[pcap-ng-format] What if a packet block has more packet data than specified by the SnapLen?

Guy Harris guy at alum.mit.edu
Tue May 20 19:39:40 UTC 2014


The spec currently says, in the section on the IDB:

	• SnapLen: maximum number of bytes dumped from each packet. The portion of each packet that exceeds this value will not be stored in the file. A value of zero indicates no limit.

and in the section on the EPB:

	• Captured Len: number of bytes captured from the packet (i.e. the length of the Packet Data field). It will be the minimum value among the actual Packet Length and the snapshot length (defined in Figure 9). The value of this field does not include the padding bytes added at the end of the Packet Data field to align the Packet Data Field to a 32-bit boundary.

What happens if you have a file in which Captured Len, in an EPB or PB, is greater than SnapLen for the interface on which the packet was captured?  Should Captured Len override SnapLen, with the packet being processed, so that SnapLen is informative (and possibly mis-informative), or should the block be treated as invalid and not processed?
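The condition asked about above, as an added example that is not part of the original post or of any pcapng implementation: a small little-endian-only scanner that reports each EPB whose Captured Len exceeds the SnapLen of its interface. It separately reports a Captured Len larger than the bytes actually present in the block, which a reader cannot process whichever way the SnapLen question is answered. The function names, the sample file and the choice to skip the obsolete PB are assumptions of this example.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6

def block(btype, body):
    """Frame a body as a little-endian pcapng block, padded to 32 bits."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(iface, caplen, data):
    # Enhanced Packet Block; caplen is set independently of len(data).
    return block(EPB, struct.pack("<IIIII", iface, 0, 0, caplen, caplen) + data)

def check_snaplen(buf):
    """Return (block_index, iface, caplen, snaplen, reason) per suspect EPB."""
    snaplens, findings, off, idx = [], [], 0, 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length at offset {off}")
        body = buf[off + 8 : off + total - 4]
        if btype == SHB:
            if struct.unpack_from("<I", body)[0] != 0x1A2B3C4D:
                raise ValueError("example handles little-endian sections only")
            snaplens = []                      # interface IDs restart per section
        elif btype == IDB:                     # LinkType, Reserved, SnapLen
            snaplens.append(struct.unpack_from("<HHI", body)[2])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from("<IIIII", body)
            if caplen > len(body) - 20:        # more than the block can hold
                findings.append((idx, iface, caplen, None, "caplen overruns block"))
            elif iface >= len(snaplens):
                findings.append((idx, iface, caplen, None, "unknown interface"))
            elif 0 < snaplens[iface] < caplen: # SnapLen 0 means no limit
                findings.append((idx, iface, caplen, snaplens[iface], "caplen > snaplen"))
        off, idx = off + total, idx + 1
    return findings

# Constructed sample: two interfaces (SnapLen 64 and 0) and four EPBs.
SAMPLE = b"".join([
    block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)),
    block(IDB, struct.pack("<HHI", 1, 0, 64)),
    block(IDB, struct.pack("<HHI", 1, 0, 0)),
    epb(0, 60, bytes(60)),     # within SnapLen
    epb(0, 100, bytes(100)),   # the case asked about: 100 > 64
    epb(1, 100, bytes(100)),   # SnapLen 0, no limit
    epb(0, 4000, bytes(8)),    # Captured Len larger than the block itself
])
```

Calling `check_snaplen(SAMPLE)` returns one finding for the fifth block (Captured Len 100 against SnapLen 64) and one for the last block (Captured Len 4000 in a block holding 8 data bytes).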

