Reputation: 701
Seeing Wireshark Packets that are smaller than they should be
When trying to parse .pcap files from wireshark, collecting TCP packets. I am attempting to parse these files using the information listed here: https://wiki.wireshark.org/Development/LibpcapFileFormat
The TCP packets being sent accross have a paramerater state the size of the packet. However, often this size is greater than the wireshark packet header is set on top of each packet. However these packet sizes are much less then the snap len global packet header (which if I understand is the greatest a packet captured could be).
Is there a property of TCP I am not seeing? I don't understand how wireshark could be capturing less than the packet size itself.
Upvotes: 0
Views: 260
Answers (1)
Reputation: 6284
I am going to guess that you are capturing packets on a particular host (Host B in this example: https://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_on_the_machine_you.27re_interested_in), and it is some of those packets transmitted from Host B that are smaller in size than you expect. Assuming this is the case, it is because Wireshark is handed packets by the capture mechanism before any necessary padding is added by the controller due to hardware offloading.
For further reading, I direct you to Jasper Bongertz's blog post, The drawbacks of local packet captures.
Upvotes: 2
Related Questions
- Wireshark Displayed Packets
- tcpdump / wireshark capturing problems
- TCP client receives packet sizes different than the server sends
- Bogus TCP Header Length When Examining Packets in Tshark
- Strange Wireshark behaviour (A single packet labeled both TCP and UDP)
- Why is my program reporting more captured packets than Wireshark?
- Wireshark and length of data
- Tcp packet of 60 bytes sent with no data
- wireshark and tcpdump -r: strange tcp window sizes
- Why are TCP messages in my PC coming in frames of 590 bytes