Mark

Reputation: 6484

How does Wireshark calculate the number of short frames?

Statistics->Protocol Hierarchy shows various statistics, including short frame counts. How does Wireshark count this, and what does it consider as short frames? Is it the same as packets that were intentionally truncated during capturing? (In this case the caplen field of struct pcap_pkthdr would be less than len, which is the IP payload size.)

However, when I implemented a simple application (using libpcap) to read the pcap and counted that way (caplen vs. len), my numbers are slightly higher than what Wireshark reports.

Wireshark version 2.2.6; the capture contains TLS, i.e. over TCP. The Wireshark Protocol Hierarchy menu reports 15240 SSL packets, and 13640 short frames out of these 15240.

Upvotes: 1

Views: 426

Answers (1)

Vasil Velichkov

Reputation: 1324

> How does Wireshark count this, and what does it consider as short frames?

When Wireshark catches a BoundsError or ScsiBoundsError exception, it marks the frame as a short frame.

From epan/show_exception.c:41

        proto_short = proto_register_protocol("Short Frame", "Short frame", "_ws.short");

From epan/show_exception.c:81-104

        case BoundsError:
        {
                gboolean display_info = TRUE;

                ....................................

                if (display_info)
                        col_append_str(pinfo->cinfo, COL_INFO, "[Packet size limited during capture]");
                proto_tree_add_protocol_format(tree, proto_short, tvb, 0, 0,
                                "[Packet size limited during capture: %s truncated]", pinfo->current_proto);
                /* Don't record BoundsError exceptions as expert events - they merely
                 * reflect a capture done with a snapshot length too short to capture
                 * all of the packet
                 * (any case where it's caused by something else is a bug). */
        }

> Is it the same as packets that were intentionally truncated during capturing?

Yes, it should be. But I would say that a small difference is possible, as Wireshark does not count the short frames directly the way you do in your application; the count depends on exceptions that may not be thrown because of some bugs.

> (In this case the caplen field of struct pcap_pkthdr would be less than len, which is the IP payload size.)

Correct.

> However, when I implemented a simple application (using libpcap) to read the pcap and counted that way (caplen vs. len), my numbers are slightly higher than what Wireshark reports.

It's either a bug in Wireshark or in your code. You can use the _ws.short filter to view all short frames in Wireshark and then try to find a frame that your app detects as short but Wireshark does not.

> Wireshark version 2.2.6; the capture contains TLS, i.e. over TCP.

Your version is a bit outdated. The latest version is 3.2.1, so consider upgrading, or at least test with both versions.

Upvotes: 1
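The counting method the question describes (caplen < len per record) and the comparison the answer suggests (against the frames matched by Wireshark's `_ws.short` filter) can be done with a small stand-alone script. The following is an added example, not code from Wireshark, libpcap or either poster; it parses the classic pcap record headers itself instead of calling libpcap, handles both file byte orders and both timestamp magics, and reports 1-based frame numbers so the output lines up with Wireshark's frame list. The capture it runs on by default is constructed inline; the snaplen, frame lengths and dummy bytes are invented for the demonstration.

```python
"""Count short (truncated) frames in a classic pcap file.

Added example, not code from Wireshark or libpcap. A record is "short" under
the question's criterion when its captured length (caplen / incl_len) is
smaller than its original on-the-wire length (len / orig_len).
"""
import struct
import sys

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len (caplen), orig_len (len)

# Magic as read little-endian from the first 4 bytes -> (struct byte order, timestamp unit)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "us"),  # file written little-endian, microsecond timestamps
    0xD4C3B2A1: (">", "us"),  # file written big-endian, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),  # big-endian, nanosecond timestamps
}


def count_short_frames(data):
    """Parse a pcap blob and return (total_frames, short_frame_numbers, snaplen).

    short_frame_numbers is the 1-based list of records whose caplen is smaller
    than their original length. Malformed input raises ValueError instead of
    being silently miscounted.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x); pcapng is not handled here" % magic)
    endian, _unit = PCAP_MAGICS[magic]
    _magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR_LEN])

    offset = GLOBAL_HDR_LEN
    frame_no = 0
    short_frames = []
    while offset < len(data):
        if offset + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _ts_sec, _ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        offset += RECORD_HDR_LEN
        frame_no += 1
        if caplen > snaplen:
            raise ValueError("frame %d: caplen %d exceeds snaplen %d" % (frame_no, caplen, snaplen))
        if offset + caplen > len(data):
            raise ValueError("frame %d: packet bytes run past end of file" % frame_no)
        if caplen < origlen:          # the question's criterion: captured < on-the-wire
            short_frames.append(frame_no)
        offset += caplen              # the packet bytes themselves do not affect the count
    return frame_no, short_frames, snaplen


def count_short_frames_in_file(path):
    """Convenience wrapper for a real capture on disk."""
    with open(path, "rb") as fh:
        return count_short_frames(fh.read())


def build_sample_pcap(snaplen=96, endian="<"):
    """Constructed sample capture (not from any real trace): four Ethernet
    frames recorded with the given snaplen. Frames 2 and 4 are longer than
    snaplen and therefore truncated; frame 3 is exactly snaplen bytes and is
    not short, because caplen == len."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, wire_len in enumerate([60, 1514, 96, 500]):
        caplen = min(wire_len, snaplen)
        body += struct.pack(endian + "IIII", 1_600_000_000 + i, 0, caplen, wire_len)
        body += bytes([0xAA + i]) * caplen   # dummy packet bytes
    return header + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    total, short, snaplen = count_short_frames(blob)
    print("snaplen=%d frames=%d short=%d" % (snaplen, total, len(short)))
    print("short frame numbers (compare with Wireshark filter _ws.short):", short)
```

Run it on the real capture (`python3 short_frames.py capture.pcap`) and diff the printed frame numbers against `tshark -r capture.pcap -Y _ws.short -T fields -e frame.number`; a frame in this list that tshark does not print is exactly the discrepancy the answer suggests hunting for. Note that the script only reads classic pcap, not pcapng, and that the frame-3 case (caplen equal to snaplen with nothing cut off) is the one to watch when reconciling counts, since nothing was lost there even though the frame hit the snapshot length.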
