Sorry for my late reply,

>From your article, I understand that the *Captured Packet Length* is the *Frame
Length/Length on wire/real length* and *Original Packet Length* is the
"*Capture
Length/captured length*" in the attached picture.

My issue is that the capture card in our system always writes packets
with "*Original
Packet Length*" bigger than or equal to the "*Captured Packet Length"
*(attached
example pcap file). In your article, "*Original Packet Length*" can be
greater than "*Captured Packet Length", *so I don't think that is an error
from my capture card.

Since Wireshark marks this issue as a malformed error, I think it also
leads to incorrect FCS checking.

Please help me correct my understanding if I'm wrong.

Best regards,
Khanh
 frame_error.pcap
<https://drive.google.com/file/d/1YPewOtZttjeG64EtzxGJaLm5R-qfWmut/view?usp=drive_web>

On Thu, Mar 23, 2023 at 11:35 AM Guy Harris <ghar...@sonic.net> wrote:

> On Mar 22, 2023, at 11:40 AM, Duy Khanh Pham via Wireshark-dev <
> wireshark-dev@wireshark.org> wrote:
>
> > My case for this request is when doing network data capturing with a
> capture card. The capture card always sets the capture length to a multiple
> of 4 due to performance requirement.
> >
> > As a result, the real length will always be less than or equal to the
> set captured length.
>
> What do you mean here by "capture length"?
>
> In the record header of packet records in pcap files:
>
>
> https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcap.html#name-packet-record
>
> the two length fields are defined as follows:
>
>         Captured Packet Length (32 bits):
>                 an unsigned value that indicates the number of octets
> captured from the packet (i.e. the length of the Packet Data field). It
> will be the minimum value among the Original Packet Length and the snapshot
> length for the interface (SnapLen, defined in Figure 1).
>
>         Original Packet Length (32 bits):
>                 an unsigned value that indicates the actual length of the
> packet when it was transmitted on the network. It can be different from the
> Captured Packet Length if the packet has been truncated by the capture
> process; it SHOULD NOT be less than the Captured Packet Length.
>
>                 A pcap file writer MAY write an Original Packet Length
> that is less than the Captured Packet Length if both the Captured Packet
> Length and the Original Packet length came from a file in which a packet
> had an Original Packet Length less than the Captured Packet Length;
> otherwise, it MUST write an Original Packet Length that is greater than or
> equal to the Captured Packet Length.
>
>                 A pcap file reader MAY convert an Original Packet Length
> that is less than the Captured Packet Length to a value that is greater
> than or equal to the Captured Packet Length.
>
> and, in the block header of Enhanced Packet Blocks in pcapng files:
>
>
> https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#name-enhanced-packet-block
>
> they are defined as follows:
>
>         * Captured Packet Length (32 bits): an unsigned value that
> indicates the number of octets captured from the packet (i.e. the length of
> the Packet Data field). It will be the minimum value among the Original
> Packet Length and the snapshot length for the interface (SnapLen, defined
> in Figure 10). The value of this field does not include the padding octets
> added at the end of the Packet Data field to align the Packet Data field to
> a 32-bit boundary.
>
>         * Original Packet Length (32 bits): an unsigned value that
> indicates the actual length of the packet when it was transmitted on the
> network. It can be different from the Captured Packet Length if the packet
> has been truncated by the capture process; it SHOULD NOT be less than the
> Captured Packet Length.
>
>         A pcapng file writer MAY write an Original Packet Length that is
> less than the Captured Packet Length if both the Captured Packet Length and
> the Original Packet length came from a file in which a packet had an
> Original Packet Length less than the Captured Packet Length; otherwise, it
> MUST write an Original Packet Length that is greater than or equal to the
> Captured Packet Length.
>
>         A pcapng file reader MAY convert an Original Packet Length that is
> less than the Captured Packet Length to a value that is greater than or
> equal to the Captured Packet Length.
>
> Unless the capture card is slicing packets should, both the "captured
> length" and the "real length" should have the *exact same value*, which
> should reflect the number of bytes worth of packet data, *not* including
> any padding added by the capture card.  In addition, the padding should
> *not* be written to the capture file.
>
> So what does the "capture length" refer to for your capture card?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Reply via email to