Reputation: 701
I am trying to parse .pcap files from Wireshark that collect TCP packets. I am attempting to parse these files using the information listed here: https://wiki.wireshark.org/Development/LibpcapFileFormat
The TCP packets being sent across have a parameter stating the size of the packet. However, often this size is greater than the Wireshark packet header set on top of each packet. These packet sizes are much less than the snap len in the global packet header (which, if I understand correctly, is the largest a captured packet could be).
Is there a property of TCP I am not seeing? I don't understand how Wireshark could be capturing less than the packet size itself.
Upvotes: 0
Views: 260
Reputation: 6284
I am going to guess that you are capturing packets on a particular host (Host B in this example: https://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_on_the_machine_you.27re_interested_in), and it is some of those packets transmitted from Host B that are smaller in size than you expect. Assuming this is the case, it is because Wireshark is handed packets by the capture mechanism before any necessary padding is added by the controller due to hardware offloading.
For further reading, I direct you to Jasper Bongertz's blog post, The drawbacks of local packet captures.
Upvotes: 2
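As an added illustration of both the question (walking the libpcap file format) and the answer (packets recorded shorter than their own length fields), here is a small parser that reads the global header and each record header, then compares the three lengths involved: `incl_len` (bytes saved in the file), `orig_len` (bytes the capture mechanism reported), and the length the IPv4 header inside the frame claims. It is example code written for this page, not Wireshark or libpcap code. It assumes untagged Ethernet without a trailing FCS; the sample capture it inspects is constructed in memory with placeholder MAC and IP addresses, and the "offload-style" record imitates what the answer describes (the IP layer announces more bytes than the capture ever saw).

```python
"""Walk a classic libpcap file record by record and explain length mismatches."""
import struct
from dataclasses import dataclass, field
from typing import Optional

LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14           # dst MAC + src MAC + EtherType
ETH_MIN_FRAME_NO_FCS = 60  # 64-byte wire minimum minus the 4-byte FCS the NIC strips
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Record:
    index: int
    incl_len: int               # bytes saved in the file (capped by snaplen)
    orig_len: int               # bytes the capture mechanism reported seeing
    ip_claimed: Optional[int]   # ETH_HDR_LEN + IPv4 total length, if decodable
    findings: list = field(default_factory=list)


def ipv4_claimed_frame_len(data: bytes, linktype: int) -> Optional[int]:
    """Frame length the IPv4 header announces (assumes untagged Ethernet, no FCS)."""
    if linktype != LINKTYPE_ETHERNET or len(data) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", data, 12)[0] != ETHERTYPE_IPV4:
        return None
    total_len = struct.unpack_from("!H", data, ETH_HDR_LEN + 2)[0]
    return ETH_HDR_LEN + total_len


def parse_pcap(blob: bytes):
    """Return (snaplen, linktype, records) for a classic pcap blob in either byte order."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):     # usec / nsec magic, same byte order as this host
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # written on a host of the opposite byte order
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file: magic {magic:#010x}")
    ghdr = struct.Struct(endian + "IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
    rhdr = struct.Struct(endian + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    _, _, _, _, _, snaplen, linktype = ghdr.unpack_from(blob, 0)
    off, records = ghdr.size, []
    while off < len(blob):
        if off + rhdr.size > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        _, _, incl_len, orig_len = rhdr.unpack_from(blob, off)
        off += rhdr.size
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record {len(records) + 1}: incl_len {incl_len} exceeds snaplen or orig_len")
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"record {len(records) + 1}: file ends inside packet data")
        off += incl_len
        rec = Record(len(records) + 1, incl_len, orig_len, ipv4_claimed_frame_len(data, linktype))
        if incl_len < orig_len:
            rec.findings.append("SNAPLEN_TRUNCATED")  # the only case where the file itself cut the packet
        if rec.ip_claimed is not None and rec.ip_claimed > orig_len:
            rec.findings.append("IP_CLAIMS_MORE")     # capture saw fewer bytes than the IP layer announced
        if linktype == LINKTYPE_ETHERNET and orig_len < ETH_MIN_FRAME_NO_FCS:
            rec.findings.append("BELOW_ETH_MIN")      # handed over before the NIC padded it to the minimum
        records.append(rec)
    return snaplen, linktype, records


def build_frame(ip_total_len: int, payload_len: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since only lengths are inspected."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def build_sample_pcap(snaplen: int = 96) -> bytes:
    """Constructed little-endian pcap with three records that exercise each length relationship."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)

    def rec(frame: bytes, ts: int) -> bytes:
        saved = frame[:snaplen]
        return struct.pack("<IIII", ts, 0, len(saved), len(frame)) + saved

    return (ghdr
            + rec(build_frame(40, 0), 1)         # plain ACK: all three lengths agree
            + rec(build_frame(1500, 0), 2)       # offload-style: IP says 1514 bytes, only 54 present
            + rec(build_frame(1500, 1460), 3))   # full-size frame cut to snaplen by the capture


def explain(blob: bytes) -> list:
    """One human-readable line per record."""
    snaplen, _, records = parse_pcap(blob)
    return [f"#{r.index}: saved {r.incl_len}/{r.orig_len} bytes, IP claims {r.ip_claimed}, "
            f"snaplen {snaplen}: {', '.join(r.findings) or 'OK'}" for r in records]


if __name__ == "__main__":
    for line in explain(build_sample_pcap()):
        print(line)
```

Running it on the constructed capture shows the distinction the answer draws: only the third record is cut by the file format itself (`incl_len` below `orig_len`, capped at the snaplen), while the second record has `incl_len == orig_len` and is still shorter than its IPv4 total length says it should be, which is what a local capture looks like when the kernel hands the packet over before the NIC finishes it. To inspect a real file, replace `build_sample_pcap()` with `open(path, "rb").read()`.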