4

Can anyone tell me what the "Length" column in WireShark refers to?

I'm pretty sure it's the "size" of the entire frame on the wire. I did some calculations, but I didn't get the number that WireShark is reporting.

Does anyone know what the "length" includes? I read somewhere that the preamble (7 octets), start of frame delimiter (1 octet), and FCS (4 octets) aren't normally captured, but does this mean that WireShark still adds these numbers to get to the "length" calculation?

slantalpha
  • 305
  • 1
  • 4
  • 15

3 Answers3

8

It's the count of the bytes that were captured for that particular frame; it'll match the number of bytes of raw data in the bottom section of the wireshark window.

The contents of the capture depend on how the capture was done, but typically a capture grabs from the start of the header to the end of the payload.

Click on the decoded protocol parts in the wireshark window, it will highlight which parts of the data are part of which protocol and what the different headers captured mean.

Shane Madden
  • 112,982
  • 12
  • 174
  • 248
6

See Shane Madden's answer.

Also note that

  1. Wireshark doesn't add numbers to get that length, it gets the number from libpcap/WinPcap, which gets it from the underlying capture mechanism, which usually gets the number from the device driver, which typically gets it from the hardware.
  2. On Ethernet, the preamble and SOF delimiter are rarely captured (I don't think it's ever captured by regular Ethernet hardware and regular Ethernet device drivers), and the FCS is usually not captured but sometimes might be (the reason why Wireshark has heuristics to try to guess whether there's an FCS or not is that the Ethernet adapter and Mac OS X driver on at least one machine I was using did supply the FCS, so incoming packets included the FCS, although outgoing packets didn't.
  3. On other networks, It Depends(TM). For 802.11, you might or might not get the FCS, and you might also get a header before the 802.11 header containing radio metadata (data rate, channel, etc.; that data is not data that was transmitted as bits on the air, but it does show up in the packet data and does get counted as part of the length. For PPP, you might or might not see the FCS and, for PPP in HDLC-like framing, you might or might not see the HDLC-like header.

Also, for Ethernet, see my answer to this question about capturing the preamble, SFD, and FCS.

Community
  • 1
1

In short, It is the size of the network packet which is mentioned on the packet details pane.

Wireshark Packet Details Frame GUI

jxramos
  • 759
  • 1
  • 8
  • 11
Bharath WAJ
  • 11
  • 1