Wireshark-dev: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 29 Mar 2023 11:23:11 -0700
On Mar 29, 2023, at 10:10 AM, Duy Khanh Pham <khanh@xxxxxxxxxxxxxxx> wrote:

> From your article, I understand that the Captured Packet Length is the Frame Length/Length on wire/real length and Original Packet Length is the "Capture Length/captured length" in the attached picture.
> 
> My issue is that the capture card in our system always writes packets with "Original Packet Length" bigger than or equal to the "Captured Packet Length" (attached example pcap file). In your article, "Original Packet Length" can be greater than "Captured Packet Length", so I don't think that is an error from my capture card.

Did you mean to say "Original Packet Length" when you said "Captured Packet Length" and to say "Captured Packet Length" when you said "Original Packet Length"?

The Internet Draft in question says that the "Original Packet Length" is the frame length/length on wire/real length:

	Original Packet Length (32 bits): an unsigned value that indicates the actual length of the packet when it was transmitted on the network.

and that the "Captured Packet Length" is the number of bytes in the capture:

	Captured Packet Length (32 bits): an unsigned value that indicates the number of octets captured from the packet (i.e. the length of the Packet Data field).

That is the exact *opposite* of

	the Captured Packet Length is the Frame Length/Length on wire/real length and Original Packet Length is the "Capture Length/captured length"
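
The field definitions quoted in the message above, as an added example (not part of the original message and not Wireshark code): a reader that labels each record by comparing Captured Packet Length with Original Packet Length. It assumes the classic pcap layout (24-byte file header; 16-byte record header with Captured Packet Length stored before Original Packet Length); the sample bytes and the verdict labels are constructed for illustration.

```python
import io
import struct

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamps

def classify(captured_len, original_len):
    """Captured = octets stored in the file; Original = octets on the wire."""
    if captured_len == original_len:
        return "complete"
    if captured_len < original_len:
        return "truncated"   # legitimate: packet was cut by the capture process
    return "invalid"         # more octets stored than the packet had on the wire

def check_pcap(data):
    """Return [(record_no, captured_len, original_len, verdict), ...]."""
    stream = io.BytesIO(data)
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("file header is shorter than 24 bytes")
    for endian in "<>":      # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", header[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    results, number = [], 0
    while True:
        record = stream.read(16)
        if len(record) < 16:
            break
        number += 1
        _sec, _frac, captured_len, original_len = struct.unpack(endian + "IIII", record)
        payload = stream.read(captured_len)
        if len(payload) < captured_len:
            # Captured length points past end of file: stop, never trust it further.
            results.append((number, captured_len, original_len, "short read"))
            break
        results.append((number, captured_len, original_len,
                        classify(captured_len, original_len)))
    return results

def build_sample():
    """Constructed capture: one complete, one truncated, one with swapped-looking lengths."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for captured_len, original_len in [(60, 60), (64, 1500), (80, 60)]:
        out += struct.pack("<IIII", 0, 0, captured_len, original_len) + bytes(captured_len)
    return out

if __name__ == "__main__":
    for row in check_pcap(build_sample()):
        print(row)
```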