tcpdump mailing list archives
Re: pcap_next() caplen is off by 14 bytes (L2 len)
From: Guy Harris <guy () alum mit edu>
Date: Tue, 20 Mar 2007 01:24:04 -0700
Aaron Turner wrote:
notice the additional 14 bytes in the wireshark decode: "G SRC='http://"
When you say "same packet", do you mean that you ran "tcpdump -XX" on a capture file, and ran Wireshark on the same capture file, and got the "packet dump example from tcpdump -XX" output from tcpdump and the "same packet from wireshark" output in the hex dump pane in Wireshark?
Or was one, or the other, of those a live capture? And how were those packets captured? Is your program doing a live capture or reading from a capture file? What snapshot length did you use when doing the capture or captures (snaplen argument in pcap_open_live, "-s" argument in tcpdump or TShark, whatever the dialog box says in Wireshark)?
This only happens when pkthdr.len != pkthdr.caplen. For the record, this is libpcap 0.9.5 under OS X.
Which OS X release?