Wireshark mailing list archives

Re: tcpdump with snaplen set to 128


From: Perry Smith <pedzsan () gmail com>
Date: Mon, 15 Oct 2012 18:01:38 -0500


On Oct 15, 2012, at 3:42 PM, Guy Harris wrote:


> On Oct 15, 2012, at 12:54 PM, Perry Smith <pedzsan () gmail com> wrote:
>
>> With a fairly simple ftp trace where we capture only the first 128 bytes of data, wireshark displays that it did not
>> see the previous segment.  The IP header says that it is a 1500 byte packet.  Wireshark is using the capture length
>> of 128 instead of the real packet length.  e.g. the next sequence is the current sequence plus the captured length,
>> not the IP packet length.
>
> If by "sequence" you mean TCP sequence number, and the actual packet length as recorded in the file is more than 128
> bytes, that would *absolutely* be a Wireshark bug - the captured length should be used in as few places as possible;
> it should *only* be used to check whether particular packet data is actually available in the captured data, it
> should *never* be used as an indication of how much data there actually *is*.
>
> However, I'm not seeing that in a tcpdump capture I did with a snapshot length of 128; in the Frame section of the
> 1500-byte IP datagram, what do the "Frame Length" and "Capture Length" fields say?  "Frame Length" *should* say 1514
> (I'm assuming from the "1500" that this is IP-over-Ethernet, with a 14-byte Ethernet header); if it's only 128, the
> file wasn't recorded correctly (or was recorded by software that, for some reason, wasn't able to get the packet's
> actual length).

Yes.  "sequence" referred to the TCP sequence number.

Hmm...  odd... I see what you are saying.

Frame Length and Capture Length both say 128 bytes.

This was a 1500 byte packet with ethernet header (no vlan tag) -- so probably 1514.  The very first line essentially
repeats these values too.  I noticed it but didn't put 2 and 2 together.  "128 bytes on the wire (1024 bits), 128 bytes
captured (1024 bits)"

Let me ask the person who captured it how he did it and see where that takes us.  This has happened more than once but
may have used the same tools to capture the trace.

Back on my original question: would you say that since the Frame Length is bogus, wireshark is doing as well as
expected?

Thank you very much for your time,
Perry Smith
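One check a practitioner could run on such a trace, as an added example that is not code from the thread, from Wireshark or from tcpdump: parse the classic pcap records directly and compare each record's recorded original length against what the IPv4 Total Length field implies (IP total length plus the 14-byte Ethernet header), flagging frames whose "Frame Length" was written as the snapshot length. The pcap bytes and frames are constructed inline; the 128-byte truncation and 1500-byte IP datagram mirror the figures discussed above.

```python
import struct

PCAP_MAGIC_LE = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond pcap magics

def build_pcap(records, snaplen=128):
    """Assemble a classic little-endian pcap file (LINKTYPE_ETHERNET = 1) from
    (incl_len, orig_len, data) tuples. Constructed test data, not a real trace."""
    hdr = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b''.join(struct.pack('<IIII', 0, 0, incl, orig) + data
                    for incl, orig, data in records)
    return hdr + body

def make_frame(ip_total_len, snap=128):
    """Constructed Ethernet + IPv4 frame truncated to snap bytes: a 14-byte
    Ethernet header (EtherType 0x0800) followed by a 20-byte IPv4 header whose
    Total Length field claims ip_total_len bytes, then filler payload."""
    eth = b'\x00' * 12 + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     b'\x0a\x00\x00\x01', b'\x0a\x00\x00\x02')
    frame = eth + ip + b'\x00' * (ip_total_len - 20)
    return frame[:snap]

def check_frame_lengths(pcap_bytes):
    """Return (index, incl_len, orig_len, implied_len) for every record whose
    recorded original length is smaller than the length implied by the IPv4
    Total Length field. Those records carry a bogus Frame Length: the capture
    tool wrote the snapshot length where the on-the-wire length belongs."""
    magic, = struct.unpack_from('<I', pcap_bytes, 0)
    endian = '<' if magic in PCAP_MAGIC_LE else '>'
    off, idx, bogus = 24, 0, []
    while off + 16 <= len(pcap_bytes):
        _, _, incl, orig = struct.unpack_from(endian + 'IIII', pcap_bytes, off)
        data = pcap_bytes[off + 16: off + 16 + incl]
        off += 16 + incl
        # Only look at frames that keep at least Ethernet + IPv4 header bytes
        if len(data) >= 34 and data[12:14] == b'\x08\x00':
            ip_len = struct.unpack_from('!H', data, 16)[0]
            implied = ip_len + 14
            if orig < implied:
                bogus.append((idx, incl, orig, implied))
        idx += 1
    return bogus

if __name__ == '__main__':
    # Record 0: correctly recorded (128 captured of 1514 on the wire).
    # Record 1: the defect seen in the thread, orig_len written as 128.
    sample = build_pcap([(128, 1514, make_frame(1500)),
                         (128, 128, make_frame(1500))])
    for idx, incl, orig, implied in check_frame_lengths(sample):
        print(f"record {idx}: caplen={incl} framelen={orig} but IP implies {implied}")
```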
