On Jul 19, 2019, at 9:30 AM, Jasper Bongertz <jasper@xxxxxxxxxxxxxx> wrote:
> so if I get this right you expect to end up with a frame where length of the original
> content is less than what ends up in the pcap because meta data is added? This
> usually happens by adding a trailer to the Ethernet frame,
Not necessarily. See the examples I gave, in which case it's done by adding a header to the frame.
> If you have a capture device that wants to write additional detail about a frame
> to the capture file you should choose pcapng instead.
Or choose a different link-layer header type, which works with pcap or pcapng, as per the examples I gave.