Wireshark-dev: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 22 Mar 2023 19:35:08 -0700
On Mar 22, 2023, at 11:40 AM, Duy Khanh Pham via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:

> My case for this request is when doing network data capturing with a capture card. The capture card always sets the capture length to a multiple of 4 due to a performance requirement.
>  
> As a result, the real length will always be less than or equal to the set captured length.

What do you mean here by "capture length"?

In the record header of packet records in pcap files:

	https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcap.html#name-packet-record

the two length fields are defined as follows:

	Captured Packet Length (32 bits):
		an unsigned value that indicates the number of octets captured from the packet (i.e. the length of the Packet Data field). It will be the minimum value among the Original Packet Length and the snapshot length for the interface (SnapLen, defined in Figure 1).

	Original Packet Length (32 bits):
		an unsigned value that indicates the actual length of the packet when it was transmitted on the network. It can be different from the Captured Packet Length if the packet has been truncated by the capture process; it SHOULD NOT be less than the Captured Packet Length.

		A pcap file writer MAY write an Original Packet Length that is less than the Captured Packet Length if both the Captured Packet Length and the Original Packet length came from a file in which a packet had an Original Packet Length less than the Captured Packet Length; otherwise, it MUST write an Original Packet Length that is greater than or equal to the Captured Packet Length.

		A pcap file reader MAY convert an Original Packet Length that is less than the Captured Packet Length to a value that is greater than or equal to the Captured Packet Length.

and, in the block header of Enhanced Packet Blocks in pcapng files:

	https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#name-enhanced-packet-block

they are defined as follows:

	* Captured Packet Length (32 bits): an unsigned value that indicates the number of octets captured from the packet (i.e. the length of the Packet Data field). It will be the minimum value among the Original Packet Length and the snapshot length for the interface (SnapLen, defined in Figure 10). The value of this field does not include the padding octets added at the end of the Packet Data field to align the Packet Data field to a 32-bit boundary.

	* Original Packet Length (32 bits): an unsigned value that indicates the actual length of the packet when it was transmitted on the network. It can be different from the Captured Packet Length if the packet has been truncated by the capture process; it SHOULD NOT be less than the Captured Packet Length.

	A pcapng file writer MAY write an Original Packet Length that is less than the Captured Packet Length if both the Captured Packet Length and the Original Packet length came from a file in which a packet had an Original Packet Length less than the Captured Packet Length; otherwise, it MUST write an Original Packet Length that is greater than or equal to the Captured Packet Length.

	A pcapng file reader MAY convert an Original Packet Length that is less than the Captured Packet Length to a value that is greater than or equal to the Captured Packet Length.

Unless the capture card is slicing packets, both the "captured length" and the "real length" should have the *exact same value*, which should reflect the number of bytes worth of packet data, *not* including any padding added by the capture card.  In addition, the padding should *not* be written to the capture file.

So what does the "capture length" refer to for your capture card?
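
The length relationship quoted from the pcap draft above can be checked mechanically; the following is an added example, not part of the original message and not Wireshark code. It walks the packet records of a classic pcap file and classifies each one by comparing Captured Packet Length with Original Packet Length. The function names and the sample capture are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(records, snaplen=65535, linktype=1):
    """Constructed sample input: records is a list of (orig_len, data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, (orig_len, data) in enumerate(records):
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", i, 0, len(data), orig_len) + data
    return out

def check_lengths(blob):
    """Return (index, caplen, orig_len, verdict) for every packet record."""
    if struct.unpack_from("<I", blob, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", blob, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    offset, index, results = 24, 0, []      # 24-byte file header
    while offset + 16 <= len(blob):
        _, _, caplen, orig_len = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        if offset + caplen > len(blob):
            results.append((index, caplen, orig_len, "truncated-file"))
            break
        if orig_len < caplen:
            verdict = "orig<cap"   # the case the draft says SHOULD NOT occur
        elif caplen < orig_len:
            verdict = "sliced"     # packet cut short by the capture process
        else:
            verdict = "ok"         # both fields carry the same value
        results.append((index, caplen, orig_len, verdict))
        offset += caplen
        index += 1
    return results

def normalize_orig_len(caplen, orig_len):
    """Reader-side conversion the draft permits (MAY): orig_len >= caplen."""
    return max(caplen, orig_len)

# Constructed sample: a correct 61-byte record, the same frame written with
# 3 padding bytes counted in the captured length, and a sliced 1500-byte frame.
SAMPLE = build_pcap([(61, b"\x00" * 61), (61, b"\x00" * 64), (1500, b"\x00" * 96)])

if __name__ == "__main__":
    for row in check_lengths(SAMPLE):
        print(row)
```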