VMware Cloud Community
skendric
Contributor
Contributor
‎11-25-2012 05:30 AM
Jump to solution

Ethernet Frame Check Sequence set to 0x00000000

I'm intermittently seeing ARP frames (both requests and responses) equipped with an FCS set to all zeros.

On one particular VLAN, ~300,000 ARP frames in an ~hour, of which ~1100 contained an all-zeros FCS.  Casual inspection suggests that only Windows VMs are producing these odd ARPs.

I saw this first by capturing using Wireshark loaded on a Windows VM.  However, the trace I reference here was taken using a Fluke Optiview XG (one of its 'Network Ports', i.e. custom hardware capable of line-rate capture).

Seems to me that any frame with an FCS of all zeros will be dropped by receiving hosts ('bad FCS').

We're running vSphere 4.0.0 Build 385281

Here's a screen shot of one such frame.

sample-all-zeros-fcs-frame.png

For a trace, see https://vishnu.fhcrc.org/bad-fcs/

I'm trying to figure out how to capture all frames (not just ARPs) containing an FCS set to 0x0000, to see how wide spread this issue is.

Searching the Communities site for 'Frame Check Sequence', I haven't seen any postings which fit this

Suggestions for other search strings?  Anyone seen this already?

--sk

Stuart Kendrick

FHCRC

1 Solution

Accepted Solutions
SteveFuller2011
Enthusiast
Enthusiast
‎11-25-2012 11:28 PM
Jump to solution

I don't believe this is really an FCS of 0, but instead is Wireshark reading the all 0 trailer of the frame as the FCS.  The first thing to check is whether the capture actually includes the FCS. As per http://www.wireshark.org/faq.html#q7.10 most OS do not. support capturing the FCS.

The second thing will be to take a look at your Wireshark preferences. From the menu, select Edit -> Preferences, expand the Protocols section, scroll down to Ethernet and check the setting of the Assume Packets have FCS. If this is checked, Wireshark will do exactly as it says i.e., assume the packet has an FCS, and will give you the incorrect FCS error message you're seeing.

Regards

View solution in original post

2 Replies
SteveFuller2011
Enthusiast
Enthusiast
‎11-25-2012 11:28 PM
Jump to solution

I don't believe this is really an FCS of 0, but instead is Wireshark reading the all 0 trailer of the frame as the FCS.  The first thing to check is whether the capture actually includes the FCS. As per http://www.wireshark.org/faq.html#q7.10 most OS do not. support capturing the FCS.

The second thing will be to take a look at your Wireshark preferences. From the menu, select Edit -> Preferences, expand the Protocols section, scroll down to Ethernet and check the setting of the Assume Packets have FCS. If this is checked, Wireshark will do exactly as it says i.e., assume the packet has an FCS, and will give you the incorrect FCS error message you're seeing.

Regards

skendric
Contributor
Contributor
‎11-26-2012 06:55 AM
Jump to solution

Yes, that's it.  For some reasons, some VMs are padding their ARPs with zeros ... and my capture technique strips the FCS ... Wireshark assumes that an ARP which exceeds 60 bytes must include an FCS, performs the FCS calculation on the last four bytes, and fails of course.

Thank you,

--sk

0 Kudos