Wireshark mailing list archives

Re: tcpdump with snaplen set to 128


From: Guy Harris <guy () alum mit edu>
Date: Mon, 15 Oct 2012 13:42:55 -0700


On Oct 15, 2012, at 12:54 PM, Perry Smith <pedzsan () gmail com> wrote:

With a fairly simple ftp trace where we capture only the first 128 bytes of data, wireshark displays that it did not 
see the previous segment.  The IP header says that it is a 1500 byte packet.  Wireshark is using the capture length of 
128 instead of the real packet length.  e.g. the next sequence is the current sequence plus the captured length, not 
the IP packet length.

If by "sequence" you mean TCP sequence number, and the actual packet length as recorded in the file is more than 128 
bytes, that would *absolutely* be a Wireshark bug - the captured length should be used in as few places as possible; it 
should *only* be used to check whether particular packet data is actually available in the captured data, it should 
*never* be used as an indication of how much data there actually *is*.

However, I'm not seeing that in a tcpdump capture I did with a snapshot length of 128; in the Frame section of the 
1500-byte IP datagram, what do the "Frame Length" and "Capture Length" fields say?  "Frame Length" *should* say 1514 
(I'm assuming from the "1500" that this is IP-over-Ethernet, with a 14-byte Ethernet header); if it's only 128, the 
file wasn't recorded correctly (or was recorded by software that, for some reason, wasn't able to get the packet's 
actual length).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
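The distinction Guy draws above (captured length says only how many bytes of the packet are present in the file; the frame length and the IP total length say how long the packet really was) is the whole story behind the symptom Perry describes. The following is an added example, not code from the thread or from Wireshark/tcpdump: it constructs a small libpcap file in memory containing two Ethernet/IPv4/TCP segments truncated to a 128-byte snapshot length, parses it, and computes the next expected TCP sequence number the right way (from the IP total length) alongside the wrong way (from the captured length). The frame contents, addresses, ports and sequence numbers are made up for the demonstration.

```python
import struct

# Constructed sample data: not a capture from the mailing-list thread.
PCAP_MAGIC = 0xA1B2C3D4       # little-endian libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def build_tcp_frame(seq, payload_len, snaplen):
    """Build an Ethernet/IPv4/TCP frame carrying payload_len bytes of payload,
    then truncate it to snaplen the way tcpdump -s <snaplen> would.
    Returns (orig_len, captured_bytes): the two lengths a pcap record stores."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip_total_len = 20 + 20 + payload_len          # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 20, 12345, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + bytes(payload_len)   # zero-filled payload (constructed)
    return len(frame), frame[:snaplen]


def build_pcap(frames, snaplen):
    """Serialise (orig_len, captured_bytes) pairs into a libpcap file image.
    Each record header carries incl_len (captured) and orig_len (on the wire)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, (orig_len, data) in enumerate(frames):
        out += struct.pack("<IIII", 1350000000 + i, 0, len(data), orig_len) + data
    return out


def analyse(data, caplen, origlen):
    """Decode one truncated Ethernet/IPv4/TCP record and derive both the
    correct and the mistaken 'next sequence number'."""
    ihl = (data[ETH_HDR_LEN] & 0x0F) * 4
    ip_total_len, = struct.unpack_from("!H", data, ETH_HDR_LEN + 2)
    tcp_off = ETH_HDR_LEN + ihl
    seq, = struct.unpack_from("!I", data, tcp_off + 4)
    tcp_hlen = (data[tcp_off + 12] >> 4) * 4
    # Right: the segment length comes from the IP header, not from how much was captured.
    segment_len = ip_total_len - ihl - tcp_hlen
    # Wrong: inferring payload length from the bytes present in the file.
    captured_payload = caplen - tcp_off - tcp_hlen
    return {
        "frame_len": origlen,            # what Wireshark shows as "Frame Length"
        "capture_len": caplen,           # what Wireshark shows as "Capture Length"
        "ip_total_len": ip_total_len,
        "seq": seq,
        "next_seq": (seq + segment_len) & 0xFFFFFFFF,
        "next_seq_wrong": (seq + captured_payload) & 0xFFFFFFFF,
        "payload_truncated": captured_payload < segment_len,
    }


def parse_pcap(blob):
    """Walk the pcap records and analyse each one."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off < len(blob):
        _, _, caplen, origlen = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + caplen]
        off += caplen
        yield analyse(data, caplen, origlen)


def demo(snaplen=128):
    """Two back-to-back 1460-byte segments of one flow, captured with snaplen."""
    frames = [build_tcp_frame(1000, 1460, snaplen),
              build_tcp_frame(1000 + 1460, 1460, snaplen)]
    return list(parse_pcap(build_pcap(frames, snaplen)))


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

With snaplen 128 each record reports Frame Length 1514 and Capture Length 128, exactly the pair of values Guy asks Perry to check. The second segment's sequence number equals the first segment's `next_seq` computed from the IP total length, so a dissector using that value sees a contiguous stream; one that used `next_seq_wrong` (captured length) would flag a gap of 1386 bytes and report a missing previous segment. If the file instead showed Frame Length 128, the capture tool failed to record the true length, which is the other possibility Guy raises.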

