Wireshark · Wireshark-dev: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length

Wireshark-dev: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length

From: Duy Khanh Pham <khanh@xxxxxxxxxxxxxxx>

Date: Thu, 30 Mar 2023 02:10:11 +0900

Sorry for my late reply,

From your article, I understand that the Captured Packet Length is the Frame Length/Length on wire/real length and Original Packet Length is the "Capture Length/captured length" in the attached picture.

My issue is that the capture card in our system always writes packets with "Original Packet Length" bigger than or equal to the "Captured Packet Length" (attached example pcap file). In your article, "Original Packet Length" can be greater than "Captured Packet Length", so I don't think that is an error from my capture card.

Since Wireshark marks this issue as a malformed error, I think it also leads to incorrect FCS checking.

Please help me correct my understanding if I'm wrong.

Best regards,

Khanh

frame_error.pcap

On Thu, Mar 23, 2023 at 11:35 AM Guy Harris <gharris@xxxxxxxxx> wrote:

On Mar 22, 2023, at 11:40 AM, Duy Khanh Pham via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:

> My case for this request is when doing network data capturing with a capture card. The capture card always sets the capture length to a multiple of 4 due to performance requirement.
>
> As a result, the real length will always be less than or equal to the set captured length.

What do you mean here by "capture length"?

In the record header of packet records in pcap files:

https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcap.html#name-packet-record

the two length fields are defined as follows:

Captured Packet Length (32 bits):
an unsigned value that indicates the number of octets captured from the packet (i.e. the length of the Packet Data field). It will be the minimum value among the Original Packet Length and the snapshot length for the interface (SnapLen, defined in Figure 1).

Original Packet Length (32 bits):
an unsigned value that indicates the actual length of the packet when it was transmitted on the network. It can be different from the Captured Packet Length if the packet has been truncated by the capture process; it SHOULD NOT be less than the Captured Packet Length.

A pcap file writer MAY write an Original Packet Length that is less than the Captured Packet Length if both the Captured Packet Length and the Original Packet length came from a file in which a packet had an Original Packet Length less than the Captured Packet Length; otherwise, it MUST write an Original Packet Length that is greater than or equal to the Captured Packet Length.

A pcap file reader MAY convert an Original Packet Length that is less than the Captured Packet Length to a value that is greater than or equal to the Captured Packet Length.

and, in the block header of Enhanced Packet Blocks in pcapng files:

https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#name-enhanced-packet-block

they are defined as follows:

* Captured Packet Length (32 bits): an unsigned value that indicates the number of octets captured from the packet (i.e. the length of the Packet Data field). It will be the minimum value among the Original Packet Length and the snapshot length for the interface (SnapLen, defined in Figure 10). The value of this field does not include the padding octets added at the end of the Packet Data field to align the Packet Data field to a 32-bit boundary.

* Original Packet Length (32 bits): an unsigned value that indicates the actual length of the packet when it was transmitted on the network. It can be different from the Captured Packet Length if the packet has been truncated by the capture process; it SHOULD NOT be less than the Captured Packet Length.

A pcapng file writer MAY write an Original Packet Length that is less than the Captured Packet Length if both the Captured Packet Length and the Original Packet length came from a file in which a packet had an Original Packet Length less than the Captured Packet Length; otherwise, it MUST write an Original Packet Length that is greater than or equal to the Captured Packet Length.

A pcapng file reader MAY convert an Original Packet Length that is less than the Captured Packet Length to a value that is greater than or equal to the Captured Packet Length.

Unless the capture card is slicing packets should, both the "captured length" and the "real length" should have the *exact same value*, which should reflect the number of bytes worth of packet data, *not* including any padding added by the capture card. In addition, the padding should *not* be written to the capture file.

So what does the "capture length" refer to for your capture card?

Attachment: Screenshot_14.png
Description: PNG image

Follow-Ups:
- Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length
  - From: Guy Harris

References:
- [Wireshark-dev] Option to disable Expert Info for issue with frame length
  - From: Duy Khanh Pham
- Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length
Next by Date: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length
Previous by thread: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length
Next by thread: Re: [Wireshark-dev] Option to disable Expert Info for issue with frame length
Index(es):
- Date
- Thread