Wireshark-users: Re: [Wireshark-users] tcpdump with snaplen set to 128

From: Perry Smith <pedzsan@xxxxxxxxx>
Date: Mon, 15 Oct 2012 18:01:38 -0500
On Oct 15, 2012, at 3:42 PM, Guy Harris wrote:

> 
> On Oct 15, 2012, at 12:54 PM, Perry Smith <pedzsan@xxxxxxxxx> wrote:
> 
>> With a fairly simple ftp trace where we capture only the first 128 bytes of data, wireshark displays that it did not see the previous segment.  The IP header says that it is a 1500 byte packet.  Wireshark is using the capture lengh of 128 instead of the real packet length.  e.g. the next sequence is the current sequence plus the captured length, not the IP packet length.
> 
> If by "sequence" you mean TCP sequence number, and the actual packet length as recorded in the file is more than 128 bytes, that would *absolutely* be a Wireshark bug - the captured length should be used in as few places as possible; it should *only* be used to check whether particular packet data is actually available in the captured data, it should *never* be used as an indication of how much data there actually *is*.
> 
> However, I'm not seeing that in a tcpdump capture I did with a snapshot length of 128; in the Frame section of the 1500-byte IP datagram, what do the "Frame Length" and "Capture Length" fields say?  "Frame Length" *should* say 1514 (I'm assuming from the "1500" that this is IP-over-Ethernet, with a 14-byte Ethernet header); if it's only 128, the file wasn't recorded correctly (or was recorded by software that, for some reason, wasn't able to get the packet's actual length).

Yes.  "sequence" referred to the TCP sequence number.

Hmm...  odd... I see what you are saying.

Frame Length and Capture Length both say 128 bytes.

This was a 1500 byte packet with ethernet header (no vlan tag) -- so probably 1514.  The very first line essentially repeat these values too.  I noticed it but didn't put 2 and 2 together.  "128 bytes on the wire (1024 bits), 128 bytes captured (1024 bits)"

Let me ask the person who capture it how he did it and see where that takes us.  This has happened more than once but may have used the same tools to capture the trace.

Back on my original question: would you say that sense the Frame Length is bogus, wireshark is doing as well as expected?

Thank you very much for your time,
Perry Smith