pcap struct pcap_pkthdr len vs caplen
We\'re sniffing packets using libpcap on linux The header we get on each packet looks like:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
-
Yes your understanding is right Caplen is always less than Len . Sometimes we dont need to capture the whole packet . But why would'nt you capture the whole packet given a chance ? Because in a heavy network traffic that would'nt be a good idea . Are'nt we actually losing precious data if we dont capture the whole packet that appears on the wire ? No. Actually it depends on your purpose , if you just want to classify packets based on the protocols and the application it is destined to , u just need around 14 bytes( Ethernet ) plus 20 bytes ( Ip ) + plus another 20 ( Tcp ) thus you apparently need only 54 bytes of data to classify packets based on protocols , so a lot of load and time is saved on reducing the processing size from pcappkthdr->len to pcappkthdr->caplen :)
If the headers in the packets are corrupted ( meaning that if the headerlength values are messed up somehow ) then the captured length would be greater than the actual length of the packet .
讨论(0) -
Your understanding is correct, at least based on the pcap man page.
caplen is the amount of data available to you in the capture. len was the actual length of the packet.
I'm not aware of any cases that would give you a caplen > len. I usually seem them being equal as my snaplen is sufficiently high.
讨论(0) -
If caplen > len, that's a bug; what version of libpcap are you using?
讨论(0)
加载中...
- 热议问题