Services

Our global support team is committed to creating experiences of unmatched quality, scalability and efficiency.

MY GIGAMON

OVERVIEW

GET SUPPORT

COMMUNITY

Customer Success

Our global customers are empowered to transform their businesses and innovate with the power of complete network visibility and analytics.

CUSTOMERS

ANU

Australian National University

Fosters a safer campus community with Gigamon.

cegedim

Cegedim.cloud

Improves cloud infrastructure and visibility.

 

department of defense

Department of Defense

Confidently feeds different tool sets in the physical and the virtual world.

Resource Library

Your one-stop hub to explore content resources to stay current on the latest in network visibility and analytics.

RESOURCES

Network Tool Efficiency Evaluation

Efficient Tools Are Happy Tools

Answer a few questions and get real-time insights.

def-guide

Achieve Hybrid Cloud Observability

Strengthen visibility and security.

ebook

Deep Observability eBook

Supercharge your tools with real-time, actionable, packet-level intelligence.

WHY GIGAMON

We are the first company to deliver a unified visibility and analytics architecture across your hybrid infrastructure to simplify, secure and scale IT operations.

LEARN MORE

IN THE NEWS

COMPANY INFORMATION

Deep Observability

Supercharge Your Security and Observability Tools

Without deep observability, you're exposed.

Great Place to work

Join the Team

Become a part of the OneGigamon team. Search for your next opportunity.

SHARE
Uncategorized / March 31, 2016

Why Packet Slicing Displays 4 Bytes Less Than Configured

Ollie Sheridan  

When packet slicing packets and recording the subsequent output in Wireshark on a windows Laptop/PC, you will notice that you’re missing 4 bytes of data. For example, when slicing at 64 bytes you will only see a maximum of 60 bytes in Wireshark when using this configuration:

gsop alias GS-Slice slicing protocol none offset 64 port-list gsg1

Note that I have chosen “none” as the starting point which essentially means that the offset starts from the beginning of the Ethernet Frame.

This shows up with only 60 bytes displayed (not what we were looking for!) as follows:

PacketSlicing-1

The reason for this is that the GigaSMART module is slicing the packet (read: Ethernet frame) correctly as it includes the CRC (aka FCS) on the packet. When the packet is received by the Windows NIC card driver it actually removes the CRC from the packet (this is actually performed by the WinPcap driver) before passing it to the Wireshark program for display. It’s probably worthwhile mentioning that the Windows NIC driver removes VLAN tags in the same way which is why they don’t show up in Wireshark either (unless loaded from a pcap file).

So if I change the slicing offset to 68 (i.e. 64 + 4) with the following configuration:

gsop alias GS-Slice slicing protocol none offset 68 port-list gsg1

…we get within Wireshark the results that we expect:

PacketSlicing-2

You will notice that there are some packets (e.g. packet #3) that are less than 64 bytes which is because they are less then 64 bytes on the wire. It’s worth mentioning at this point that the windows driver (WinPcap) also removes all the padding, as the Ethernet standard dictates that Ethernet frames must be a minimum of 64 bytes. This would obviously be different if displayed in a more advanced protocol analyzer.

The packets do look odd as Wireshark correctly points out that the IP Length field differs from the packet captured, so to get around that you can alter the snaplen when capturing – to see how to do that you can read about it here.

To illustrate this, the below shows the same packets displayed in Wireshark with a snaplen of 48 (note that the snaplen has to be less than the sliced packet size received by Wireshark):

PacketSlicing-3

    COMPANY
    GET HELP
    PRODUCTS & SOLUTIONS
    POPULAR LINKS
    • ©Gigamon 2022
    Back to top