[pcap-ng-format] Issue #35: Is it legal for an EPB capture length value to be different than snaplen/origlen?

Hadriel Kaplan the.real.hadriel at gmail.com
Sat Aug 29 14:52:29 UTC 2015


Currently the draft says this for EPB's (and the deprecated Packet
Block) Capture Length field:

"Captured Packet Length: number of bytes captured from the packet
(i.e. the length of the Packet Data field). It will be the minimum
value among the Original Packet Length and the snapshot length for the
interface (SnapLen, defined in Figure 10)."

So does this mean it MUST be MIN(SnapLen, Original Packet Length), and
cannot be more or less than it? (unless SnapLen is 0 obviously)

I ask because Wireshark currently just uses the Capture Length value,
ignoring the SnapLen and Original Packet Length. I had thought this
was just a bug in Wireshark, but I'm not sure it is. One could argue
that the IDB's SnapLen should only apply to the capture length of
Simple Packet Blocks.

-hadriel
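
The relationship quoted above can be checked mechanically over a capture file. The following is an added example, not part of the original message and not Wireshark's code: it reports every EPB whose Captured Packet Length differs from MIN(SnapLen, Original Packet Length). It assumes a little-endian file and treats SnapLen 0 as "no limit"; the helper names (block, epb, check_epbs) and the sample bytes are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def block(btype, body):
    """Wrap a body in pcapng block framing (little-endian, padded to 32 bits)."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(if_id, caplen, origlen, data):
    """Build an EPB: interface ID, zero timestamp, caplen, origlen, packet data."""
    return block(EPB, struct.pack("<IIIII", if_id, 0, 0, caplen, origlen) + data)

def check_epbs(buf):
    """Return (epb_index, caplen, expected) for each EPB whose Captured Packet
    Length is not min(SnapLen, Original Packet Length)."""
    snaplens, findings, off, n = [], [], 0, 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        body = buf[off + 8 : off + total - 4]
        if btype == SHB:
            snaplens = []  # interface IDs are scoped to the section
        elif btype == IDB:
            snaplens.append(struct.unpack_from("<I", body, 4)[0])
        elif btype == EPB:
            if_id, _, _, caplen, origlen = struct.unpack_from("<IIIII", body, 0)
            if if_id >= len(snaplens):
                raise ValueError(f"EPB {n} references unknown interface {if_id}")
            if caplen > len(body) - 20:
                # Never trust caplen beyond the bytes the block actually holds.
                raise ValueError(f"EPB {n} caplen {caplen} exceeds block body")
            snap = snaplens[if_id]
            expected = origlen if snap == 0 else min(snap, origlen)
            if caplen != expected:
                findings.append((n, caplen, expected))
            n += 1
        off += total
    return findings

# Constructed sample: one interface with SnapLen 64 and three EPBs.
SAMPLE = (
    block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    + block(IDB, struct.pack("<HHI", 1, 0, 64))
    + epb(0, 60, 60, b"\xaa" * 60)       # caplen == min(64, 60)
    + epb(0, 64, 1500, b"\xbb" * 64)     # caplen == min(64, 1500)
    + epb(0, 100, 1500, b"\xcc" * 100)   # caplen above the interface SnapLen
)
```

Whatever the answer to the question, a reader has to bound Captured Packet Length by the bytes actually present in the block, which is the one check here that raises instead of merely reporting.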

