tcpdump mailing list archives

Re: Libpcap receives partial packets (pcap_pkthdr.caplen<pcap_pkthdr.len)


From: Michael Richardson <mcr () sandelman ca>
Date: Wed, 09 May 2012 15:36:16 -0400


"Hrju" == Hrju Blja <dljavsjakojhujni () gmail com> writes:
    Hrju> Hi, I develop a Linux sniffer application , which uses libpcap
    Hrju> 1.2.0 library.  The problem is that on some 2.6.16 and 2.4
    Hrju> kernel machines, which are pretty much "usual", SOMETIMES SOME
    Hrju> packets are captured partially, i.e.  tpacket_hdr structure
    Hrju> tp_snaplen value is less than tp_len value. I see this right
    Hrju> after that libpcap code calls RING_GET_FRAME on pcap_t handle,
    Hrju> so my assumption is that libpcap is not "guilty" here, but some
    Hrju> kernel infrastructure is.

    Hrju> After short investigation I found that in create_ring()
    Hrju> function the max frame size is set to MTU size + 18. It did
    Hrju> not help, but confused even more - my partial packets are of
    Hrju> size much larger than the NIC MTU, e.g. MTU size is 1500, while
    Hrju> partial packets captured size is 3128, and 3400 on the wire.

Another possibility is that you have something in your network stack
which is assembling fragments for you prior to reaching the point where
the pcap hook occurs.

I wouldn't expect to see any such thing on a stock kernel, but I have
seen it with various proprietary "firewalls" and bridge interfaces
(VMware used to plug into the network at a bad place, I thought that
this was fixed years ago, however), and also with some vendors' Network
Accelerator/TCP-offload cards.


