[pcap-ng-format] The captured length of an SBP packet must take into account the packet length
Guy Harris
guy at alum.mit.edu
Sat Sep 28 20:33:15 UTC 2013
To quote a comment I just checked into the pcap-ng support code in Wireshark, the captured length of a packet in an SPB must be the minimum of:
the number of bytes available for packet data in the block (it obviously can't be greater than that);
the snapshot length from the IDB (which should limit the length of all packets);
the packet length (you can't capture bytes that aren't there).
The first of the three values will always be a multiple of 4 in a valid pcap-ng file, so there needs to be *some* way to eliminate padding. The second value will do so if the snapshot length is less than the amount of bytes available for packet data, but not if it's greater; the third value will do so if the packet length is less than the amount of bytes available for packet data, but not if it's greater. Therefore, we need to do both checks.
The spec speaks of the snapshot length, but not the packet length. If we're not going to get rid of the SPB, we should update the spec to mention this.
More information about the pcap-ng-format
mailing list