tcpdump mailing list archives

pcap_next() caplen is off by 14 bytes (L2 len)


From: "Aaron Turner" <synfinatic () gmail com>
Date: Tue, 20 Mar 2007 00:43:24 -0700

So I'm very confused.  Basically I have a loop:

   /* Declarations assumed here from the loop's usage: pin is an open pcap_t,
      pkthdr_ptr points at pkthdr so the header filled in by pcap_next() can
      be read through either name. dbgx() and COUNTER_SPEC are tcpreplay's
      debug-print macro and packet-counter format specifier. */
   struct pcap_pkthdr pkthdr, *pkthdr_ptr = &pkthdr;
   const u_char *pktdata;

   while ((pktdata = pcap_next(pin, pkthdr_ptr)) != NULL) {
       packetnum++;
       dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);

       <do something with pktdata>

   }

But when pkthdr.caplen != pkthdr.len for the original packet (as
viewed by Wireshark 0.99.6) the pkthdr.caplen is 14 bytes (length of
the L2 header of ethernet) smaller than it should be.  Basically, it
appears that libpcap is cutting the caplen off by 14 bytes, even
though the data is clearly there:

packet dump example from tcpdump -XX:
       0x0000:  0000 0000 0001 0002 3b00 3dce 0800 4500  ........;.=...E.
       0x0010:  05dc 43f3 4000 2f06 f3bf 401c 4396 d81b  ..C.@./...@.C...
       0x0020:  b29b 0050 8003 719d a602 6d05 bff5 8010  ...P..q...m.....
       0x0030:  1b80 84cb 0000 0101 080a 1bc3 e4db 0008  ................
       0x0040:  36eb 646f 742e 6f72 672f 6367 692d 6269  6.dot.org/cgi-bi
       0x0050:  6e2f 6164 6c6f 672e 706c 3f69 6e64 6578  n/adlog.pl?index
       0x0060:  2c74 6b67 6b30 3139 3265 6e27 2054 4152  ,tkgk0192en'.TAR
       0x0070:  4745 543d 5f74 6f70 3e22 293b 0a64 6f63  GET=_top>");.doc
       0x0080:  756d 656e 742e 7772 6974 6528 223c 494d  ument.write("<IM

same packet from wireshark:
0000   00 00 00 00 00 01 00 02 3b 00 3d ce 08 00 45 00  ........;.=...E.
0010   05 dc 43 f3 40 00 2f 06 f3 bf 40 1c 43 96 d8 1b  ..C.@./...@.C...
0020   b2 9b 00 50 80 03 71 9d a6 02 6d 05 bf f5 80 10  ...P..q...m.....
0030   1b 80 84 cb 00 00 01 01 08 0a 1b c3 e4 db 00 08  ................
0040   36 eb 64 6f 74 2e 6f 72 67 2f 63 67 69 2d 62 69  6.dot.org/cgi-bi
0050   6e 2f 61 64 6c 6f 67 2e 70 6c 3f 69 6e 64 65 78  n/adlog.pl?index
0060   2c 74 6b 67 6b 30 31 39 32 65 6e 27 20 54 41 52  ,tkgk0192en' TAR
0070   47 45 54 3d 5f 74 6f 70 3e 22 29 3b 0a 64 6f 63  GET=_top>");.doc
0080   75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 49 4d  ument.write("<IM
0090   47 20 53 52 43 3d 27 68 74 74 70 3a 2f 2f        G SRC='http://


notice the additional 14 bytes in the wireshark decode: "G SRC='http://";

This only happens when pkthdr.len != pkthdr.caplen.  For the record,
this is libpcap 0.9.5 under OS X.

Thanks,
Aaron

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
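An added example (not part of Aaron's post, nor libpcap or tcpreplay code) for checking a discrepancy like this from the file's side: it parses classic pcap record headers itself, without libpcap, so the incl_len/orig_len stored on disk can be compared with the caplen an application printed. The sample record is constructed from the 158 bytes in the Wireshark dump above; the application-reported caplen of 144 (the end of the tcpdump -XX dump) and the orig_len of 1514 (14 + IPv4 Total Length 0x05dc) are assumed values for the demonstration.

```python
import struct

# Constructed sample: the 158 captured bytes of the packet from the post.
PKT = bytes.fromhex(
    "00000000000100023b003dce08004500" "05dc43f340002f06f3bf401c4396d81b"
    "b29b00508003719da6026d05bff58010" "1b8084cb00000101080a1bc3e4db0008"
    "36eb646f742e6f72672f6367692d6269" "6e2f61646c6f672e706c3f696e646578"
    "2c746b676b30313932656e2720544152" "4745543d5f746f703e22293b0a646f63"
    "756d656e742e777269746528223c494d" "47205352433d27687474703a2f2f")
ETH_HDR_LEN = 14
DLT_EN10MB = 1

def build_pcap(records, linktype=DLT_EN10MB):
    """Serialise (incl_len, orig_len, data) tuples into a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for incl_len, orig_len, data in records:
        out.append(struct.pack("<IIII", 0, 0, incl_len, orig_len) + data)
    return b"".join(out)

def read_records(blob):
    """Walk pcap records without libpcap; yields (incl_len, orig_len, data)."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"          # file written on a big-endian host
    else:
        raise ValueError("not a classic pcap file: magic %#x" % magic)
    off = 24               # skip the 24-byte global header
    while off < len(blob):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("record at offset %d truncated on disk" % off)
        yield incl_len, orig_len, data
        off += 16 + incl_len

def diagnose(reported_caplen, incl_len, data):
    """Compare the caplen an application printed with the record on disk.
    Returns (delta, wire_len_from_ip): delta = reported - on-disk incl_len
    (-14 on Ethernet is the symptom described in the post); wire_len_from_ip
    is 14 + the IPv4 Total Length, for cross-checking orig_len."""
    wire_len = None
    if len(data) >= ETH_HDR_LEN + 4 and data[12:14] == b"\x08\x00":
        wire_len = ETH_HDR_LEN + struct.unpack("!H", data[16:18])[0]
    return reported_caplen - incl_len, wire_len

def demo():
    """Assumed reported caplen of 144 against the 158-byte record: (-14, 1514)."""
    incl_len, _orig_len, data = next(read_records(build_pcap([(len(PKT), 1514, PKT)])))
    return diagnose(144, incl_len, data)
```

A delta of exactly -ETH_HDR_LEN points at the L2 header being dropped from the count somewhere between the file and the application, while a wire_len that matches orig_len confirms the on-disk record header itself is consistent.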

