Wireshark-users: Re: [Wireshark-users] Incorrect report by wireshark ?
From: "Guy Harris" <[email protected]>
Date: Thu, 27 Sep 2007 10:02:47 -0700 (PDT)
Saikiran Madugula wrote:

> Now I understand. The report of xx bytes on *wire* by wireshark just
> confused me a lot.

The intent was to distinguish between the number of bytes in the packet,
as received by the host running Wireshark, and the number of bytes the
packet capture mechanism supplied to Wireshark (you can specify that no
more than the first N bytes of a packet be supplied to Wireshark/TShark or
to tcpdump, if you are, for example, interested only in IP and TCP
headers; that reduces memory bandwidth, disk bandwidth, and disk space
used when capturing, and reduces the chances of packets being dropped).

There might be a better way of expressing "number of bytes in the packet
as received" that doesn't imply that it's the raw size of the packet on
the network.
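An added example, not part of the original message: a minimal reader for the classic pcap file format that pulls out the two lengths the reply distinguishes, the bytes the capture mechanism supplied (`incl_len`) and the bytes in the packet as received (`orig_len`). The sample capture, its snapshot length of 96 and the frame sizes are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_sample_pcap(snaplen, frame_sizes):
    """Constructed capture: zero-filled frames, each cut to snaplen bytes."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        captured = bytes(min(size, snaplen))
        # Record header: ts_sec, ts_usec, incl_len (stored), orig_len (as received)
        out += struct.pack("<IIII", i, 0, len(captured), size) + captured
    return out


def read_lengths(data):
    """Return (snaplen, [(incl_len, orig_len), ...]) from classic pcap bytes."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("file ends inside a record header")
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("file ends inside packet data")
        records.append((incl_len, orig_len))
        offset += incl_len  # only incl_len bytes are stored, never orig_len
    return snaplen, records


def truncated(records):
    """Indexes of packets for which fewer bytes were supplied than were received."""
    return [i for i, (incl, orig) in enumerate(records) if incl < orig]


if __name__ == "__main__":
    snaplen, recs = read_lengths(build_sample_pcap(96, [60, 1514, 96, 590]))
    for n, (incl, orig) in enumerate(recs, 1):
        print(f"Frame {n}: {orig} bytes in packet as received, {incl} bytes captured")
```

Analysis that depends on payload (content signatures, file carving, stream reassembly) only ever sees `incl_len` bytes, so checking `truncated()` first shows whether a capture taken with a small snapshot length can support it.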