Is the 64-byte minimal Ethernet packet rule respected in practice?

ethernet

A quick WireShark scan of my network interface reveals a bunch of Ethernet packets which are less than 64 bytes in length. I know that WireShark strips off the trailing 4 byte CRC, but I still see some ARP packets with 42 bytes, some IGMPv3 with 54 bytes and some TCP with 54 bytes.

Is the 64-byte minimum Ethernet packet rule respected? What are the consequences of not respecting the rule?


Solution 1:

If you look more carefully, you will notice that all frames which are shorter than the minimum frame size (60 bytes without FCS) are frames which are transmitted by your machine. Received frames should be padded to 60 bytes without FCS; they contain the “Padding” field under “Ethernet II” in the Wireshark “Packet Details” window, which corresponds to those extra bytes.

At least in Linux, all transmitted frames which are shorter than 60 bytes should be automatically padded by the network driver (or even NIC hardware) before the transmission, but Wireshark does not show this, because frames are copied to the packet socket used by Wireshark before that padding is added.

Originally the minimum frame size was specified to make the CSMA/CD protocol used for the shared Ethernet medium work properly — reliable collision detection requires that the time needed to transmit a frame (which is proportional to its size together with all headers and preamble) must be greater than the signal propagation time between any two stations. Current Ethernet is in most cases not actually a shared medium (switches with full-duplex links do not perform collision detection). Technically enforcing a minimum frame size would not be required on a full-duplex link, but it is still done for compatibility reasons.

Since Gigabit Ethernet the 64-byte minimum frame size is no longer enough for collision detection when using practical cable lengths, and simply increasing the minimum frame size would lead to significant waste of bandwidth, therefore the Carrier Extension mechanism is introduced for half-duplex gigabit links (see also here for more information). Carrier extension is implemented in network hardware and not visible to software. In theory, using carrier extension makes enforcing the minimum frame size optional for half-duplex links, and with full-duplex links neither carrier extension nor minimum frame size are needed. However, the 64-byte minimum frame size is still kept, probably for compatibility with old software which could expect it.

Solution 2:

This a one of those "it depends" questions I'm afraid

Is the 64-byte minimum Ethernet packet rule respected?

On what? a switch, between NICs etc?

What are the consequences of not respecting the rule?

Again on what and how?

Generally the worst case scenario is the packets get dropped, that's it, it won't set your data centre on fire (though don't quote me on that, not in any legal documents anyway :) ). If it hits a router it'll probably be reframed anyway on the way out and on a switch it'll either get through or not - pretty binary really.

Solution 3:

I have also noticed that when wireshark is run on the system that is sending the packet, it can be displayed as fewer than 60 bytes. But, if you capture that particular packet on the receiving system, it will be padded out to 60 bytes with zeroes.

Related

Can XFS or GlusterFS replace my ZFS needs?
LDAP distinguished name validator
What tools should I use for DNS diagnostic?
What is the purpose of openssl passwd
Changing language on the fly, in running iOS, programmatically
view all possible attributes of an objectClass for LDAP
Can't install nginx using epel repo on Centos 7 (64bit)
HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed
Disable windows file shares without losing share config
Forward one IP to a docker container
How do I include subclasses in Swagger API documentation/ OpenAPI specification using Swashbuckle?
Regex for multiple sshd Received disconnect from ... [preauth]