Wireshark mailing list archives
Re: “bytes on wire” vs. “bytes captured”
From: Guy Harris <guy () alum mit edu>
Date: Fri, 19 Jul 2019 09:48:18 -0700
On Jul 19, 2019, at 9:30 AM, Jasper Bongertz <jasper () packet-foo com> wrote:
so if I get this right you expect to end up with a frame where length of the original content is less than what ends up in the pcap because meta data is added? This usually happens by adding a trailer to the Ethernet frame,
Not necessarily. See the examples I gave, in which case it's done by adding a header to the frame.
If you have a capture device that wants to write additional detail about a frame to the capture file you should choose pcapng instead.
Or choose a different link-layer header type, which works with pcap or pcapng, as per the examples I gave. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- “bytes on wire” vs. “bytes captured” Holger Pfrommer (Jul 19)
- Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured” Jasper Bongertz (Jul 19)
- Re: “bytes on wire” vs. “bytes captured” Guy Harris (Jul 19)
- Re: “bytes on wire” vs. “bytes captured” Stephen Donnelly (Jul 21)
- Re: “bytes on wire” vs. “bytes captured” Holger Pfrommer (Jul 22)
- Re: “bytes on wire” vs. “bytes captured” Guy Harris (Jul 22)
- Re: “bytes on wire” vs. “bytes captured” Guy Harris (Jul 19)
- Re: [Wireshark-dev] “bytes on wire” vs. “bytes captured” Jasper Bongertz (Jul 19)