Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] “bytes on wire” vs. “bytes captured”

From: Holger Pfrommer <HPfrommer@xxxxxxxxxxxx>
Date: Fri, 19 Jul 2019 12:52:57 +0000

Hi,

 

I was wondering about a fact regarding the reported frame lengths in Wireshark.


The frame dissector states “bytes on wire” and “bytes captured” values.

I understand that these values where initially generated by the values caplen and len in the pcap packet header as follows:

struct pcap_pkthdr {

                struct timeval ts;              /* time stamp */

                bpf_u_int32 caplen;       /* length of portion present */

                bpf_u_int32 len;              /* length this packet (off wire) */

};

 

This is useful if the capture device cuts off data but wants to report the original length and thus tvbuff also provides the values length and reported_length.

struct tvbuff

                /** Amount of data that's available from the capture

                * file.  This is the length of virtual buffer (and/or

                * real_data).  It may be less than the reported

                * length if this is from a packet that was cut short

                * by the capture process.

                *

                * This must never be > reported_length or contained_length. */

                guint                                     length;

 

                /** Amount of data that was reported as being in

                * the packet or other data that this represents.

                * As indicated above, it may be greater than the

                * amount of data that's available. */

                guint                                     reported_length;

….

};

 

Thus, as stated in the comment above length never must be larger than reported_length, which is true if the capture device drops data.

 

Now my question: I would be very useful to use pcap’s caplen and len values to report original packet length while a capture device adds additional data to a frame, for example a header containing some more details about the frame itself.

In such a case, I would expect that pcap’s len would be set to the original’s frames length, while caplen would be frame length plus header length. That a header is present and how it can be decoded is detectable by the link layer type.

 

Unfortunately, when I tested this, Wireshark truncates reported_length, cutting of the data buffer which container the additional header information.

 

Is there any reason for that type of implementation?

It would be really great if Wireshark would report a “bytes on wire” value which actually shows the original frames length on wire, while “bytes captured” would show the larger value including the header part.

 

BR,

Holger

 


Hilscher Gesellschaft für Systemautomation mbH   |  Rheinstrasse 15  |  65795 Hattersheim  |  Germany  |  www.hilscher.com
Sitz der Gesellschaft / place of business: Hattersheim  |  Geschäftsführer / managing director: Dipl.-Ing.
Hans-Jürgen Hilscher
Handelsregister / commercial register: Frankfurt B 26873  |  Ust. Idnr. / VAT No.: DE113852715
Registergericht / register court: Amtsgericht Frankfurt/Main

Important Information:
This e-mail message including its attachments contains confidential and legally protected information solely intended for the addressee. If you are not the intended addressee of this message, please contact the addresser immediately and delete this message including its attachments. The unauthorized dissemination, copying and change of this e-mail are strictly forbidden. The addresser shall not be liable for the content of such changed e-mails.

Wichtiger Hinweis:

Diese E-Mail einschließlich ihrer Anhänge enthält vertrauliche und rechtlich geschützte Informationen, die nur für den Adressaten bestimmt sind. Sollten Sie nicht der bezeichnete Adressat sein, so teilen Sie dies bitte dem Absender umgehend mit und löschen Sie diese Nachricht und ihre Anhänge. Die unbefugte Weitergabe, das Anfertigen von Kopien und jede Veränderung der E-Mail ist untersagt. Der Absender haftet nicht für Inhalte von veränderten E-Mails.