Sorry for my late reply, >From your article, I understand that the *Captured Packet Length* is the *Frame Length/Length on wire/real length* and *Original Packet Length* is the "*Capture Length/captured length*" in the attached picture.
My issue is that the capture card in our system always writes packets with "*Original Packet Length*" bigger than or equal to the "*Captured Packet Length" *(attached example pcap file). In your article, "*Original Packet Length*" can be greater than "*Captured Packet Length", *so I don't think that is an error from my capture card. Since Wireshark marks this issue as a malformed error, I think it also leads to incorrect FCS checking. Please help me correct my understanding if I'm wrong. Best regards, Khanh frame_error.pcap <https://drive.google.com/file/d/1YPewOtZttjeG64EtzxGJaLm5R-qfWmut/view?usp=drive_web> On Thu, Mar 23, 2023 at 11:35 AM Guy Harris <ghar...@sonic.net> wrote: > On Mar 22, 2023, at 11:40 AM, Duy Khanh Pham via Wireshark-dev < > wireshark-dev@wireshark.org> wrote: > > > My case for this request is when doing network data capturing with a > capture card. The capture card always sets the capture length to a multiple > of 4 due to performance requirement. > > > > As a result, the real length will always be less than or equal to the > set captured length. > > What do you mean here by "capture length"? > > In the record header of packet records in pcap files: > > > https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcap.html#name-packet-record > > the two length fields are defined as follows: > > Captured Packet Length (32 bits): > an unsigned value that indicates the number of octets > captured from the packet (i.e. the length of the Packet Data field). It > will be the minimum value among the Original Packet Length and the snapshot > length for the interface (SnapLen, defined in Figure 1). > > Original Packet Length (32 bits): > an unsigned value that indicates the actual length of the > packet when it was transmitted on the network. It can be different from the > Captured Packet Length if the packet has been truncated by the capture > process; it SHOULD NOT be less than the Captured Packet Length. > > A pcap file writer MAY write an Original Packet Length > that is less than the Captured Packet Length if both the Captured Packet > Length and the Original Packet length came from a file in which a packet > had an Original Packet Length less than the Captured Packet Length; > otherwise, it MUST write an Original Packet Length that is greater than or > equal to the Captured Packet Length. > > A pcap file reader MAY convert an Original Packet Length > that is less than the Captured Packet Length to a value that is greater > than or equal to the Captured Packet Length. > > and, in the block header of Enhanced Packet Blocks in pcapng files: > > > https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#name-enhanced-packet-block > > they are defined as follows: > > * Captured Packet Length (32 bits): an unsigned value that > indicates the number of octets captured from the packet (i.e. the length of > the Packet Data field). It will be the minimum value among the Original > Packet Length and the snapshot length for the interface (SnapLen, defined > in Figure 10). The value of this field does not include the padding octets > added at the end of the Packet Data field to align the Packet Data field to > a 32-bit boundary. > > * Original Packet Length (32 bits): an unsigned value that > indicates the actual length of the packet when it was transmitted on the > network. It can be different from the Captured Packet Length if the packet > has been truncated by the capture process; it SHOULD NOT be less than the > Captured Packet Length. > > A pcapng file writer MAY write an Original Packet Length that is > less than the Captured Packet Length if both the Captured Packet Length and > the Original Packet length came from a file in which a packet had an > Original Packet Length less than the Captured Packet Length; otherwise, it > MUST write an Original Packet Length that is greater than or equal to the > Captured Packet Length. > > A pcapng file reader MAY convert an Original Packet Length that is > less than the Captured Packet Length to a value that is greater than or > equal to the Captured Packet Length. > > Unless the capture card is slicing packets should, both the "captured > length" and the "real length" should have the *exact same value*, which > should reflect the number of bytes worth of packet data, *not* including > any padding added by the capture card. In addition, the padding should > *not* be written to the capture file. > > So what does the "capture length" refer to for your capture card?
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
