tcpdump mailing list archives
pcap_next() caplen is off by 14 bytes (L2 len)
From: "Aaron Turner" <synfinatic () gmail com>
Date: Tue, 20 Mar 2007 00:43:24 -0700
So I'm very confused. Basically I have a loop:

    while ((pktdata = pcap_next(pin, pkthdr_ptr)) != NULL) {
        packetnum++;
        dbgx(2, "packet " COUNTER_SPEC " caplen %d", packetnum, pkthdr.caplen);
        <do something with pktdata>
    }

But when pkthdr.caplen != pkthdr.len for the original packet (as viewed by Wireshark 0.99.6), the pkthdr.caplen is 14 bytes (the length of the Ethernet L2 header) smaller than it should be. Basically, it appears that libpcap is cutting the caplen off by 14 bytes, even though the data is clearly there.

Packet dump example from tcpdump -XX:

0x0000: 0000 0000 0001 0002 3b00 3dce 0800 4500 ........;.=...E.
0x0010: 05dc 43f3 4000 2f06 f3bf 401c 4396 d81b ..C.@./...@.C...
0x0020: b29b 0050 8003 719d a602 6d05 bff5 8010 ...P..q...m.....
0x0030: 1b80 84cb 0000 0101 080a 1bc3 e4db 0008 ................
0x0040: 36eb 646f 742e 6f72 672f 6367 692d 6269 6.dot.org/cgi-bi
0x0050: 6e2f 6164 6c6f 672e 706c 3f69 6e64 6578 n/adlog.pl?index
0x0060: 2c74 6b67 6b30 3139 3265 6e27 2054 4152 ,tkgk0192en'.TAR
0x0070: 4745 543d 5f74 6f70 3e22 293b 0a64 6f63 GET=_top>");.doc
0x0080: 756d 656e 742e 7772 6974 6528 223c 494d ument.write("<IM

Same packet from Wireshark:

0000 00 00 00 00 00 01 00 02 3b 00 3d ce 08 00 45 00 ........;.=...E.
0010 05 dc 43 f3 40 00 2f 06 f3 bf 40 1c 43 96 d8 1b ..C.@./...@.C...
0020 b2 9b 00 50 80 03 71 9d a6 02 6d 05 bf f5 80 10 ...P..q...m.....
0030 1b 80 84 cb 00 00 01 01 08 0a 1b c3 e4 db 00 08 ................
0040 36 eb 64 6f 74 2e 6f 72 67 2f 63 67 69 2d 62 69 6.dot.org/cgi-bi
0050 6e 2f 61 64 6c 6f 67 2e 70 6c 3f 69 6e 64 65 78 n/adlog.pl?index
0060 2c 74 6b 67 6b 30 31 39 32 65 6e 27 20 54 41 52 ,tkgk0192en' TAR
0070 47 45 54 3d 5f 74 6f 70 3e 22 29 3b 0a 64 6f 63 GET=_top>");.doc
0080 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 49 4d ument.write("<IM
0090 47 20 53 52 43 3d 27 68 74 74 70 3a 2f 2f G SRC='http://

Notice the additional 14 bytes in the Wireshark decode: "G SRC='http://". This only happens when pkthdr.len != pkthdr.caplen.
For the record, this is libpcap 0.9.5 under OS X.

Thanks,
Aaron

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
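When an API-reported caplen looks wrong, the quickest independent check is to read the pcap record headers straight off the file and compare incl_len (caplen) and orig_len (len) with what the loop printed. The parser below is an added example, not code from the post or from libpcap; the sample file is constructed from the 14-byte Ethernet header in the dump with a zero-filled payload, the on-disk caplen of 158 and wire length of 1514 are taken from the dumps above (IP total length 0x05dc plus the L2 header), and the 144 it is compared against is assumed to be the value pkthdr.caplen reported.

```python
import struct

# Classic pcap file layout (little-endian, as written on x86):
#   global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
#   per-record header: ts_sec, ts_usec, incl_len (caplen), orig_len (len)
GLOBAL_HDR = "<IHHiIII"
RECORD_HDR = "<IIII"
PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1        # Ethernet, 14-byte link-layer header
ETH_HDR_LEN = 14


def parse_pcap(buf):
    """Return (snaplen, linktype, records); each record is (caplen, origlen, data).
    Rejects any record whose header disagrees with the bytes actually present."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(GLOBAL_HDR, buf, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = struct.calcsize(GLOBAL_HDR), []
    while off < len(buf):
        _sec, _usec, caplen, origlen = struct.unpack_from(RECORD_HDR, buf, off)
        off += struct.calcsize(RECORD_HDR)
        data = buf[off:off + caplen]
        # caplen may never exceed the wire length, the snaplen, or the bytes left in the file
        if len(data) != caplen or caplen > origlen or caplen > snaplen:
            raise ValueError("record header inconsistent with file contents")
        records.append((caplen, origlen, data))
        off += caplen
    return snaplen, linktype, records


def caplen_discrepancy(record, reported_caplen):
    """Bytes by which an API-reported caplen falls short of the on-disk record (0 = they agree)."""
    return record[0] - reported_caplen


# Constructed sample: link-layer header copied from the dump in the post, payload zero-filled.
# The frame was 1514 bytes on the wire but only 158 bytes were captured (a truncated record).
ETH_HDR = bytes.fromhex("00000000000100023b003dce0800")
FRAME = ETH_HDR + bytes(158 - ETH_HDR_LEN)
SAMPLE_PCAP = (struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
               + struct.pack(RECORD_HDR, 0, 0, len(FRAME), 1514) + FRAME)

if __name__ == "__main__":
    _snaplen, _lt, recs = parse_pcap(SAMPLE_PCAP)
    caplen, origlen, _data = recs[0]
    print(f"on-disk caplen={caplen} len={origlen} truncated={caplen != origlen}")
    # 144 is the assumed value pkthdr.caplen reported; the gap equals the L2 header length
    print("reported caplen short by", caplen_discrepancy(recs[0], 144), "bytes")
```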
Current thread:
- pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Guy Harris (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Guy Harris (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Guy Harris (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Aaron Turner (Mar 20)
- Re: pcap_next() caplen is off by 14 bytes (L2 len) Guy Harris (Mar 20)