I'm inspecting a pcap file with Wireshark and some of the entries have this written in their information field:
10001 → 27017 Len=121[Packet size limited during capture]
I read that this happens when you capture packets with tcpdump and tcpdump cuts off the packet at a specific length.
What does 10001 → 27017 mean?
In the information field it says Len=121, but in the Length field it says it is 163 Bytes long. What is the correct length?
What does 10001 → 27017 mean?
As @SteffenUllrich pointed out, these are the ports.
In the information field it says Len=121, but in the Length field, it says it is 163 Bytes long. What is the correct length?
I am not entirely sure, but I think the difference in the length could be because of the [Packet size limited during capture].
By default, Director has a packet size limit to capture data on the wire. Larger packets than the packet size limit will show "Packet size limited during capture" when reading the packet capture. Taking a capture on larger packet sizes increases the processing time of packets. (https://knowledge.broadcom.com/external/article/165718/error-packet-size-limited-during-capture.html)
So, my speculation is that the packet is 163 bytes, but only 121 were captured.
