billybob2

Reputation: 701

Seeing Wireshark Packets that are smaller than they should be

When trying to parse .pcap files from Wireshark, collecting TCP packets, I am attempting to parse these files using the information listed here: https://wiki.wireshark.org/Development/LibpcapFileFormat

The TCP packets being sent across have a parameter stating the size of the packet. However, often this size is greater than the size in the Wireshark packet header that is set on top of each packet. However, these packet sizes are much less than the snaplen in the global packet header (which, if I understand correctly, is the largest a captured packet could be).

Is there a property of TCP I am not seeing? I don't understand how Wireshark could be capturing less than the packet size itself.

Upvotes: 0

Views: 260

Answers (1)

Christopher Maynard

Reputation: 6284

I am going to guess that you are capturing packets on a particular host (Host B in this example: https://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_on_the_machine_you.27re_interested_in), and it is some of those packets transmitted from Host B that are smaller in size than you expect. Assuming this is the case, it is because Wireshark is handed packets by the capture mechanism before any necessary padding is added by the controller due to hardware offloading.

For further reading, I direct you to Jasper Bongertz's blog post, The drawbacks of local packet captures.

Upvotes: 2
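To make the question and the answer concrete, here is an added example (not code from either poster) that walks a classic pcap file record by record, using the libpcap file format the question links to, and compares the pcap `incl_len`/`orig_len` fields against the IP total length the packet itself claims and against the 60-byte Ethernet minimum. The two frames inside it are constructed: one whose IP total length matches the 54 bytes captured, and one that claims 1500 bytes of IP while only 54 bytes reached the capture, as happens when the NIC still has to pad or segment the frame after Wireshark has already been handed it.

```python
import struct

GLOBAL_FMT = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"      # ts_sec, ts_usec, incl_len (bytes in file), orig_len (bytes on wire)
LINKTYPE_ETHERNET = 1
ETH_MIN_FRAME = 60       # minimum Ethernet frame without FCS; the NIC pads to this on the wire

def parse_pcap(data: bytes) -> list:
    """Per record: pcap lengths, snaplen truncation, and how the frame compares to its IP header."""
    if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4:
        e = "<"                                   # file written on a little-endian host
    elif struct.unpack(">I", data[:4])[0] == 0xA1B2C3D4:
        e = ">"                                   # file written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    gh, rh = struct.Struct(e + GLOBAL_FMT), struct.Struct(e + RECORD_FMT)
    _, _, _, _, _, snaplen, linktype = gh.unpack_from(data, 0)
    off, records = gh.size, []
    while off + rh.size <= len(data):
        _, _, incl_len, orig_len = rh.unpack_from(data, off)
        frame = data[off + rh.size: off + rh.size + incl_len]
        off += rh.size + incl_len
        rec = {"incl_len": incl_len, "orig_len": orig_len,
               "cut_by_snaplen": incl_len < orig_len,          # pcap itself truncated it
               "below_eth_minimum": orig_len < ETH_MIN_FRAME,  # captured before NIC padding
               "ip_total_len": None, "shorter_than_ip_claims": False}
        # Ethernet + IPv4: bytes 16-17 of the frame are the IP total length the sender claims.
        if linktype == LINKTYPE_ETHERNET and incl_len >= 34 and frame[12:14] == b"\x08\x00":
            ip_total = struct.unpack("!H", frame[16:18])[0]
            rec["ip_total_len"] = ip_total
            rec["shorter_than_ip_claims"] = incl_len < 14 + ip_total
        records.append(rec)
    return records

def _frame(ip_total_len: int) -> bytes:
    """Constructed 54-byte Ethernet/IPv4/TCP frame (no payload) with a chosen IP total length."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp

def build_sample_pcap(endian: str = "<", snaplen: int = 65535) -> bytes:
    """Constructed pcap with two records, both stored in full (incl_len == orig_len)."""
    out = struct.pack(endian + GLOBAL_FMT, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, f in enumerate([_frame(40), _frame(1500)]):
        out += struct.pack(endian + RECORD_FMT, ts, 0, len(f), len(f)) + f
    return out
```

Running `parse_pcap(build_sample_pcap())` flags the first record only as below the Ethernet minimum (no padding yet) and the second as shorter than its own IP total length, while neither was truncated by snaplen; that is the pattern the question describes.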
