pcap struct pcap_pkthdr len vs caplen

Question

We\'re sniffing packets using libpcap on linux The header we get on each packet looks like:

struct pcap_pkthdr {
        struct timeval ts;      /* time stamp */         


        

Answer 1

Yes your understanding is right Caplen is always less than Len . Sometimes we dont need to capture the whole packet . But why would'nt you capture the whole packet given a chance ? Because in a heavy network traffic that would'nt be a good idea . Are'nt we actually losing precious data if we dont capture the whole packet that appears on the wire ? No. Actually it depends on your purpose , if you just want to classify packets based on the protocols and the application it is destined to , u just need around 14 bytes( Ethernet ) plus 20 bytes ( Ip ) + plus another 20 ( Tcp ) thus you apparently need only 54 bytes of data to classify packets based on protocols , so a lot of load and time is saved on reducing the processing size from pcappkthdr->len to pcappkthdr->caplen :)

If the headers in the packets are corrupted ( meaning that if the headerlength values are messed up somehow ) then the captured length would be greater than the actual length of the packet .