tcpdump mailing list archives

pcap files with file header snaplen < packet header caplen


From: "Aaron Turner" <synfinatic () gmail com>
Date: Thu, 30 Nov 2006 13:08:27 -0800

Hi All,

I've seen this a few times where a pcap file header has a snaplen of
say 100 bytes, but then one or more packet headers say the caplen (and
actual packet data) is larger.  When you read this file with libpcap,
it returns the lesser of the two values and truncates the data
accordingly.

I guess I can understand why libpcap takes the min of snaplen &
caplen, but it would be nice if libpcap returned the actual captured
data rather than truncating it.

Unfortunately, I don't know where or how these pcap files were
generated, so I don't know what's causing this to happen or how
widespread it is.  Could this have been a bug in earlier versions of
libpcap??  Reading savefile.c I see a reference to a Solaris 2.3 bug,
but I'd guess this isn't the issue.

For reference, here's the beginning of one pcap file which has this issue:

00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  64 00 00 00 01 00 00 00  9e 4e 6b 44 33 cc 0b 00  |d........NkD3...|
00000020  86 01 00 00 86 01 00 00  00 03 ba a1 96 41 00 c0  |.............A..|

Here we see little-endian formatted pcap file, where the file header
snaplen is 100 bytes and the first packet header caplen and len are
390 bytes.

Thanks,
Aaron

--
Aaron Turner
http://synfin.net/
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
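As an added example (not code from the original post or from libpcap), the following Python checker parses the classic pcap file header and each record header, flags records whose caplen exceeds the file header snaplen, and reports how many bytes a reader applying min(snaplen, caplen) would hand back. The sample file is constructed inline to mirror the header values in the dump above (snaplen 100, first record caplen = len = 390); the second record is made up to show a record that is within snaplen.

```python
import struct

PCAP_LE_MAGIC = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written little-endian
PCAP_BE_MAGIC = b"\xa1\xb2\xc3\xd4"

def build_sample_pcap():
    """Constructed sample: file header snaplen=100, first record claims 390 bytes."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 100, 1)
    # ts_sec / ts_usec taken from the posted dump, caplen and len both 390
    rec1 = struct.pack("<IIII", 0x446b4e9e, 0x000bcc33, 390, 390) + bytes(390)
    # second record (constructed) stays within snaplen
    rec2 = struct.pack("<IIII", 0x446b4e9f, 0, 60, 60) + bytes(60)
    return hdr + rec1 + rec2

def check_snaplen(data):
    """Return (snaplen, records) where each record is
    (index, caplen, wirelen, kept) and kept = min(snaplen, caplen),
    i.e. the byte count a reader that truncates to snaplen would return."""
    magic = data[:4]
    if magic == PCAP_LE_MAGIC:
        end = "<"
    elif magic == PCAP_BE_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %s)" % magic.hex())
    _, _vmaj, _vmin, _tz, _sig, snaplen, _lt = struct.unpack(end + "IHHiIII", data[:24])
    off, idx, records = 24, 0, []
    while off + 16 <= len(data):
        _ts, _us, caplen, wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        # Always advance by the record's own caplen; stepping by snaplen
        # instead would desynchronise every following record header.
        if off + caplen > len(data):
            raise ValueError("record %d: caplen %d runs past end of file" % (idx, caplen))
        records.append((idx, caplen, wirelen, min(snaplen, caplen)))
        off += caplen
        idx += 1
    return snaplen, records

def oversized_records(data):
    """Indexes of records whose caplen exceeds the file header snaplen."""
    snaplen, records = check_snaplen(data)
    return [idx for idx, caplen, _w, _k in records if caplen > snaplen]

if __name__ == "__main__":
    sample = build_sample_pcap()
    snaplen, records = check_snaplen(sample)
    for idx, caplen, wirelen, kept in records:
        flag = "  <-- caplen > snaplen" if caplen > snaplen else ""
        print("record %d: caplen=%d len=%d kept=%d%s" % (idx, caplen, wirelen, kept, flag))
```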