----- Original Message ----- 
From: "Jeff Curley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 10, 2004 9:20 PM
Subject: [WinPcap-users] packet lengths off by 4 bytes?


> I am somewhat new to PCap, but I am familiar with network code and packet
> sniffers, so I downloaded the Windows API (which by the way is incredible)
> and wrote a UDP packet sniffer program in MFC in about 2 days to play
> around and analyze some proprietary protocols, and I noticed something
> strange. The packet lengths set in my:
>
> pcap_pkthdr
>
> by
>
> pcap_next_ex
>
> always differ from what EtherPeek (another packet sniffer program)
> captures, by 4 bytes. To test it just to make sure I hadn't screwed up
> something with my implementation, I ran Ethereal and EtherPeek at the same
> time and sure enough they come across as different. After looking at the
> data, it appears that the EtherPeek packet all had an appended 4 bytes of
> NULL added to them. So the question is, is PCap stripping these off, or is
> EtherPeek adding them on?

WinPcap does not strip any byte from packets. Since they do not contain
valid data (FFFF) I think it's some sort of frame tail used by the EtherPeek
capturing engine (just my opinion, of course).

Have a nice day
GV


>
> Thanks for your time and I apologize if this question has been asked
> previously, I scoured the previous 4 pages of mailing list subjects and
> didn't see anything that looked like it addresses this.
>
> --jeff
>
>
>
>
>
> ==================================================================
>  This is the WinPcap users list. It is archived at
>  http://www.mail-archive.com/[EMAIL PROTECTED]/
>
>  To unsubscribe use
>  mailto: [EMAIL PROTECTED]
> ==================================================================
>
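
Added example, not part of the original thread: one way to see which capture carries the extra bytes is to compare the captured length with the IPv4 total length field and count what lies beyond the datagram. The names trailer_bytes and build_sample are hypothetical and the sample frames are constructed; with pcap you would pass the packet data and the caplen field of pcap_pkthdr.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14

/* Bytes captured beyond the end of the IPv4 datagram in an Ethernet II frame.
 * Returns -1 if the frame is not IPv4, is too short, or was truncated.
 * Note: Ethernet padding on short frames is also counted as trailer bytes. */
int trailer_bytes(const unsigned char *frame, size_t caplen)
{
    if (caplen < ETH_HDR_LEN + 20)
        return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00)     /* EtherType must be IPv4 */
        return -1;
    const unsigned char *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return -1;
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3]; /* IPv4 total length field */
    if (ip_total < 20 || ETH_HDR_LEN + ip_total > caplen)
        return -1;                                  /* bad header or snaplen cut */
    return (int)(caplen - ETH_HDR_LEN - ip_total);
}

/* Constructed sample: one UDP datagram (IP total length 46) inside a 60-byte
 * frame, followed by `extra` zero bytes as a second tool might record it. */
size_t build_sample(unsigned char *buf, size_t extra)
{
    size_t len = 60 + extra;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;   /* EtherType IPv4 */
    buf[14] = 0x45;                   /* version 4, IHL 5 */
    buf[16] = 0x00; buf[17] = 46;     /* total length = 20 + 8 + 18 */
    buf[23] = 17;                     /* protocol UDP */
    return len;
}

int main(void)
{
    unsigned char a[64], b[64];
    size_t la = build_sample(a, 0), lb = build_sample(b, 4);
    printf("capture A: caplen=%zu trailer=%d\n", la, trailer_bytes(a, la));
    printf("capture B: caplen=%zu trailer=%d\n", lb, trailer_bytes(b, lb));
    return 0;
}
```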