tcpdump mailing list archives

Re: snaplen vs number of bytes actually saved


From: Guy Harris <guy () alum mit edu>
Date: Thu, 30 Oct 2003 16:55:44 -0800


On Oct 30, 2003, at 4:01 PM, Aaron Turner wrote:

> So I've got an old pcap file which I don't remember the actual snaplen used.
> Now I know the pcap_file_header keeps a record of this (in my case 144
> bytes). What is strange though, is that the file actually has a maximum
> of 158 bytes stored (I can see the extra bytes in ethereal).

158-144 = 14, i.e. the length of an Ethernet link-layer header.

Whatever program wrote the file (or whatever version of libpcap it was using) probably put the snapshot length minus the link-layer header length, not the actual snapshot length (which includes the link-layer header), into the file.

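The mismatch discussed in this thread can be checked directly from a capture file. The following is an added example, not part of the original message or of libpcap: a Python reader for the classic pcap format that compares the file header's snaplen with the largest per-record captured length. The names `audit_snaplen` and `LINK_HDR_LEN` and the sample capture are constructed for illustration.

```python
import struct

# Fixed link-layer header lengths by link type (illustrative subset).
LINK_HDR_LEN = {1: 14}  # 1 = DLT_EN10MB (Ethernet)

# Classic pcap magics (microsecond and nanosecond) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def audit_snaplen(data: bytes) -> dict:
    """Compare the header snaplen with the largest caplen actually stored."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    end = MAGICS[data[:4]]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    off, max_caplen, records = 24, 0, 0
    while off + 16 <= len(data):
        # ts_sec, ts_usec, caplen (bytes saved), len (bytes on the wire)
        _, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            break  # truncated final record: stop rather than read past the end
        max_caplen = max(max_caplen, caplen)
        records += 1
        off += 16 + caplen
    excess = max_caplen - snaplen
    return {
        "snaplen": snaplen,
        "max_caplen": max_caplen,
        "excess": excess,
        "records": records,
        # True when the overshoot equals the link-layer header length,
        # i.e. the writer recorded snaplen without the link-layer header.
        "explained_by_link_header": excess > 0
        and excess == LINK_HDR_LEN.get(linktype),
    }

def sample_capture() -> bytes:
    """Constructed file: header snaplen 144, Ethernet, records of 158 and 60 bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 144, 1)
    for caplen, wirelen in ((158, 1514), (60, 60)):
        out += struct.pack("<IIII", 0, 0, caplen, wirelen) + bytes(caplen)
    return out

if __name__ == "__main__":
    print(audit_snaplen(sample_capture()))
```

A reader that sizes its packet buffer from the header snaplen still has to check each record's caplen against that buffer, since files like this one exceed it.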

