-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is it legal for an EPB capture length value to be different than snaplen/origlen? #35
Comments
No, Packet Capture Length can be less than SnapLen, so I think we have to change this. SnapLen is just one value for all packets, but we may see packets with different "captured packet length" values. One example is that when cutting packets after the TCP header the actual remaining capture packet length depends on the length of the IP and TCP headers (which may vary for multiple packets, depending on what options were present). So Wireshark is doing it right in my point of view. IDBs SnapLen seems only relevant for SPBs, as you mentioned. |
I.e., SnapLen is only "normative" for SPBs; it's just "informative" if you don't have any SPBs, as in "just thought you might like to know that this was the slicing length specified when the capture was done"? |
Yes, SPBs need the SnapLen info. EPB may have a smaller packet capture length. |
A file could contain both EPBs and SPBs, and according to the spec this may Of course I seriously doubt anyone would ever do that, but let's pretend In hindsight, I think the SPB should probably never have been defined. We On Sat, Aug 29, 2015 at 2:35 PM, Guy Harris [email protected]
|
What if the EPB's Capture Length field is bigger than SnapLen? On Sat, Aug 29, 2015 at 3:27 PM, Jasper Bongertz [email protected]
|
I was thinking about a bigger Capture Length than SnapLen and I think it's unlikely but not impossible. Some packets may be edited at a later time (e.g. sanitizing them, or preparing a replay) where the packet ends up with more bytes than were captured. In that case Capture Length could exceed SnapLen. |
One possibility might be to describe SnapLen as a limit specified as part of the capture process, and indicate that packets in an EPB (or PB) might have a capture length greater than the SnapLen if the packet content has been edited. However, we must then indicate that packets in an SPB MUST not be edited in any fashion that changes their length. |
Currently the draft says this for EPB's (and the deprecated Packet Block) Capture Length field:
So does this mean it MUST be
MIN(SnapLen, Original Packet Length)
, and cannot be more or less than it? (unless SnapLen is 0 obviously)I ask because Wireshark currently just uses the Capture Length value, ignoring the SnapLen and Original Packet Length. I had thought this was just a bug in Wireshark, but I'm not sure it is. One could argue that the IDB's SnapLen should only apply to the capture length of Simple Packet Blocks.
The text was updated successfully, but these errors were encountered: