Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] tvb_captured_length or tvb_reported_length?

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Wed, 2 Sep 2015 19:44:16 +0200
Hi Robert,

2015-09-02 19:33 GMT+02:00 Robert Cragie <robert.cragie@xxxxxxxxxxxxx>:

I am trying to understand the changes to the previous use of tvb_length(). There are now two functions (and their associates):

* tvb_captured_length()
* tvb_reported_length()

As far as I can tell, tvb_captured_length() is the direct replacement for tvb_length() but tvbuff.h says "You probably want tvb_reported_length instead.". The use of both seems to be mixed throughout the files and it's difficult to follow the relationship between the two. So any guidance on this would be appreciated.


tvb_reported_length -> the size of the packet as it was transmitted on the wire (frame.len field in Wireshark)
tvb_captured_length -> the size of the packet captured by libpcap / Winpcap / XXX which is either equal to reported length, or shorter if a snaplen was configured for the capture (frame.cap_len field in Wireshark)

This starts to make a difference as soon as you have a capture taken with a snap length defined.

If you try to access a byte that is above the captured length, but within the reported length, Wireshark will catch this exception and display automatically in the info column and the packet details panel that the packet size was limited during capture (which is more useful than an error telling you that the packet is malformed which is not true in this case: you simply limited the bytes you wanted to capture for performance reasons).
So most of the time you are interested by reported length. But captured length is still useful for some specific use cases. For example in an heuristic dissector, when you are performing your tests to identify whether this is a packet for your protocol or not, you must ensure that the captured length is at least equal to the offset of the byte you want to access to. Otherwise the exception "packet size limited during capture" would be triggered and it would interrupt the processing of the packet (and thus preventing next heuristic dissector to be called).
So depending on the code you are writing, you must decide whether you want the reported or captured length. And the former is often what you really want. But it is sometims tricky to decide which one is relevant (that's where code review enters into the game :) ).

Hope it helps,
Pascal.