Packet length mismatch while using libpcap

2
votes

I am capturing packets using libpcap. I am calculating the payload size as given here size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp);
Now, for a packet, size_payload is 1228, ethernet header is 14 bytes, IP header is 20 bytes, TCP header is 32 bytes. While header.caplen and header.len are 1514 bytes. Shouldn't size_payload+size_ip+size_tcp+size_ethernet be equal to header.caplen? Also, when I dump the same packets using tcpdump, the capture length is shown as 1514. Why do these differ? I expected ntohs(ip->ip_len) to be equal to header.caplen and header.len

EDIT
I expected ntohs(ip->ip_len) to be equal to header.caplen and header.len. But what I find is ntohs(ip->ip_len) = 1280 and header.caplen = header.len = 1514

1
networkingnetwork-programmingwiresharklibpcaptcpdump
On what OS are you doing the capture? And what do you mean by "Also, when I dump the same packets using tcpdump, the capture length is shown as 1514."? You say that "differs", but if you say that header.caplen is 1514 in your program, and that tcpdump shows the "capture length" as 1514, that sounds as if they're reporting the same thing. - user862787

1 Answers

1
votes

The caplen says how much of the packet may be captured, not necessarily how much actually was. You need to compare that value with the len field.

If caplen >= len you know that you should have the entire packet contents available. Otherwise, the packet capture has been truncated.