Wireshark-users: Re: [Wireshark-users] tcpdump with snaplen set to 128

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 15 Oct 2012 13:42:55 -0700
On Oct 15, 2012, at 12:54 PM, Perry Smith <pedzsan@xxxxxxxxx> wrote:

> With a fairly simple ftp trace where we capture only the first 128 bytes of data, wireshark displays that it did not see the previous segment.  The IP header says that it is a 1500 byte packet.  Wireshark is using the capture length of 128 instead of the real packet length.  e.g. the next sequence is the current sequence plus the captured length, not the IP packet length.

If by "sequence" you mean TCP sequence number, and the actual packet length as recorded in the file is more than 128 bytes, that would *absolutely* be a Wireshark bug - the captured length should be used in as few places as possible; it should *only* be used to check whether particular packet data is actually available in the captured data, it should *never* be used as an indication of how much data there actually *is*.

However, I'm not seeing that in a tcpdump capture I did with a snapshot length of 128; in the Frame section of the 1500-byte IP datagram, what do the "Frame Length" and "Capture Length" fields say?  "Frame Length" *should* say 1514 (I'm assuming from the "1500" that this is IP-over-Ethernet, with a 14-byte Ethernet header); if it's only 128, the file wasn't recorded correctly (or was recorded by software that, for some reason, wasn't able to get the packet's actual length).
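The distinction Guy draws between "Frame Length" (the pcap record's original length) and "Capture Length" (the snaplen-truncated bytes actually stored) can be checked directly in the file. The script below is an added illustration written for this thread, not code from the list post or from Wireshark/tcpdump: it constructs a pcap in memory containing two 1514-byte Ethernet/IPv4/TCP frames truncated to a 128-byte snaplen, reads the per-record headers back, and computes the expected next sequence number from the IP total length (the correct basis) next to the value one would get from the capture length (the bug Perry describes). It also optionally writes a file whose record headers carry the captured length as the original length, which is the "file wasn't recorded correctly" case; `analyse()` flags that as an inconsistency between orig_len and the IP total length plus the 14-byte Ethernet header. All addresses, ports, sequence numbers and timestamps are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet II header, the 1514 - 1500 difference Guy mentions


def build_frame(seq, payload_len):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums left zero)."""
    payload = bytes(payload_len)
    ip_hdr_len, tcp_hdr_len = 20, 20
    total_len = ip_hdr_len + tcp_hdr_len + payload_len
    # IPv4: ver/IHL, TOS, total length, id, flags/frag (DF), TTL, proto 6=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # TCP: sport 20 (ftp-data), dport, seq, ack, data offset 5 words, flags ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 20, 54321, seq, 1, 5 << 4, 0x10, 65535, 0, 0)
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen, faithful_orig_len=True):
    """Return a classic pcap file as bytes, truncating each frame to snaplen as tcpdump -s does.

    With faithful_orig_len=False the record header's orig_len is set to the captured length,
    simulating a writer that could not (or did not) record the real on-the-wire length.
    """
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        orig_len = len(frame) if faithful_orig_len else len(captured)
        # Record header: ts_sec (constructed), ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 1350333775 + i, 0, len(captured), orig_len)
        out += captured
    return out


def read_pcap(data):
    """Yield (incl_len, orig_len, captured_bytes) for every record in a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unexpected pcap magic %#x" % magic)
    off = 24
    while off < len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def analyse(record):
    """Report the two lengths Wireshark shows and the next-seq value computed from each basis."""
    incl_len, orig_len, pkt = record
    ip = pkt[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    ip_total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:]
    seq = struct.unpack_from("!I", tcp, 4)[0]
    data_offset = (tcp[12] >> 4) * 4              # TCP header length in bytes
    segment_len = ip_total_len - ihl - data_offset  # what is really on the wire
    return {
        "seq": seq,
        "frame_length": orig_len,                 # Wireshark's "Frame Length"
        "capture_length": incl_len,               # Wireshark's "Capture Length"
        "truncated": incl_len < orig_len,
        # orig_len must equal Ethernet header + IP total length if the file was recorded correctly
        "frame_length_consistent": orig_len == ETH_HDR_LEN + ip_total_len,
        "next_seq_from_ip": seq + segment_len,
        # Using the captured length instead is the bug described in the thread
        "next_seq_from_caplen_WRONG": seq + (incl_len - ETH_HDR_LEN - ihl - data_offset),
    }


def missing_segments(analyses, basis="next_seq_from_ip"):
    """Indexes of records whose seq does not follow the previous record's expected next seq."""
    return [i for i in range(1, len(analyses)) if analyses[i]["seq"] != analyses[i - 1][basis]]


def analyse_capture(frames, snaplen, faithful_orig_len=True):
    data = write_pcap(frames, snaplen, faithful_orig_len)
    return [analyse(r) for r in read_pcap(data)]


if __name__ == "__main__":
    frames = [build_frame(1000, 1460), build_frame(2460, 1460)]  # back-to-back 1500-byte datagrams
    good = analyse_capture(frames, 128)
    for a in good:
        print(a)
    print("gaps (IP-based):    ", missing_segments(good))
    print("gaps (caplen-based):", missing_segments(good, "next_seq_from_caplen_WRONG"))
    bad = analyse_capture(frames, 128, faithful_orig_len=False)
    print("misrecorded file, Frame Length consistent:", bad[0]["frame_length_consistent"])
```

With a correctly written file, the first record shows Frame Length 1514 and Capture Length 128, and the IP-based computation finds no gap between the two segments, while the capture-length computation claims the second segment's predecessor is missing. If the file was written with orig_len equal to the captured length, `frame_length_consistent` is False, which is the condition Guy asks the original poster to check for in the Frame section.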